CloudGuard Dome9 Notification Policies
Notification Policies indicate how and when notifications of findings are sent. Findings can be sent by secure email or AWS SNS, and can also be forwarded to the Alerts dashboard.
Notification Policies are included in Compliance Policies and Log.ic Policies, to issue notifications of findings for either of these two features. The same Notification Policy can be used for both Compliance and Log.ic. In addition, more than one notification policy can be included in a Compliance or Log.ic policy (directing findings to multiple targets).
Notification Policies can have different types of notifications of findings. These include email reports, compliance reports, SNS notifications, and messages to external ticketing systems such as ServiceNow and PagerDuty using HTTP endpoints. Reports can be executive summary reports, or detailed reports of the compliance posture of your networks.
The following are the different types of notifications that can be selected for Notification Policies.
Executive Summary Report
The executive summary report will show you the results score for each of your cloud accounts, and compare it to the previous results (in the previous report). It will also show an aggregated result for all your accounts. It is sent by email.
Detailed Report
The detailed report will show you, in addition to the information in the summary report, details for each failed test. It will also show new or changed findings since the previous report, and list findings from previous reports that have been resolved. This provides a complete picture of the compliance posture of your cloud environments, and an indication of progress towards resolving open issues. It is sent by email.
Notification Policies indicate which compliance findings are sent out, when and how they are sent, and to whom. You can create any number of policies, and associate them with any bundle or cloud account, to customize the notification of compliance issues according to your needs.
- Navigate to the Notifications page in the Alerts and Notifications menu. This shows a list of all your Notification Policies.
- Click ADD NOTIFICATION.
- Enter a name and description for the policy.
- Select the notification options for the policy, as follows:
  - Alerts Console - each finding for this policy will be sent to the Alerts page (in Notifications, in the Administration menu).
  - Scheduled Report - a report will be sent to email recipients at regular intervals. Select the time and frequency of the report, and the type (summary or detailed). Enter a list of email recipients for the report.
  - Immediate Notification - a notification will be sent for each new or changed finding. Select the type of notification:
    - For email notifications, enter a list of email recipients.
    - For SNS notifications, enter the ARN for the AWS SNS topic, and select the format for the notification:
      - JSON - Full entity - includes details of the finding, and the full attributes (as maintained in Dome9) for the entity in the finding, in JSON format
      - JSON - Basic entity - includes details of the finding, and a few attributes for the entity (such as the entity id), in JSON format
      - Plain text - like the Basic entity, but in plain text format
      Click Send test message to test the connection.
    - For HTTP Endpoint notifications, enter the URL for the endpoint, and select the authentication that is used. For Basic authentication, also enter the username and password. Select also the format of the notification:
      - JSON - Full entity - this is the default selection
      - Splunk - JSON - select this for Splunk endpoints
      Notifications to HTTP endpoints will be issued from one of these fixed IP addresses: 18.104.22.168, 22.214.171.124, or 126.96.36.199. Self-signed certificates are not supported for HTTP Endpoints.
  - Security Management Systems - notifications will be sent to a security management system, such as AWS Security Hub or the GCP Security Command Center (see here for details on how to integrate these systems with Dome9).
  - Issue Management Systems - send notifications to external ticketing systems, such as PagerDuty:
    - Check Ticketing System, and select the system from the list.
    - Enter the connection details for the selected system:
      - PagerDuty - the Routing API Key
- Click Create. The new policy will appear in the list of policies.
- To add another policy, click +Add new policy. This will clear all the fields, after which you can enter details for a new policy.
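The HTTP Endpoint option above means the receiving side should only trust notifications that arrive from the documented fixed source IPs and that carry the Basic-auth credentials configured in the policy. The following is an added example of such a receiver-side check (not Dome9's own code); the credential values, the header dictionary shape, and the JSON body it parses are assumptions, since the page does not specify the payload format.

```python
import base64
import hmac
import ipaddress
import json

# Fixed source IPs for Dome9 HTTP endpoint notifications, as listed on this page.
DOME9_SOURCE_IPS = {
    ipaddress.ip_address(ip)
    for ip in ("18.104.22.168", "22.214.171.124", "126.96.36.199")
}

# Placeholder credentials; use the username/password entered in the Notification Policy.
EXPECTED_USER = "dome9-webhook"
EXPECTED_PASSWORD = "replace-with-the-policy-password"


def make_basic_header(user, password):
    """Build the Authorization header a Basic-auth client sends (used here for local testing)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def basic_auth_ok(authorization_header):
    """Validate an HTTP Basic Authorization header against the configured credentials."""
    if not authorization_header or not authorization_header.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(authorization_header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    user, sep, password = decoded.partition(":")
    if not sep:
        return False
    # Constant-time comparisons, evaluated for both parts, so timing does not reveal which one failed.
    user_ok = hmac.compare_digest(user.encode("utf-8"), EXPECTED_USER.encode("utf-8"))
    pw_ok = hmac.compare_digest(password.encode("utf-8"), EXPECTED_PASSWORD.encode("utf-8"))
    return user_ok and pw_ok


def accept_notification(remote_ip, headers, body):
    """Return (accepted, reason, finding). Rejects requests not from a documented Dome9 IP,
    requests failing Basic auth, and bodies that are not a JSON object (assumed payload shape)."""
    try:
        if ipaddress.ip_address(remote_ip) not in DOME9_SOURCE_IPS:
            return False, "source ip not in Dome9 allowlist", None
    except ValueError:
        return False, "malformed source ip", None
    if not basic_auth_ok(headers.get("Authorization")):
        return False, "basic auth failed", None
    try:
        finding = json.loads(body)
    except json.JSONDecodeError:
        return False, "body is not JSON", None
    if not isinstance(finding, dict):
        return False, "body is not a JSON object", None
    return True, "ok", finding
```

The IP check should be applied to the real peer address (or a proxy header you control), not to a client-supplied value.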
You can configure Notification Policies to send compliance results as scheduled email reports. These can be detailed reports or executive summaries. For both options, the report contains all findings in the assessed accounts, and compares the overall results with the previous report. Reports can be configured to be generated daily, weekly, or monthly.
The summary report shows the number of passed and failed tests, and the overall score for the assessment. The overall score is the percentage of passed tests, where a test is the application of a rule to a cloud entity (such as an instance or an S3 bucket) in the account. The results are based on the most recent assessment at the time the report is generated. The report shows the results for the previous report as well, for comparison.
The report also shows a breakdown per account.
The detailed report shows the summary information as well as a detailed list of findings.
You can manually force all findings for a compliance policy to be sent to the notification targets attached to the policy. This can be useful if you need to sync all the findings.