Integration with Microsoft Teams

Sending Report Summary to Teams Channel

You can configure CloudGuard to send summaries to Teams with a HTTP webhook.

Teams Configuration

  1. In Teams, create a new channel.

  2. From the Channel menu , select Connectors.

  3. From the list of connectors, select Incoming Webhook and click Add.

  4. In the new window, click Add again.

  5. Enter the webhook name, for example, "webhook" and click Create.

  6. From the URL field, copy the URL address of the webhook and click Close.

    The Teams channel informs you that you have a connection to the Incoming Webhook.

CloudGuard Configuration

  1. In CloudGuard, navigate to Settings > Configure > Notifications and click Add Notification.

  2. Enter the applicable options as described in Notifications.

  3. In the Immediate Notification section, select Send report summary to Teams channel. The field for the Teams webhook URL opens.

  4. Paste the URL address from Teams to the field.

  5. Click SAVE.

  6. From the Posture Management menu, navigate to the Continuous Posture and add a new Policy with the Notification created in the previous steps.

  7. To make sure that CloudGuard sends notifications to the channel, from the menu of the newly created policy, select Send all alerts.

  8. In the Send All Alerts box that opens, below Notification Type, select Teams Channel and click Send.

  9. You can see that CloudGuard sends the notification to your Teams channel. It includes the summary and a maximum of seven of the most critical alerts.

Sending Notifications to Teams Channel through SNS

Caution - Depending on the size of your environment and the number of notifications that you receive from CloudGuard, Teams may flag the notification traffic as a DDoS event and block the traffic. For large environments, it is recommended to use Sending Report Summary to Teams Channel instead.

  1. In the Teams application, click Teams on the left-hand pane.

  2. Click the + button and select Create team.

  3. Select From scratch in the top, select the desired privacy, and set a name for the team.

  4. Navigate to the General chat under your new team, click the More options … icon, select Connectors.

  5. Add Incoming Webhook.

  6. Configure Incoming Webhook: go back to the More options … icon and select Connectors.

  7. Set a name for the Webhook and click Create.

  8. Copy the Webhook URL to use it in the next step.

  1. Navigate to the AWS console, search for Lambda, and click Create function on the top right.

  2. Set a name for the function, change Runtime to Python 3.11 (or the latest supported version).

  3. Set Architecture to x86_64.

  4. Click Create function.

  5. Navigate to Code source and replace the existing Python code with the code snippet below. Make sure to replace the default URL (line 7) with your Webhook URL, then click Deploy.

  6. Select Copy ARN to use it in the next step.

Copy 
import urllib3
import json

http = urllib3.PoolManager()

def lambda_handler(event, context):
   url = "your webhook here"
   msg = {
      "text": event['Records'][0]['Sns']['Message']
   }
   encoded_msg = json.dumps(msg).encode('utf-8')
   resp = http.request('POST', url, body=encoded_msg)
 
   print({
      "message": event['Records'][0]['Sns']['Message'],
      "status_code": resp.status,
      "response": resp.data
   })

  1. Navigate to portal.checkpoint.com and select CloudGuard.

  2. Navigate to Settings > Configuration > Integrations.

  3. SNS is disabled by default, select Enable.

  4. Follow the instructions and copy the environment ID.

  5. Leave this window open to complete it after you create an SNS topic.

  6. Navigate to the AWSClosed Amazon® Web Services. Public cloud platform that offers global compute, storage, database, application and other cloud services. console, search for sns, select it, navigate to Topics in the right-hand pane, and click Create topic.

  7. Select Standard and set a name for the topic.

  8. Navigate to Access policy - optional.

  9. Below Publishers, select Only the specified AWS accounts from the menu and paste the environment ID from step 4.

  10. Select Create topic.

  11. Copy the ARNClosed Amazon Resource Names (ARNs) uniquely identify AWS resources. They are required to specify a resource unambiguously across all of AWS, such as in IAM policies, Amazon Relational Database Service (Amazon RDS) tags, and API calls. and paste it into the AWS SNS Events integration window that you have open in CloudGuard.

  12. Click SAVE.

  1. Back in CloudGuard, navigate to Settings > Configure > Notifications.

  2. Click the notification name (or create a new one) where you want to configure SNS integration.

  3. Below Immediate Notification, select the option SNS notification for each new finding as soon as it is discovered.

  4. Paste your AWS SNS ARN and click Save.

Best Practices:

  • Depending on the size of your environment you may want to filter the notifications sent to Teams. You can add a filter in Step 4 when you configure the notification. It is recommended to filter notifications by severity (Critical & High).

  • It is recommended to utilize the built-in summary report functionality for Teams (Sending Report Summary to Teams Channel) if you do not need immediate Teams notifications for individual events.