Notifications

Notifications show how and when notifications of findings are sent. You can select to send Findings by secure email, AWSClosed Amazon® Web Services. Public cloud platform that offers global compute, storage, database, application and other cloud services. SNS, or forward them to the Events dashboard.

Notifications are included in all types of policies to issue messages of findings of misconfiguration and threats. You can use the same Notification for different types of policies. In addition, more than one Notification can be included in a policy to point findings to multiple targets.

Notification Types

Notifications have different ways to indicate new findings. This includes email reports, compliance reports, SNS notifications, and messages to external ticketing systems such as ServiceNow, JSONClosed JavaScript Object Notation. A lightweight data interchange format., Sumo Logic, PagerDuty, or Jira with HTTP endpoints.

You can select these types of reports for Notifications:

  • Summary Report shows you the results score for each of your environments and compares it to the results in the previous report. In addition, it shows an aggregated result for all your accounts. It is sent by email.

  • Executive Summary Report allows you to see the status of your environments and assets based on the results of the last assessment. This report focuses on a specific ruleset and its assessment results in multiple environments on one cloud platform. It presents this information:

    • The environments with the highest number of severity findings

    • The distribution of assets that passed or failed the test

    • The test score

    • The number of failed tests sorted by the rule severity

  • Detailed Report shows you, in addition to the information in the summary report, details for each failed test. It shows new or changed findings because the previous report and lists findings from previous reports that were resolved. This provides a complete picture of the compliance posture of your cloud environments and an indication of progress in resolving open issues. It is sent by email.

Misconfigured Notifications

CloudGuard can block notifications for Continuous Posture if it finds the notification misconfiguration or incorrect functioning.

If the Compliance Engine encounters several failures when it sends a finding to a Notification target (for example, an SNS queue or an HTTP endpoint), it blocks the target for a period of six hours. During this time, CloudGuard does not send notifications to this target. It does not block other targets in the same notification. After six hours, the engine automatically removes the block but applies it again immediately if different failures occur.

To resolve a misconfigured notification:

  1. Navigate to Settings > Notifications. The Status column shows notifications that have problems.

  2. Click the notification name to open it and see the details of the problem:

  3. Resolve the problem with the target and click Validate. CloudGuard validates the channel and clears the block.

How to Configure a Notification

Notifications show what compliance findings are sent out, when and how they are sent out, and to whom. You can create many notifications and associate them with a ruleset or environment to customize the notification of Posture Management issues based on your needs.

  1. Navigate to the Notifications page in the Settings menu. This shows a list of all your Notifications.

  2. Click Add Notification. The Create New Notification window opens.

  3. Enter a name and description for the notification.

  4. Select the notification options:

    • Alerts Console - Send findings for this notification to the Events page.

    • Scheduled Report - Send a report to email recipients at regular periods (for Compliance and Intelligence events only). Select the time, frequency, type of report, and a list of email recipients for the report. You can set a custom schedule. For this, enter a cron expression.

      Report types:

    • Add Filter - Select the events applicable to this notification. You can select Entity Names, Entity IDs, Tags, and Severity as a filter criteria.

      Note - Use % as a wildcard for Entity Names and Entity IDs filters, for example "%son", "son%", or "%son%".

    • Immediate Notification - Send new or changed findings immediately to one or more of the given destinations:

      • Email notifications - By email, to a list of email recipients. You can receive a report with changes from the previous assessment or get a message for each finding.

      • SNS notifications - To an AWS SNS topic; enter the ARNClosed Amazon Resource Names (ARNs) uniquely identify AWS resources. They are required to specify a resource unambiguously across all of AWS, such as in IAM policies, Amazon Relational Database Service (Amazon RDS) tags, and API calls. for the AWS SNS topic and select the format for the notification:

        • JSON - Full entity includes details of the finding and full attributes (as CloudGuard maintains) for the entity in the finding, in JSON format

        • JSON - Basic entity includes details of the finding and several attributes for the entity, such as the entity ID, in JSON format

        • Plain text includes details of the finding and several attributes for the entity, such as the entity ID, in TXT format

        After you enter the ARN, click Send Test Message to test the connection.

      • HTTP Endpoint - To an HTTP endpoint for third-party applications.

        Enter the URL for the endpoint, select the authentication procedure and, for Basic authentication, enter the username and password.

        Select the format of the notification from these options:

        • JSON - Full entity - For a third-party application.

        • Splunk - JSON - For Splunk endpoints.

        • ServiceNow - For ServiceNow endpoints.

        • Sumo Logic - For Sumo Logic.

        • Jira - For Jira.

        Select Ignore certificate validation if you work with self-signed certificates. This state is typical only for development and integration environments and is not recommended for production environments.

        Notifications to HTTP endpoints are issued from one of these fixed IP addresses: 3.232.156.115, 52.70.61.156, or 3.231.193.67

      • Slack channel - Send a report summary to a Slack channel.

      • Teams channel - Send a report summary to a Teams channel.

        Note - You can use Slack and Teams channel destinations for Compliance events only.

    • Security Management Systems - Send notifications to a security management system, such as the AWS Security Hub or the GCPClosed Google® Cloud Platform - a suite of cloud computing services that runs on the same infrastructure that Google uses internally for its end-user products, such as Google Search, Gmail, Google Drive, and YouTube. Security Command Center.

    • Issue Management Systems - Send notifications to an external ticketing system, such as PageDuty.

      • Select PagerDuty.

      • Enter the Routing API Key.

  5. Click Save. The new notification appears in the list of notifications.

Actions

You can use entity tags or KubernetesClosed Kubernetes, often abbreviated as “K8s”, orchestrates containerized applications to run on a cluster of hosts. labels as filtering criteria in the notifications to select specific findings or send them to specific groups. The Kubernetes labels are stored as asset tags.

Use Case

CloudGuard sends an email notification to a related team or team member when a posture finding is discovered based on the configured entity tags or labels.

To configure notifications by tags (in Kubernetes, by labels):

  1. Navigate to Settings > Notifications and click Add Notification.

  2. Start to configure the notification as in How to Configure a Notification.

  3. In the filter area, click Add Filter and select Tags.

  4. Click Tags and Add Tag.

  5. Enter Key and Value for the label, for example, set owner for key and devops-team for value.

  6. Configure other parameters such as email address (Immediate Notification > Email Report) and save the notification.

  7. Configure Continuous Posture with the new notification.

When the Compliance engine or Image Assurance discover a finding related to the entities with the label owner: devops-team an email notification is sent to the specified email address.

Summary Report

The summary report shows the number of passed and failed tests, and the overall score for the assessment. The overall score is the percentage of passed tests, where a test is the application of a rule to a cloud entity (such as an instance or an S3 bucket) in the account. The results are based on the most recent assessment at the time the report is generated. The report shows the results of the previous report, which you can use for comparison.

In addition, the report shows a summary of each account.

Detailed Report

The detailed report shows the summary information and a detailed list of findings.

You can manually push all findings for a compliance policy to the notification targets attached to the policy. This is useful if you need to test or synchronize integrations with external systems.

  1. Go to Posture Management > Continuous Posture.

  2. From the menu of the policy that you want to synchronize, select Send all alerts.

  3. Select the notification type and name from those attached to the policy and click Send.