Notifications

Notifications define how and when messages about findings are sent.

Notifications are included in all types of policies to issue messages about misconfiguration and threat findings. You can use the same notification for different types of policies. In addition, more than one notification can be included in a policy to send findings to multiple targets.

Notification Types

Notifications have different ways to indicate new findings. These include email reports, compliance reports, SNS notifications, and messages to external ticketing systems such as ServiceNow, JSON, Sumo Logic, PagerDuty, or Jira with HTTP endpoints.

You can select these types of reports for Notifications:

  • Summary Report shows you the results score for each of your environments and compares it to the results in the previous report. In addition, it shows an aggregated result for all your accounts. It is sent by email.

  • Executive Summary Report allows you to see the status of your environments and assets based on the results of the last assessment. This report focuses on a specific ruleset and its assessment results in multiple environments on one cloud platform. It presents this information:

    • The environments with the highest number of severity findings

    • The distribution of assets that passed or failed the test

    • The test score

    • The number of failed tests sorted by the rule severity

  • Detailed Report shows you, in addition to the information in the summary report, details for each failed test. It shows findings that are new or changed since the previous report and lists findings from previous reports that were resolved. This provides a complete picture of the compliance posture of your cloud environments and an indication of progress in resolving open issues. It is sent by email.

How to Configure a Notification

Notifications show what compliance findings are sent out, when and how they are sent out, and to whom. You can create many notifications and associate them with a ruleset or environment to customize the notification of Posture Management issues based on your needs.

Note - In June 2024, Check Point is deprecating some API methods for configuring notifications. For more information, see the CloudGuard API Reference Guide.

Each notification destination has a unique set of parameters. You can configure each destination separately before configuring the notification, or create a new destination configuration while creating or editing a notification. All configurations are available on the destination page under Settings > Configuration > Integrations.

  1. Navigate to Settings > Configuration > Notifications.

    A list of notifications appears.

  2. Click Add.

    The Create New Notification window opens.

  3. Enter a Name and Description for the notification.

  4. To send findings for this notification to the Events pages, in the CloudGuard Alerts section select Include in CloudGuard Events pages.

  5. To schedule CloudGuard to send reports, in the Schedule Report section select Email scheduled reports and fill in the relevant fields.

  6. To send new or changed findings immediately to one or more of the given destinations:

    1. Select a notification type in the Immediate Notification section. Use the filter bar to narrow down the findings range by selecting Entity Name, Entity IDs, Tags, and Severity as filter criteria.

    2. Select a configuration of the notification type. If a configuration does not exist, create a new configuration.

      Note - It is not possible to select more than one configuration of the same notification type. For example, it is not possible to select more than one email configuration.

    3. Optional - Select more notification types and configurations.

  7. Click Save.

    The new notification appears in the list of notifications.

Actions

Misconfigured Notifications

CloudGuard can block notifications for Continuous Posture if it detects that a notification is misconfigured or not functioning correctly.

If the Compliance Engine encounters several failures when it sends a finding to a notification target (for example, an SNS queue or an HTTP endpoint), it blocks that target for a period of six hours. During this time, CloudGuard does not send notifications to this target. It does not block other targets in the same notification. After six hours, the engine automatically removes the block, but applies it again immediately if further failures occur.
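The blocking behaviour described above, as an added Python model that is not CloudGuard's own code: every target is tracked independently, a target that fails several times in a row (the page does not give a number; three is assumed here) is blocked for six hours, and once the block lifts a further failure blocks it again immediately. Target names and timestamps are constructed. The practical point for a defender is that a blocked target silently drops findings for six hours while its sibling targets keep working.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

BLOCK_SECONDS = 6 * 60 * 60   # page: a failing target is blocked for six hours
FAILURE_THRESHOLD = 3         # ASSUMPTION: page only says "several failures"


@dataclass
class TargetState:
    """Delivery state kept per notification target (modelled, not CloudGuard's)."""
    failures: int = 0                          # failures since the last success
    blocked_until: Optional[float] = None      # epoch seconds, None = not blocked


@dataclass
class NotificationDeliveryModel:
    """Per-target blocking: one blocked target never affects its siblings."""
    targets: Dict[str, TargetState] = field(default_factory=dict)

    def _state(self, target: str) -> TargetState:
        return self.targets.setdefault(target, TargetState())

    def is_blocked(self, target: str, now: float) -> bool:
        st = self._state(target)
        if st.blocked_until is not None and now >= st.blocked_until:
            st.blocked_until = None   # six hours elapsed: block lifted automatically
            # failures is NOT reset (assumption): the next failure re-blocks at once
        return st.blocked_until is not None

    def deliver(self, target: str, now: float, send: Callable[[], bool]) -> str:
        """Attempt one delivery; returns 'sent', 'failed', 'failed+blocked' or 'blocked'."""
        if self.is_blocked(target, now):
            return "blocked"          # attempt skipped: the finding is not delivered
        st = self._state(target)
        if send():
            st.failures = 0
            return "sent"
        st.failures += 1
        if st.failures >= FAILURE_THRESHOLD:
            st.blocked_until = now + BLOCK_SECONDS
            return "failed+blocked"
        return "failed"


def demo() -> Dict[str, str]:
    """Constructed scenario: an SNS target fails repeatedly, the HTTP target keeps working."""
    m, t0, out = NotificationDeliveryModel(), 1_700_000_000.0, {}
    for i in range(FAILURE_THRESHOLD):
        out[f"sns_fail_{i}"] = m.deliver("sns:alerts", t0 + i, lambda: False)
    out["sns_skipped"] = m.deliver("sns:alerts", t0 + 60, lambda: False)
    out["http_ok"] = m.deliver("https://hook.example.invalid", t0 + 60, lambda: True)
    out["sns_refail"] = m.deliver("sns:alerts", t0 + BLOCK_SECONDS + 10, lambda: False)
    out["sns_recovered"] = m.deliver("sns:alerts", t0 + 2 * BLOCK_SECONDS + 20, lambda: True)
    return out
```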

To resolve a misconfigured notification:

  1. In CloudGuard, navigate to Settings > Notifications.

    The Status column shows notifications that have problems.

  2. Click the notification name to open it.

    The problem is highlighted in red.

  3. Resolve the problem with the target and click Validate.

    CloudGuard validates the channel and removes the red highlight.