Notifications

CloudGuard can send notifications in an email or through an integration with a third-party platform. Notifications show CloudGuard findings and security scores that CloudGuard assigns to your environments.

Note -

  • The Code Security feature has its own third-party integrations and sends its own notifications. To configure Code Security to send notifications, see Code Security Integrations.

  • The Toxic Combinations feature sends its own notifications. The Toxic Combinations feature uses the same third-party integrations as other CloudGuard features. Only some third-party integrations are supported for Toxic Combinations. For more information, see Action Hub.

Notification Types

You can send these types of notifications:

  • Summary Report shows you the security score for each of your environments and compares it to the results in the previous report. In addition, it shows an aggregated result for all your accounts.

  • Executive Summary Report shows the status of your environments and assets based on the results of the last test that CloudGuard performed. This report focuses on a specific ruleset for multiple environments on one cloud platform. The report includes:

    • The environments with the highest number of severity findings

    • The distribution of assets that passed or failed the test

    • The test score

    • The number of failed tests, sorted by the severity of the rule

  • Detailed Report shows details for each failed test. It also shows the current status of findings from the previous report. This provides a complete picture of the compliance posture of your cloud environments and an indication of progress in resolving open issues.

  • Immediate Notification sends information about a specific finding immediately after CloudGuard generates the finding.

How to Configure a Notification

  1. In the CloudGuard UI, from the left menu, click Integration Hub.

  2. Click the external service you want to integrate (for example: Microsoft Teams).

    A sliding window opens.

  3. In the sliding window, click Add.

  4. Enter the required information from the external service.

  5. Click Save.

For more information, see Integration Hub.

Note - The Toxic Combinations feature sends its own notifications. Notifications for Toxic Combinations do not need to be added to a policy. To configure Toxic Combinations to send notifications, seeAction Hub.

  1. Navigate to Settings > Configuration > Notifications.

    A list of notifications appears.

  2. Click Add.

    The Create New Notification window opens.

  3. Enter a unique Name and a Description for the notification.

  4. To schedule CloudGuard to send scheduled reports, in the Schedule Report section select Email scheduled reports and fill the relevant fields. To schedule CloudGuard to send reports on a custom schedule, see Appendix: How to schedule reports on a custom schedule

  5. To configure CloudGuard to send information findings as soon as CloudGuard detects changes in your environment:

    1. In the Immediate Notification section, select a notification type. Use the Filter bar to send notifications only about certain kinds of findings. For example, you can create an immediate notification only for Critical findings.

      Note - Some notification types apply for all findings (for example: Email notification per newly created finding). Other notification types apply only to specific types of findings (for example: CSPM- Summary report to Teams channel applies only to CSPM findings).

    2. Select a configuration of an integration.

      Note - If there is no configuration of a specific integration (for example: there is no configuration of a Microsoft Teams integration), from the dropdown menu select Add new configuration. Then, create the configuration in the sliding window. For more information, see Integration Hub.

      Note - It is not possible to select more than one configuration of the same integration type. For example, it is not possible to select more than one Microsoft Teams configuration.

    3. Optional - Select more notification types and integrations to add to the notification..

  6. Click Save.

    The new notification appears in the list of notifications.

  1. From the left menu, navigate to one of these screens:

    • CSPM > Continuous Posture

    • CIEM > Policies

    • Workload Protection > Admission Control > Policies

    • CDR > Manage Policies

  2. Do one of these:

    • To create a new policy, in the top right click Add Policy > select the policy type.

    • To edit a policy, select the checkbox to the left of the policy > click Edit.

    The Add Policy or Edit Policy wizard window opens.

  3. Optional - To create a new notification, in the Notifications Selection step of the wizard, click Add Notification. In the Create New Notification window that opens, follow the procedure in Step 2: Create a notification.

  4. In the Notification Select step of the wizard, select one or more notifications.

    Important - Select only notifications that are relevant to the policy. For example, CIEM Notifications - Email is relevant to CIEM, but it is not relevant to CSPM.

  5. Finish the wizard.

In the Create New Notification window > Schedule Report section, you can use the dropdown menus to configure CloudGuard to send reports daily, weekly, or monthly at a specific time of day. You can use a cron expression to configure CloudGuard to send reports on a custom schedule.

A 7-digit cron expression contains seven fields. To leave a field blank, enter an asterisk (*).

Cron Expression Fields (from left to right)

Field

Allowed Values

Second

0-59

Minute

0-59

Hour

0-23

Day of Month

1-31

Month

1-12

Day of Week

0-6

Year

1970-2099

Cron Expression Special Characters

Special Character

Meaning
*

Any value

,

Separates a list of values

-

Range of values

Cron Expression Examples

Example

Meaning

0 0 * * * * *

Sends a report at the beginning of every hour

0 0 9 * * * *

Sends a report every day at 09:00:00 UTC.

0 30 16 * * 1-5 *

Sends a report from Monday through Friday at 14:30:00 UTC.

0 0 11 * * 6,0 *

Sends a report on Saturdays and Sundays at 11:00:00 UTC.

To use a Cron Expression to schedule a report:

  1. In the Create New Notification window > Schedule Report section, select Custom.

  2. In the Enter cron expression field, enter a cron expression.

  3. Finish configuring the notification.

Sending All Alerts

You can manually send all reports and notifications for a policy immediately. This is useful to do a security investigation or to test integrations. The Send all alerts action is supported for these policies:

  • CSPM > Continuous Posture

  • Workload Protection > Admission Control > Policies

  • Workload Protection > Vulnerabilities > Policies

  1. In the CloudGuard UI, navigate to one of the supported policies.

  2. Select the policy that you want to synchronize and click Send all alerts.

  3. Select the notification type and name from those attached to the policy and click Send.

Broken Notifications

If CloudGuard detects a misconfiguration or failure in an integration, it blocks the integration for six hours. After six hours, CloudGuard tries to send new notifications to the integration. Then, if CloudGuard detects a misconfiguration or failure, it blocks the integration again.

  1. In the CloudGuard UI, navigate to Settings > Configuration > Notifications.

    The icon appears in the Status column to show that a notification is misconfigured.

  2. Click the name of the notification to open it.

    The problem is highlighted in red.

  3. Click Open Configuration.

    A sliding window opens for the integration (for example: Microsoft Teams).

  4. Select the relevant configuration of the integration (for example: a Microsoft Teams configuration that you named teams_integration_1).

  5. Click Test.

    If the test fails, an error message describes the problem.

  6. Fix the problem.

    CloudGuard test the integration.

  7. After a successful test, click Save.

  8. In the notification window, click Validate.

  9. Click Save.