
Alerts

To receive alerts, a user must first set up their personal alerts as described in Configuring personal alerts.

To send alerts to other recipients (specific users, channels, or SNS topics), configure alerting rules as described in Configuring alert rules.

Configuring personal alerts

Use the personal alerts configuration screen to set up the alerts you will receive as direct messages. To configure and enable it, click the User icon in the upper right and select User Settings | Integrations. Any alert sent to the "All Users" target is delivered to every CSPM Alerts channel you enable on this screen (Email, Slack, Teams). For Slack or Teams, follow the on-screen instructions to authorize your Slack or Teams identity with Cloud Defense. You can also enable or disable the daily summary from this screen.

Configuring alert rules

You can create and configure alert rules under Findings | Alerts. Create rules here to alert on specific findings or events; for example, a rule that alerts "All Users" (the default target) on Critical and High findings in Prod environments. A rule can also target specific users, channels, or SNS topics.

Understanding SNS Alert Messages

When configuring alerts to be sent to an Amazon SNS topic, it is important to understand the structure of these messages. The SNS Message field is stringified JSON containing the alert rule configuration that matched and the check result (event) that triggered it.

Message Structure

  • Alert (alert): Contains details about the alert configuration.
    • Fields include: accountIds, alertAllUsers, channels, name, type, etc.
  • Check Result (event): Specifics of the check result triggering the alert.
    • Fields include: accountId, checkId, severity, reason, result, etc.

Parsing the Message

  • The Message field is stringified JSON and must be parsed before the alert and event data can be accessed.
  • Example parsing in JavaScript:
    // snsMessageString is the string value of the envelope's "Message" field
    const message = JSON.parse(snsMessageString);
    const alert = message.alert;   // the alert rule configuration that matched
    const event = message.event;   // the check result that triggered the rule

Sample SNS Message

To provide a clearer understanding of how alerts are structured when sent via Amazon SNS, below is a sample SNS payload. This example illustrates a typical payload as delivered to an HTTP endpoint. The alert itself is carried as a string in the Message field; the SignatureVersion, Signature and SigningCertURL fields are SNS's own message signature, which an HTTP endpoint should verify (and should only accept a SigningCertURL hosted on an sns.*.amazonaws.com domain) before acting on the contents.

{
  "Type": "Notification",
  "MessageId": "11111111-2222-3333-4444-555555555555",
  "TopicArn": "arn:aws:sns:us-west-2:123456789012:example-topic",
  "Subject": "Alert Notification",
  "Message": "{\"alert\":{...},\"event\":{...}}",
  "SignatureVersion": "1",
  "Signature": "EXAMPLEpH+..=",
  "SigningCertURL": "https://sns.us-west-2.amazonaws.com/SimpleNotificationService-11111111111111111111111111111111.pem",
  "UnsubscribeURL": "https://sns.us-west-2.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-west-2:123456789012:example-topic:11111111-2222-3333-4444-555555555555"
}

Below is a mock example of the alert message carried in the Message property of the payload above, shown here as parsed JSON rather than as the string SNS actually delivers.

{
  "alert": {
    "accountIds": ["123456789012"],
    "alertAllUsers": true,
    "channels": [
      {
        "type": "Email",
        "address": "[email protected]"
      }
    ],
    "checkIds": ["check-001", "check-002"],
    "environments": ["Prod", "Dev"],
    "id": "alert-1234",
    "name": "High Severity Alert",
    "projectIds": ["proj-123", "proj-456"],
    "recipientUserIds": ["user-123", "user-456"],
    "results": ["Passed", "Failed"],
    "severities": [1, 2],
    "snsTopicArns": ["arn:aws:sns:us-west-2:123456789012:example-topic"],
    "type": "InventoryItemCheckResult"
  },
  "event": {
    "accountId": "123456789012",
    "checkId": "check-001",
    "checkName": "Example Check",
    "checkOverview": "Verifies security compliance..",
    "clientId": "client-123",
    "cloudAccountEnv": "Prod",
    "cloudAccountId": "cloud-123",
    "cloudAccountLabels": ["critical", "security"],
    "cloudAccountName": "Cloud Account 1",
    "cloudService": "AWS",
    "createdAt": "2023-08-23T10:00:00Z",
    "exemptions": [],
    "id": "result-123",
    "inventoryItem": "{...}", // If present, this is a JSON object
    "itemId": "item-123",
    "itemType": "EC2 Instance",
    "output": "{...}", // If present, this is a JSON object
    "outputMarkdown": "### Check Results\n* Compliance: Passed\n* Issues: None",
    "parentPath": "/aws/ec2/instances",
    "reason": "Instance is compliant with security standards.",
    "region": "us-west-2",
    "relatedControls": ["Control-1", "Control-2"],
    "relatedRequirements": ["Req-1", "Req-2"],
    "result": "Passed",
    "severity": 2,
    "vendor": "AWS"
  }
}

Be aware that certain fields within the SNS message are optional and may not be present in every message. The key fields listed below are required and are always present; a consumer should validate them before relying on anything else in the message.

The required fields in the alert object include:

  • id: A unique identifier for the alert.
  • name: The name of the alert.
  • type: The type of alert.

The required fields in the event object include:

  • accountId
  • checkId
  • clientId
  • cloudAccountId
  • createdAt
  • id
  • itemId
  • itemType: The resource item type, for example, S3::Bucket.
  • region
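The following is an added example for the "Parsing the Message" section and the required-field lists above; it is not code from the original page or from Cloud Defense. It takes an SNS envelope as delivered to an HTTP endpoint, ignores anything that is not a Notification, checks that the SigningCertURL is an HTTPS URL on an sns.<region>.amazonaws.com host (an assumption that the topic lives in the standard AWS partition; it does not fetch the certificate or verify the Signature, which a production endpoint must also do), unwraps the stringified Message, and rejects it if any required alert or event field is missing. Because the page shows inventoryItem and output as "{...}" with a note that they are JSON objects when present, the example tolerates both an embedded object and a stringified one. The sample envelope is constructed to mirror the page's example; the instanceId inside inventoryItem is made up for illustration.

```javascript
// Added example: validate and unwrap a Cloud Defense alert delivered via SNS.
// Required fields are taken from the lists in this document.
const REQUIRED_ALERT_FIELDS = ["id", "name", "type"];
const REQUIRED_EVENT_FIELDS = [
  "accountId", "checkId", "clientId", "cloudAccountId", "createdAt",
  "id", "itemId", "itemType", "region",
];
// Documented as JSON objects "if present"; accept an object or a stringified one
// (assumption: the page does not say which form is delivered).
const NESTED_JSON_FIELDS = ["inventoryItem", "output"];

function parseMaybeJson(value) {
  if (typeof value !== "string") return value;
  try { return JSON.parse(value); } catch { return value; }
}

// Parse the stringified Message and enforce the required-field contract.
function parseAlertMessage(messageString) {
  const message = JSON.parse(messageString);
  const { alert, event } = message;
  if (!alert || typeof alert !== "object") throw new Error("missing alert object");
  if (!event || typeof event !== "object") throw new Error("missing event object");
  const missing = [
    ...REQUIRED_ALERT_FIELDS.filter((f) => !(f in alert)).map((f) => `alert.${f}`),
    ...REQUIRED_EVENT_FIELDS.filter((f) => !(f in event)).map((f) => `event.${f}`),
  ];
  if (missing.length) throw new Error(`required fields missing: ${missing.join(", ")}`);
  for (const f of NESTED_JSON_FIELDS) {
    if (f in event) event[f] = parseMaybeJson(event[f]);
  }
  return { alert, event };
}

// First gate of SNS signature verification: only accept a signing certificate
// hosted by SNS itself. The anchored regex rejects look-alike hosts such as
// sns.us-west-2.amazonaws.com.evil.example. Fetching the certificate and
// checking Signature over the canonical fields is left to the endpoint.
function signingCertUrlIsTrusted(envelope) {
  let url;
  try { url = new URL(envelope.SigningCertURL); } catch { return false; }
  return url.protocol === "https:" && /^sns\.[a-z0-9-]+\.amazonaws\.com$/.test(url.hostname);
}

// Entry point for the HTTP endpoint's request body (already JSON-decoded).
function handleSnsEnvelope(envelope) {
  if (envelope.Type !== "Notification") {
    // SubscriptionConfirmation / UnsubscribeConfirmation are handled separately.
    return { handled: false, reason: `ignored Type=${envelope.Type}` };
  }
  if (!signingCertUrlIsTrusted(envelope)) {
    return { handled: false, reason: "untrusted SigningCertURL" };
  }
  const { alert, event } = parseAlertMessage(envelope.Message);
  return {
    handled: true,
    alertId: alert.id,
    severity: event.severity,
    result: event.result,
    resource: `${event.itemType}:${event.itemId}@${event.region}`,
  };
}

// Constructed sample envelope mirroring the page's example (not a real delivery).
const SAMPLE_ENVELOPE = {
  Type: "Notification",
  MessageId: "11111111-2222-3333-4444-555555555555",
  TopicArn: "arn:aws:sns:us-west-2:123456789012:example-topic",
  Subject: "Alert Notification",
  Message: JSON.stringify({
    alert: { id: "alert-1234", name: "High Severity Alert", type: "InventoryItemCheckResult", alertAllUsers: true },
    event: {
      accountId: "123456789012", checkId: "check-001", clientId: "client-123",
      cloudAccountId: "cloud-123", createdAt: "2023-08-23T10:00:00Z", id: "result-123",
      itemId: "item-123", itemType: "EC2 Instance", region: "us-west-2",
      result: "Failed", severity: 1,
      inventoryItem: JSON.stringify({ instanceId: "i-0123456789abcdef0" }), // made-up value
    },
  }),
  SignatureVersion: "1",
  Signature: "EXAMPLEpH+..=",
  SigningCertURL: "https://sns.us-west-2.amazonaws.com/SimpleNotificationService-11111111111111111111111111111111.pem",
  UnsubscribeURL: "https://sns.us-west-2.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-west-2:123456789012:example-topic:11111111-2222-3333-4444-555555555555",
};

const SAMPLE_RESULT = handleSnsEnvelope(SAMPLE_ENVELOPE);
console.log(SAMPLE_RESULT);
```

Wire handleSnsEnvelope to the HTTP handler that receives the SNS POST; the returned object is what you would route to a ticketing system or SIEM, while a thrown error (malformed Message, missing required field) should be logged and the message dropped rather than partially processed.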