X

Cloud Security Perspectives and Insights

Quick Tip #4 - Setting up notifications for Oracle Cloud Guard in 3 easy steps

Paul Toal
Distinguished Solution Engineer - Cyber Security

In my latest quick tip, I am going to show you, in 3 quick and easy steps, how to use Oracle Cloud Infrastructure(OCI) native notifications and events services to send alerts from Oracle Cloud Guard. Here are the three steps you will need to follow:

  1. Configure Slack (If you are using Slack)

  2. Configure OCI Notifications

  3. Configure OCI Events

Before we get started, in case you aren’t familiar with Cloud Guard, you can read more about it in my recent blog posts, here and here. To summarise, Cloud Guard helps you to maintain your security posture within your OCI environment by identifying a weakened security configuration (i.e. problems) and giving you the option to automatically remediate them.

Within Oracle Cloud Guard, when it identifies a problem, it can send an alert. This is done using the OCI Notifications and Events services. This is a great capability as it gives you all the power of those two services. For example, the Notifications service can be configured to send alerts to a range of different targets, including:

  • email
  • OCI Function
  • Slack
  • PagerDuty
  • HTTP (custom URL)

These alerts can be sent for a number of different activities within Oracle Cloud Guard. These are:

Problems – Cloud Guard monitors registered targets for weak secure posture. When it finds an issue, it creates a “Problem” within Cloud Guard, which can be sent as an alert, as shown in the example in this article.

Remediation – When Cloud Guard finds a problem you can configure it to automatically address the issue through a remediation policy. An alert can be sent when a remediation step is taken.

Target information – Cloud Guard tracks information on registered targets. For OCI, this means compartments. Alerts will be sent when Cloud Guard throttles certain activities. For example, this could be if a detector rule is generating too many unnecessary problems or false positives due to its configuration.

In this article, I will walk you through how to create two notifications for Cloud Guard. The first will send all CRITICAL problems from Cloud Guard to Slack, and the second will send all suspicious activity against a target to email.

Before we start, I am assuming that you have already enabled Oracle Cloud Guard and have configured one or more targets with some detector and responder recipes assigned.

Note: One extremely important point to note is that you MUST configure the following setup within your Cloud Guard reporting region. When you first enable Cloud Guard, you select the region where you want all data for Cloud Guard to be sent. You can see below that I selected Frankfurt. Therefore, all of the below OCI notifications and events configuration must be completed within the Frankfurt region.

                                          

Step 1 – Configure Slack

Since we will be using Slack as our notification channel for our first use case, the first step is to prepare Slack. The OCI notifications service uses Webhooks to talk to Slack. Therefore, you must configure your Slack workspace to enable the incoming Webhook. This is fully documented within the Slack documentation here.

Having followed those steps, I now have a new app defined within Slack.

                                                          

Within that app, I have a Webhook URL, which will post to a channel I have created within my workspace called #cloudguard-notifications.

                                                       

 

Step 2 – Configure OCI Notifications

The next step is to configure OCI notifications with all of the channels that you will be sending notifications to. Within your OCI console, navigate to Application Integration -> Notifications.

                                                 

Within Topics, ensure you have chosen your desired compartment, then choose .

Note: Whilst you can add multiple channels (i.e. subscriptions) to the same topic, I would only recommend doing that if you want to send the same events to multiple channels, e.g. if you wanted to send CRITICAL events to both email and Slack. Otherwise, I would create separate topics for each channel, as we will do in this quick tip.

Give your topic and name and optional complete a description, before clicking .

Your topic will be set to Active.

Click on the name of your topic, e.g. CGNotifications-slack to view the topic details, then click on to add a new subscription. Select Slack as the protocol and paste the Webhook URL you obtained from your Slack configuration in step 1, before clicking .

Your subscription will be created in a PENDING state until you have confirmed in the target channel that you wish to accept the subscription.

Back in Slack, check the channel that you confirmed as the target within your Webhook configuration and you will see a message similar to the one below.

Click the link to activate the subscription and your subscription will change to ACTIVE within OCI.

This completes the Slack notification setup. The next action is to repeat step 2 to create a new Topic, this time for email. Add a new email-based subscription, entering your email address and confirming your subscription through the email you will receive from OCI.

When you have completed this step, you should have two topics, and two subscriptions, all of which should be active.

Step 3 – Configure OCI Events

The final step is to configure the OCI Events so that CloudEvents received from Cloud Guard can be mapped to the notifications you have created above. Within OCI, use the menu to access Application Integration -> Events Service.

                    

From within the Events Service, ensure you are in your required compartment, then click .

Follow the screenshot below to create a new rule that matches Detected – Problem event types from Cloud Guard where the riskLevel attribute equals CRITICAL. The action to take is to send a notification to the Slack topic you created earlier.

Once completed, you will see your new rule has been created and is active.

Create a second rule to capture any suspicious IP activity against a target and send that to email.

You have completed the setup of the events and should see two rules within your Events Service.

Now, whenever either of those events occurs in Cloud Guard, you will receive the appropriate notification. You can use exactly the same approach to send alerts for the third kind of Cloud Guard event types; remediated problems.

Below is an example of the Slack notification being received for a CRITICAL event.

I hope this quick tip has been useful. I have recorded the above setup, which you can watch by clicking the link image below. 

Don't forget, if you want to learn more about Oracle Cloud Guard and get information on how to enable it within your OCI tenancy at no additional cost, you can get more information here.

 

Be the first to comment

Comments ( 0 )
Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.