Use the Events and Notifications services to send notifications, whenever Cloud Guard detects a problem for which you want to be notified.
Prerequisite: If you want to configure notifications to be sent through Slack, create a Webhook for the Slack channel to receive the notifications before proceeding with the steps in the Cloud Guard Events topic that follows. See Slack documentation.
Note
If you are processing problems entirely within Cloud Guard, you do not need to configure
notifications.
Cloud Guard provides a notification responder, Cloud
Event, that can emit problem details to the Events service. The Cloud Event
responder rule is part of the Responder recipe, which needs to be attached to a
corresponding target or targets. The Cloud Event rule is enabled by default. The
Cloud Event responder does not require other IAM policies and is configured to
execute automatically.
Emitting from Cloud Event to the Events service allows for integration with the
Notifications service, which can push notifications to:
You must set up Events and Notifications from your Cloud Guard Reporting Region, which aggregates problems from the monitored regions and sends out the Cloud Event from the Reporting Region.
Use the Events and Notifications services to send notifications through email or Slack, whenever Cloud Guard detects a problem for which you want to be notified.
Note
To add notifications for more than one event type, perform all the following steps
for the first notification, then repeat steps 3 and 4 for each additional
notification.
In Cloud Guard, ensure that the Cloud Event
rule is enabled for the responder recipe for which you want to receive
notifications.
Open the navigation menu and click Identity & Security. Under Cloud Guard, click
Recipes. On the Recipes page, click Responder Recipes.
Click the name of the recipe for which you want to configure
notifications.
On the Recipe Details page for the responder
recipe, in the Responder Rules section, locate the row for the
Cloud Events rule.
If the entry in the Status column for the Cloud Events
rule is Disabled:
Open its Actions menu and select
Edit.
In the Edit Responder Rule dialog box, drop down the
Status list and select Enabled.
Click Save.
In Cloud Guard, ensure that the target for
which you want to receive notifications has the user-managed (cloned) responder
recipe that you just checked attached, with automatic execution enabled.
Open the navigation menu and click Identity & Security. Under Cloud Guard, click
Configuration. On the Configuration page, click Targets.
On the Targets page, in the Target Name column, click the
name of the target covering the compartments for which you want to
receive notifications.
On the details page for that target, under Resources on the
left, click Detector Recipes.
If the name of the responder recipe appears under Recipe
Name, it is already added.
If there is nothing listed under Recipe Name, click
Add Recipe and select the responder recipe to
add.
If a different responder recipe appears under Recipe
Name:
Open its Actions menu and select
Remove, then confirm the removal.
Click Add Recipe and select the responder recipe
to add.
Ensure that the Cloud Event responder rule is enabled and set to
execute automatically:
Under Recipe Name, click the link for the responder
recipe.
On the details page for the responder recipe, in the
Responder Rules section, locate the row for Cloud
Event responder rule.
In that row, open its Actions menu, and select Edit.
In the Configure Responder Rule dialog box,
Setting section, check the Rule Trigger
setting.
If Rule Trigger is set to Ask me before executing
rule:
Select Execute
Automatically.
Select the CONFIRM EXECUTE AUTOMATICALLY checkbox.
Click
Save.
In the Notifications service, create a topic.
From the Oracle Cloud menu, select Developer Services,
then click Application Integration, then click
Notifications.
On the Topics page, click Create Topic.
In the Create Topic panel:
Enter a Name for the topic.
Avoid entering confidential information.
Optional: Enter a Description for the topic.
Avoid entering confidential information.
Optional: Specify tagging information.
Click Create.
The topic you created appears in the list on the Topics page.
Create a subscription to the topic.
On the Topics page, in the Name column, click the name of
the topic you created.
On the details page for the topic, under Resources, click
Create Subscription.
In the Create Subscription panel:
Set Protocol for email or Slack notification:
Email:
Set Protocol to Email.
Enter the email address that should receive the notifications.
Slack:
Set Protocol to Slack.
For URL, enter the URL for your Slack Webhook.
Specify tag information for one or more tag namespaces.
Click Additional Tag to specify tag information for another tag namespace.
Click Create.
The details page for the subscription you just created appears:
The large "T" icon is orange, with "Pending" under it.
The Subscription Information tab displays "Pending confirmation" just below the tab title.
When you receive the subscription confirmation email, click the Confirm Subscription link in the body of the message.
An Oracle Cloud Infrastructure page appears in your browser, indicating that your subscription is confirmed.
On the details page for the subscription you created:
The large "T" icon is green, with "Active" under it.
The Subscription Information tab no longer displays "Pending confirmation" at the top.
In the Events service, configure a rule to specify conditions under which a
notification is sent.
Ensure that you are in the reporting region of the tenancy where the
responder recipe is active.
To see the reporting region, from the Cloud Guard options panel on the left
select Settings.
To see the region that you are in, drop down the regions list at the
top of the page.
From the Oracle Cloud menu, select Observability & Management, then click Events Service.
Under List Scope, ensure that the Compartment selected is
either the compartment where the resource exists, or a parent of that
compartment.
Click Create Rule.
On the Create Rule page, enter a Display Name for the
rule.
Avoid entering confidential information.
(Optional)
Enter a Description for the rule.
Avoid entering confidential information.
In the Rule Conditions section:
Set Condition to Event Type.
Set Service Name to Cloud Guard.
Set Event Type to the type of event for which you want to be notified.
Cloud Guard - Announcements
Cloud Guard - Status
Detected - Problem
Remediated - Problem
Problem Threshold Reached
To add an attribute filter to the rule, in the Rule Conditions section, click Another Condition.
For example, you could limit:
Cloud Guard - Announcements to only new detector rule announcements.
Cloud Guard - Status to only disabling of Cloud Guard.
Detected - Problem to only problems with risk level 4.
Note
Multiple rules are ANDed to limit the scope for which a notification is sent. To trigger a notification, all conditions must be true.
Set Condition to Attribute.
Set Attribute Name to the parameter on which you want to filter.
For example:

To limit...                                                          Set Attribute Name to...   Set the attribute value to...
Cloud Guard - Announcements to only new detector rule announcements  announcement               DETECTOR_RULE_ADDED
Cloud Guard - Status to only disabling of Cloud Guard                status                     CLOUDGUARD_DISABLED
Detected - Problem to risk level 4                                   riskLevel                  4

For example, if the first field of the condition is Attribute, you might set Attribute Name to riskLevel.
Set the third field of the condition to the value of the parameter on which you want to filter.
For example, if the first field is Attribute and Attribute Name is riskLevel, you might set the third field to Critical.
To add another rule condition to further limit the scope for which a notification is sent, click Another Condition, then repeat the preceding substeps.
In the Actions section:
Set Action Type to Notifications.
Select the Notifications Compartment.
For Topic, select the name of the Notifications topic you created.
Click Create Rule at the bottom of the page.
The details page for the rule you created appears.
Watch for activity for the Cloud Event responder rule with status
Succeeded, on either the Problems or Responder Activity
page.
This activity confirms that the Cloud Event responder rule is being triggered
and it is creating events for that problem in the Events service.
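The Rule Conditions section above says that an Event Type condition and any Attribute conditions are ANDed, so a notification is sent only when every condition holds. The following Python model, added here as an illustration and not part of the Oracle documentation or the Events service, evaluates a few rules against constructed Cloud Guard event envelopes. The envelope layout (eventType, eventID, data.resourceId, data.riskLevel, data.status) follows the fields the page's function reads; the eventType string values, topic names and OCIDs are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Any, Dict, List


@dataclass
class EventRule:
    """One Events rule as built in the console's Rule Conditions section:
    an Event Type condition plus zero or more Attribute conditions."""
    name: str
    event_types: List[str]                  # Event Type condition: any listed type matches
    attributes: Dict[str, str] = field(default_factory=dict)  # Attribute conditions
    topic: str = "cloud-guard-alerts"       # Notifications topic selected under Actions


def rule_matches(rule: EventRule, event: Dict[str, Any]) -> bool:
    """All conditions are ANDed: the event type must match AND every
    attribute filter must equal the value carried under the event's data."""
    if event.get("eventType") not in rule.event_types:
        return False
    data = event.get("data", {})
    for attr_name, wanted in rule.attributes.items():
        actual = data.get(attr_name)
        if actual is None or str(actual) != wanted:
            return False
    return True


def route(rules: List[EventRule], event: Dict[str, Any]) -> List[str]:
    """Topics that would receive a notification for this event, in rule order."""
    return [rule.topic for rule in rules if rule_matches(rule, event)]


# Event type strings below are constructed for this example; only the field
# layout follows the page.
PROBLEM_DETECTED = "com.oraclecloud.cloudguard.problemdetected"
PROBLEM_REMEDIATED = "com.oraclecloud.cloudguard.problemremediated"
GUARD_STATUS = "com.oraclecloud.cloudguard.status"

RULES = [
    # "Detected - Problem" limited to riskLevel CRITICAL, routed to an on-call topic
    EventRule("critical-problems", [PROBLEM_DETECTED], {"riskLevel": "CRITICAL"}, topic="oncall"),
    # Every detected or remediated problem, no attribute filter, routed to an audit topic
    EventRule("all-problems", [PROBLEM_DETECTED, PROBLEM_REMEDIATED], topic="audit"),
    # "Cloud Guard - Status" limited to the service being disabled (table row on the page)
    EventRule("guard-disabled", [GUARD_STATUS], {"status": "CLOUDGUARD_DISABLED"}, topic="oncall"),
]

# Constructed sample envelopes (not real Cloud Guard output).
CRITICAL_PROBLEM = {
    "eventType": PROBLEM_DETECTED, "eventID": "evt-0001",
    "data": {"resourceId": "ocid1.instance.oc1..example", "riskLevel": "CRITICAL"},
}
LOW_PROBLEM = {
    "eventType": PROBLEM_DETECTED, "eventID": "evt-0002",
    "data": {"resourceId": "ocid1.bucket.oc1..example", "riskLevel": "LOW"},
}
GUARD_DISABLED = {
    "eventType": GUARD_STATUS, "eventID": "evt-0003",
    "data": {"status": "CLOUDGUARD_DISABLED"},
}

if __name__ == "__main__":
    for name, ev in [("critical", CRITICAL_PROBLEM), ("low", LOW_PROBLEM), ("disabled", GUARD_DISABLED)]:
        print(name, "->", route(RULES, ev))
```

The LOW_PROBLEM envelope reaches only the audit topic because the riskLevel filter on the first rule fails; a rule with no attribute conditions matches every event of its type, which is why a broad "all problems" rule is usually paired with a narrower one for paging.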
Notifying through OCI Functions
Use the Events and Notifications services to send notifications through Oracle Cloud Infrastructure Functions, whenever Cloud Guard detects a problem for which you want to be notified.
Familiarize yourself with Oracle Functions.
If you are working with Oracle Functions for the first time:
Use standard JSON techniques to extract the values of various fields
from within the data element.
Then use other standard manipulation techniques to perform
transformations and analyses to support whatever logic you require to
complete the function.
(Optional)
Invoke APIs for external services from inside the function to integrate
with external systems, for example:
If the riskLevel is CRITICAL,
call the public APIs for a service management system to open a
ticket, with relevant details populated from other fields in the
event envelope for the problem.
To send the entire data across for further analysis, call an
external SIEM system's APIs.
Use OCI APIs to enrich the data before sending to an external
SIEM.
If you are using JSON, the resulting function code might look something like
this:
import io
import sys
import json

import oci
from fdk import response

# This Python function creates an object in an Object Storage bucket when
# triggered by the OCI Events service with a Cloud Guard problem as input. The
# JSON data for 'additionalDetails' is written out as the content of the
# created object. The function reads two configuration parameters:
#
# OCI_CMPT_ID - Compartment OCID of the OCI bucket
# OCI_OBJ_BUCKET_NAME - Name of the OCI bucket where the object will be created
#
# Object names consist of two parts: resource Id and event Id.
#
def handler(ctx, data: io.BytesIO = None):
    respData = {}
    try:
        # Get the function configuration
        ctxConfig = ctx.Config()
        # Read the event payload and parse the JSON
        funDataStr = data.read().decode('utf-8')
        funData = json.loads(funDataStr)
        respData['RECVD_DATA'] = funDataStr
        # Read the configuration parameters
        ociCmptID = ctxConfig['OCI_CMPT_ID']
        ociBucketName = ctxConfig['OCI_OBJ_BUCKET_NAME']
        # Build the object name: <resource Id>-<event Id>
        ociObjName = funData['data']['resourceId'] + '-' + funData['eventID']
        # Create a resource principal signer and the Object Storage client
        ociResPrncplSigner = oci.auth.signers.get_resource_principals_signer()
        ociObjStoreSvc = oci.object_storage.ObjectStorageClient(config={}, signer=ociResPrncplSigner)
        # Get the 'additionalDetails' field from the problem data
        cgProblem = funData['data']['additionalDetails']
        # Write the problem details to the bucket
        objStoreRespStatus = storeToOCIObjStore(ociObjStoreSvc, ociCmptID, ociBucketName, ociObjName, json.dumps(cgProblem))
        respData['OBJ_STORE_RESP_STATUS'] = objStoreRespStatus
    except Exception as e:
        respData['EXCEPTION_MESSAGE'] = str(e)
        respData['EXCEPTION_MESSAGE_CLASS'] = str(e.__class__)
        sys.stderr.write(json.dumps(respData))
    return response.Response(ctx, response_data=json.dumps(respData), headers={'Content-Type': 'application/json'})


# Creates an object in the given Object Storage bucket and returns the HTTP status
def storeToOCIObjStore(ociObjStoreSvc, cmptID, bucketName, objName, dataStr):
    objStoreNS = ociObjStoreSvc.get_namespace(compartment_id=cmptID).data
    objBody = io.BytesIO(dataStr.encode('utf-8'))
    objStoreResp = ociObjStoreSvc.put_object(objStoreNS, bucketName, objName, objBody)
    return objStoreResp.status
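The text above describes extracting fields from the data element, branching on riskLevel (opening a ticket for CRITICAL problems, forwarding everything to a SIEM) and enriching before forwarding. The following example, added here and not Oracle's function or any vendor's API, implements that routing logic without the oci and fdk dependencies so it runs offline; each external call is represented by the payload it would receive. Field names follow the page's function, the ticket and SIEM key names are assumptions for the example, and the sample payloads are constructed.

```python
import json
from typing import Any, Dict


def parse_event(raw: bytes) -> Dict[str, Any]:
    """Decode the Events-service payload the way the page's handler does."""
    return json.loads(raw.decode("utf-8"))


def object_name(event: Dict[str, Any]) -> str:
    """Same two-part name the page's function uses: resource Id + event Id."""
    return event["data"]["resourceId"] + "-" + event["eventID"]


def ticket_payload(event: Dict[str, Any]) -> Dict[str, Any]:
    """Fields a ticketing API would receive for a CRITICAL problem.
    The key names are assumptions for this example, not any vendor's API."""
    data = event["data"]
    return {
        "summary": f"Cloud Guard {data['riskLevel']} problem on {data['resourceId']}",
        "event_id": event["eventID"],
        "details": data.get("additionalDetails", {}),
    }


def siem_record(event: Dict[str, Any]) -> Dict[str, Any]:
    """Record forwarded to a SIEM for every problem: the whole envelope plus a
    stable key. Enrichment from OCI APIs (compartment names, tags) would be
    merged in here; this example uses only fields already in the event."""
    return {
        "key": object_name(event),
        "source": "cloud-guard",
        "risk_level": event["data"].get("riskLevel"),
        "event": event,
    }


def process_event(raw: bytes) -> Dict[str, Any]:
    """Apply the routing described in the text: all problems to the SIEM,
    CRITICAL ones additionally open a ticket. Returns the payloads that would
    be sent, so the logic can be checked without network access."""
    result: Dict[str, Any] = {}
    try:
        event = parse_event(raw)
        result["object_name"] = object_name(event)
        result["siem"] = siem_record(event)
        if event["data"].get("riskLevel") == "CRITICAL":
            result["ticket"] = ticket_payload(event)
    except (KeyError, ValueError, UnicodeDecodeError) as exc:
        # Like the page's handler: report the failure in the response instead
        # of raising, so one malformed event does not crash the function.
        result["error"] = f"{exc.__class__.__name__}: {exc}"
    return result


# Constructed sample payloads shaped like the envelope the page's function reads.
SAMPLE_CRITICAL = json.dumps({
    "eventType": "com.oraclecloud.cloudguard.problemdetected",  # constructed value
    "eventID": "evt-0001",
    "data": {
        "resourceId": "ocid1.instance.oc1..example",
        "riskLevel": "CRITICAL",
        "additionalDetails": {"problemName": "EXAMPLE_PUBLIC_INSTANCE"},
    },
}).encode("utf-8")
SAMPLE_LOW = json.dumps({
    "eventType": "com.oraclecloud.cloudguard.problemdetected",
    "eventID": "evt-0002",
    "data": {"resourceId": "ocid1.bucket.oc1..example", "riskLevel": "LOW"},
}).encode("utf-8")
SAMPLE_MALFORMED = b'{"eventID": "evt-0003"}'   # no data element

if __name__ == "__main__":
    for raw in (SAMPLE_CRITICAL, SAMPLE_LOW, SAMPLE_MALFORMED):
        print(json.dumps(process_event(raw), indent=2))
```

Keeping the parsing and branching in plain functions that take bytes and return dicts means the decision logic can be unit-tested locally; the handler that wraps them with fdk and the real API clients stays thin.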
Create an application for your function and locate it in the compartment from
which you plan to call the function.
In Cloud Guard, ensure that the Cloud Event
rule is enabled for the responder recipe for which you want to receive
notifications.
Open the navigation menu and click Identity & Security. Under Cloud Guard, click
Recipes. On the Recipes page, click Responder Recipes.
Click the name of the recipe for which you want to configure
notifications.
On the detail page for the responder recipe, in the Responder
Rules section, locate the row for the Cloud Events
rule.
If the entry in the Status column for the Cloud Events
rule is Disabled:
Open its Actions menu and select
Edit.
In the Edit Responder Rule dialog box, drop down the
Status list and select Enabled.
Click Save.
In Cloud Guard, ensure that the target for
which you want to receive notifications has the responder recipe that you just
checked added, with automatic execution enabled.
Open the navigation menu and click Identity & Security. Under Cloud Guard, click
Configuration. On the Configuration page, click Targets.
On the Targets page, in the Target Name column, click the
name of the target about which you want to receive notifications.
On the details page for that target, under Resources on the
left, click Responder Recipes.
If the name of the responder recipe appears under Recipe
Name, it is already added.
If nothing is listed under Recipe Name, click Add
Recipe and select the responder recipe to add.
If a different responder recipe appears under Recipe
Name:
Open its Actions menu and select
Remove, then confirm the removal.
Click Add Recipe and select the responder recipe
to add.
Ensure that the Cloud Event responder rule is set to execute
automatically:
Under Recipe Name, click the link for the responder
recipe.
On the details page for the responder recipe, in the
Responder Rules section, locate the row for Cloud
Event responder rule.
In that row, open its Actions menu, and select Edit.
In the Configure Responder Rule dialog box,
Setting section, check the Rule Trigger
setting.
If Rule Trigger is set to Ask me before executing
rule:
Select Execute
Automatically.
Select the CONFIRM EXECUTE AUTOMATICALLY checkbox.
Click
Save.
In the Events service, configure a rule to specify conditions under which a
notification is sent.
Ensure that you are in the reporting region of the tenancy where the
responder recipe is active.
Note
The Cloud Guard reporting region is NOT the same thing as the OCI home region.
To see the reporting region, from the Cloud Guard options panel on the left, select Settings.
To see the region that you are in, drop down the regions list at the top of the page.
From the Oracle Cloud menu, select Observability & Management, then click Events Service.
Under List Scope, ensure that the Compartment selected is either the compartment where the resource exists, or a parent of that compartment.
Click Create Rule.
On the Create Rule page, enter a Display Name for the rule.
Avoid entering confidential information.
(Optional)
Enter a Description for the rule.
Avoid entering confidential information.
In the Rule Conditions section:
Set Condition to Event Type.
Set Service Name to Cloud Guard.
Set Event Type to the type of event for which you want to be notified:
Detected - Problem
Remediated - Problem
Target - Information
To add another rule condition, in the Rule Conditions section, click Another Condition.
Note
Multiple rules are ANDed to limit the scope for which a notification is sent. To trigger a notification, all conditions must be true.
Set the first field of the condition, for example, to Attribute.
Set the second field to the parameter on which you want to filter.
For example, if the first field is Attribute, you might set Attribute Name to riskLevel.
Set the third field to the value of the parameter on which you want to filter.
For example, if the first field is Attribute and Attribute Name is riskLevel, you might set the third field to Critical.
To add another rule condition to further limit the scope for which a notification is sent, click Another Condition, then repeat the preceding substeps.
In the Actions section:
Set Action Type to Functions.
Select the Functions Compartment that contains the function application.
Select the Function Application that contains the function that you want to run.
If you see "None available in selected compartment," the function application you created is not found in the Functions Compartment that you selected.
Select the Function to run.
Click Create Rule at the bottom of the page.
The details page for the rule you created appears.
Watch for activity for the Cloud Event responder rule with status Succeeded, on either the Problems or Responder Activity page.
This activity confirms that the Cloud Event responder rule is being triggered and is creating events for that problem in the Events service.