Setting up serverless processing of security notifications.
Another option is to get alerted to new security issues in the manner of your choosing. For this, you need to set up notification channels and messaging. In today's blog post, I am going to explain this approach in further detail and share my code.
Overview: Security notifications
You can receive notifications of new security issues by setting up a notification channel in the IBM Cloud Security Advisor. A new channel requires a name, the selection of severity levels, and a webhook (a web-based callback mechanism). Notifications are delivered to the webhook with the payload encoded as a JWT (JSON Web Token). Because the token is signed, you can verify with the channel's public key that the payload is intact and actually originates from the Security Advisor before acting on it.
When setting up the notification channel, you can apply filters for the source and type of security findings. This can be any of the built-in (out of the box) security checks, those provided by partners, any findings out of the Config advisor, or custom findings as discussed in my earlier blog posts and shown below.
In terms of restrictions, supported webhooks need to use HTTPS, must not require any additional HTTP headers, and must return status code "200 OK" on success. Since the channel cannot present a shared secret in a header, the JWT signature is the only thing that authenticates an incoming notification, so the webhook should verify it before doing anything with the payload.
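The verification step in the receiving action, as an added example that is not the code from the security-advisor-notifications repository. It uses only the Python standard library: the RS256 routines (RSASSA-PKCS1-v1_5 with SHA-256) are hand-rolled here so the example runs offline and can mint its own test token; a real action would verify with a library such as PyJWT and load the channel's public key from a package parameter rather than generating a key pair. The `data` field carrying the token and the `statusCode`/`body` response shape are assumptions about the request and the web action, and the claims in the test token are constructed.

```python
"""Verify a Security Advisor style notification JWT inside a Python web action.

Added example, not the blog's repository code. Stdlib only; the RS256
implementation is a demo substitute for a JWT library. Assumptions: the token
arrives as the 'data' field of the request and the action returns a web-action
style {"statusCode": ..., "body": ...} dict.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

# DER prefix of the SHA-256 DigestInfo (RFC 8017, section 9.2, note 1).
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin, adequate for a demo key, not a production generator."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_rsa_keypair(bits=1024):
    """Return ((n, e), (n, d)); 1024 bits keeps the demo fast, use 2048+ for real keys."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))


def _emsa_pkcs1_v15(message, k):
    t = _SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def rs256_sign(message, priv):
    n, d = priv
    k = (n.bit_length() + 7) // 8
    em = int.from_bytes(_emsa_pkcs1_v15(message, k), "big")
    return pow(em, d, n).to_bytes(k, "big")


def rs256_verify(message, signature, pub):
    n, e = pub
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    em = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, _emsa_pkcs1_v15(message, k))


def encode_jwt(claims, priv):
    """Mint a token the way the sender would; used here only to build test input."""
    header = b64url_encode(b'{"alg":"RS256","typ":"JWT"}')
    signing_input = f"{header}.{b64url_encode(json.dumps(claims).encode())}"
    return f"{signing_input}.{b64url_encode(rs256_sign(signing_input.encode(), priv))}"


def decode_notification(token, pub, now=None):
    """Return the claims only if the token is well formed, carries the pinned
    algorithm, verifies under the channel's public key, and is not expired."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header64, payload64, sig64 = parts
    header = json.loads(b64url_decode(header64))
    # Pin the algorithm instead of trusting the header: rejects alg "none" and HMAC downgrades.
    if header.get("alg") != "RS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    if not rs256_verify(f"{header64}.{payload64}".encode(), b64url_decode(sig64), pub):
        raise ValueError("signature verification failed")
    claims = json.loads(b64url_decode(payload64))
    if "exp" in claims and (time.time() if now is None else now) >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def webhook(params, pub, now=None):
    """Web action entry point: 200 only after successful verification, as the
    notification channel expects; anything unverifiable is rejected with 400."""
    try:
        claims = decode_notification(params["data"], pub, now)
    except (KeyError, ValueError, TypeError, AttributeError) as err:
        return {"statusCode": 400, "body": {"error": str(err)}}
    return {"statusCode": 200, "body": {"verified": True, "claims": claims}}
```

The order matters: the algorithm is pinned and the signature checked before the payload is parsed for its content, so a forged or tampered token never reaches the messaging step, and the action answers 200 only for notifications it has actually verified.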
Create a webhook with Cloud Functions
There are many different ways to create a webhook. I went with a web-enabled Python action in IBM Cloud Functions. The action is actually a sequence of actions to receive and decode the notification and then send out an alert (see architecture diagram above). The code is available on GitHub in the repository security-advisor-notifications and has functions to post a message in a Slack channel or to send out an email via Mailjet.
All I needed to do was deploy the actions using a manifest file and then obtain the URL of the web-enabled action for use as the webhook in the notification channel, as described above.
Messaging with Slack or email
Posting a message to Slack or sending an email through a service API is very similar in terms of action code; the setup, however, differs. In order for an action or any other external service to post to Slack, it must be registered as a Slack app and installed into the workspace and channel. This produces credentials which are then used to configure the action. Once configured, the action can post messages like the one shown below.
There are multiple options to send an email. One is to use an email account and to interact with its SMTP server. Another possible solution is to utilize one of the existing email and messaging services like SendGrid/Twilio, Mailjet/Mailgun, sendinblue, or Postmark (to mention just a few).
For my tests, I use a Mailjet account. Sending out an email is nothing more than an HTTP POST request with the email as JSON payload. Once signed up, only the account credentials are needed to configure the Cloud Functions action. A sample email which I sent out is shown below:
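The alerting half of the sequence, as an added example that is not the repository's code: it turns a verified finding into a Slack `chat.postMessage` request and a Mailjet v3.1 `send` request, keeping the request building separate from the network call so the payloads can be inspected offline. The finding keys (`severity`, `name`, `description`) are assumptions about the notification content, and the tokens, addresses and finding used below are constructed. The Slack builder escapes `&`, `<` and `>` because Slack interprets them in message text, so text lifted from a finding could otherwise inject links or a `<!channel>` broadcast.

```python
"""Deliver a verified finding to Slack or Mailjet (added example, not the repo's code).

Assumptions: finding dicts carry 'severity', 'name' and 'description'; the
real notification payload may use other keys.
"""
import base64
import json
import urllib.request

SLACK_URL = "https://slack.com/api/chat.postMessage"
MAILJET_URL = "https://api.mailjet.com/v3.1/send"


def slack_escape(text):
    """Escape the three characters Slack treats specially in message text, so
    finding content cannot inject links or broadcasts such as <!channel>."""
    return str(text).replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")


def format_alert(finding):
    """Plain-text summary shared by both channels (keys are assumed)."""
    return "[{sev}] {name}: {desc}".format(
        sev=str(finding.get("severity", "?")).upper(),
        name=finding.get("name", "unnamed finding"),
        desc=finding.get("description", ""),
    )


def slack_request(finding, bot_token, channel):
    """Build the chat.postMessage request: JSON body, bearer token, escaped text."""
    body = {"channel": channel, "text": slack_escape(format_alert(finding))}
    return urllib.request.Request(
        SLACK_URL, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": "Bearer " + bot_token,
                 "Content-Type": "application/json; charset=utf-8"})


def mailjet_request(finding, api_key, secret_key, sender, recipient):
    """Build the Mailjet v3.1 send request: JSON body, HTTP basic auth with key:secret."""
    text = format_alert(finding)
    body = {"Messages": [{
        "From": {"Email": sender, "Name": "Security Advisor"},
        "To": [{"Email": recipient}],
        "Subject": ("Security Advisor: " + text)[:80],
        "TextPart": text,
    }]}
    creds = base64.b64encode(f"{api_key}:{secret_key}".encode()).decode()
    return urllib.request.Request(
        MAILJET_URL, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": "Basic " + creds,
                 "Content-Type": "application/json"})


def send(request, opener=urllib.request.urlopen):
    """Send a prepared request and return (status, body). The opener is
    injectable so the builders above can be exercised without network access."""
    with opener(request, timeout=10) as resp:
        return resp.status, resp.read().decode()
```

In the action, the credentials for either service come from package or action parameters rather than from the code, and only the message built from the already verified claims is sent; the raw token is never forwarded.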
Get started sending security notifications
With a few steps I was able to set up notifications for the Security Advisor. Now I receive Slack messages and emails for new security issues. Those issues come from built-in insights and my custom checks. Moreover, it was fun to look deeper into those messaging services and utilize them for the alerts. It is something to use for other projects, too. Want to get started?
- Check out the code and instructions on GitHub.
- Read my older posts regarding the Security Advisor, which include an introduction to custom findings as well as code and more to get started integrating your own security checks.
- Learn about the IBM Cloud Security Advisor.