How to Get IBM Cloud Security Advisor Alerts via Slack or Email


Setting up serverless processing of security notifications.

In my previous blog posts, I introduced you to IBM Cloud Security Advisor and how to integrate your own security scans. You can view all security findings in the Security Advisor dashboard. 

Another option is to be alerted to new security issues through a channel of your choosing. For this, you need to set up notification channels and messaging. In today's blog post, I am going to explain this approach in further detail and share my code.

Architecture diagram.

Overview: Security notifications

You can receive notifications of new security issues by setting up a notification channel in the IBM Cloud Security Advisor. A new channel requires a name, the selection of severity levels, and a webhook (a web-based callback mechanism). Notifications are sent to the webhook with the payload encoded as a JWT (JSON Web Token). The token is signed, and Security Advisor provides the public key, so the receiver can verify that the payload is authentic and has not been tampered with before acting on it.

Set up channel details—such as webhook and severity—for notifications.

When setting up the notification channel, you can apply filters for the source and type of security findings. This can be any of the built-in (out of the box) security checks, those provided by partners, any findings out of the Config advisor, or custom findings as discussed in my earlier blog posts and shown below.

Select alert source and the finding type.

In terms of restrictions, a supported webhook must use HTTPS, must be callable without any custom HTTP headers (so there is no header-based authentication on the request; the signed JWT is what tells you the notification is genuine), and must return status code "200 OK" on success.
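Putting the two requirements together, the receiving action should verify the JWT signature against the Security Advisor public key before it does anything with the payload, and only answer 200 once that check passes. The following is an added example, not code from the security-advisor-notifications repository. It assumes (the page does not say) that the request body is the JWT string itself, that the token is RS256-signed, and that the action follows the Cloud Functions web-action convention of returning a dict with statusCode and body. It needs the PyJWT and cryptography packages; the key pair and the notification fields are constructed for the demo, whereas in the real deployment the public key comes from Security Advisor.

```python
"""Webhook receiver for Security Advisor notifications (added example).

Assumptions not stated on the page: the body is the JWT string, the
signature algorithm is RS256, and the return value follows the web-action
{"statusCode": ..., "body": ...} convention. Requires PyJWT + cryptography.
"""
import base64
import json

import jwt  # PyJWT
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa

# Pin the algorithm on the receiving side; never let the token header choose it.
ALLOWED_ALGS = ["RS256"]


def verify_notification(token, public_key_pem):
    """Return the decoded notification claims or raise jwt.InvalidTokenError."""
    return jwt.decode(token, public_key_pem, algorithms=ALLOWED_ALGS)


def handle_webhook(body, public_key_pem):
    """Web-action entry point: `body` is the raw request body (the JWT)."""
    try:
        claims = verify_notification(body.strip(), public_key_pem)
    except jwt.InvalidTokenError as exc:
        # Bad signature, disallowed alg, malformed token: do not act on it and
        # do not answer 200, so the failure is visible on the sending side.
        return {"statusCode": 400, "body": {"error": type(exc).__name__}}
    # Security Advisor expects 200 OK; the claims go on to the alerting action.
    return {"statusCode": 200, "body": claims}


# ---- constructed fixtures that play the Security Advisor side ------------

def make_keypair():
    """Demo key pair; in production only the public key is known to the action."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    private_pem = key.private_bytes(
        serialization.Encoding.PEM,
        serialization.PrivateFormat.PKCS8,
        serialization.NoEncryption(),
    ).decode()
    public_pem = key.public_key().public_bytes(
        serialization.Encoding.PEM,
        serialization.PublicFormat.SubjectPublicKeyInfo,
    ).decode()
    return private_pem, public_pem


def sign_notification(claims, private_pem):
    """What the sender does: sign the notification as an RS256 JWT."""
    token = jwt.encode(claims, private_pem, algorithm="RS256")
    return token.decode() if isinstance(token, bytes) else token  # PyJWT 1.x


def _b64url(data):
    return base64.urlsafe_b64encode(json.dumps(data).encode()).rstrip(b"=").decode()


def tamper_payload(token, **changes):
    """Re-encode the payload segment with changed claims, keep the old signature."""
    header, payload, signature = token.split(".")
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    claims.update(changes)
    return ".".join([header, _b64url(claims), signature])


def unsigned_token(claims):
    """An alg=none token: parses fine but must be rejected by the receiver."""
    return _b64url({"alg": "none", "typ": "JWT"}) + "." + _b64url(claims) + "."


SAMPLE_NOTIFICATION = {  # constructed sample; the real claim names are an assumption
    "finding_id": "custom-check-42",
    "severity": "high",
    "provider": "my-custom-scanner",
}

if __name__ == "__main__":
    priv, pub = make_keypair()
    good = sign_notification(SAMPLE_NOTIFICATION, priv)
    print(handle_webhook(good, pub)["statusCode"])                                  # 200
    print(handle_webhook(tamper_payload(good, severity="low"), pub)["statusCode"])  # 400
    print(handle_webhook(unsigned_token(SAMPLE_NOTIFICATION), pub)["statusCode"])   # 400
```

The two negative cases are the ones worth keeping in a test: a payload edited after signing fails the signature check, and a token whose header claims alg=none is refused because the receiver pins RS256 rather than trusting the header. Both are rejected before any claim is read.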

Create a webhook with Cloud Functions

There are many different ways to create a webhook. I went with a web-enabled Python action in IBM Cloud Functions. The action is actually a sequence of actions to receive and decode the notification and then send out an alert (see architecture diagram above). The code is available on GitHub in the repository security-advisor-notifications and has functions to post a message in a Slack channel or to send out an email via Mailjet.

All I needed to do was deploy the actions using a manifest file, then obtain the URL of the web-enabled action and enter it as the webhook in the notification channel as described above.

Messaging with Slack or email

Posting a message to Slack or sending out an email through a service API are very similar in terms of action code: both are an HTTPS POST with a JSON body and a credential. They differ in the setup. In order to have an action or any external service post to Slack, it must be registered as a Slack app and installed into the workspace and channel. This yields credentials (a token for the app), which are then passed to the action as configuration. Once done, everything should work and result in a Slack message similar to what is shown below.

Slack message with a new security alert.

There are multiple options to send an email. One is to use an email account and to interact with its SMTP server. Another possible solution is to utilize one of the existing email and messaging services like SendGrid/Twilio, Mailjet/Mailgun, sendinblue, or Postmark (to mention just a few). 

For my tests, I use a Mailjet account. Sending out an email is nothing more than an HTTP POST request with the email as JSON payload. Once signed up, only the account credentials need to be passed to the Cloud Functions action. A sample email which I sent out is shown below:
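The alerting step for both channels, as an added example (not the code from the security-advisor-notifications repository): the same finding is turned into a Slack chat.postMessage call and a Mailjet v3.1 send call, with the credentials read from action parameters rather than hard-coded. The finding fields, the parameter names and the use of a bot token for Slack are assumptions; the request shapes are those of the two public APIs. A dry-run opener is included so the code runs offline without real credentials.

```python
"""Alerting step of the action sequence: Slack or email via Mailjet (added example).

Assumptions not from the page: the finding fields, the parameter names, and
that the Slack app was installed with a bot token. Standard library only.
"""
import base64
import json
import urllib.request

SLACK_URL = "https://slack.com/api/chat.postMessage"
MAILJET_URL = "https://api.mailjet.com/v3.1/send"


def format_finding(finding):
    """One-line summary shared by both channels."""
    return "[{}] {}: {}".format(
        finding.get("severity", "unknown").upper(),
        finding.get("finding_id", "unknown finding"),
        finding.get("note", ""),
    )


def slack_request(finding, params):
    """Build the chat.postMessage call; the bot token travels in the Authorization header."""
    headers = {
        "Authorization": "Bearer " + params["slack_bot_token"],
        "Content-Type": "application/json; charset=utf-8",
    }
    body = {"channel": params["slack_channel"], "text": format_finding(finding)}
    return SLACK_URL, headers, body


def mailjet_request(finding, params):
    """Build the Mailjet v3.1 send call; auth is HTTP Basic with 'apikey:secret'."""
    creds = params["mailjet_api_key"] + ":" + params["mailjet_api_secret"]
    headers = {
        "Authorization": "Basic " + base64.b64encode(creds.encode()).decode(),
        "Content-Type": "application/json",
    }
    body = {"Messages": [{
        "From": {"Email": params["mail_from"], "Name": "Security Advisor"},
        "To": [{"Email": params["mail_to"]}],
        "Subject": "Security alert: " + finding.get("finding_id", "new finding"),
        "TextPart": format_finding(finding),
    }]}
    return MAILJET_URL, headers, body


class _DryRunResponse:
    """Constructed stand-in for urlopen's response, so the code runs offline."""
    status = 200
    def __init__(self, request): self.request = request
    def read(self): return b'{"ok": true}'
    def __enter__(self): return self
    def __exit__(self, *exc): return False


def dry_run_opener(request, timeout=None):
    return _DryRunResponse(request)


def post_json(url, headers, body, opener=urllib.request.urlopen):
    """POST the JSON body; `opener` is injectable (see dry_run_opener) for tests."""
    request = urllib.request.Request(
        url, data=json.dumps(body).encode(), headers=headers, method="POST")
    with opener(request, timeout=10) as response:
        return response.status, json.loads(response.read().decode() or "{}")


def main(params):
    """Action entry point: `finding` comes from the decode action earlier in the
    sequence; credentials and addresses are bound to the action as parameters."""
    finding = params.get("finding", {})
    opener = dry_run_opener if params.get("dry_run") else urllib.request.urlopen
    results = {}
    if "slack_bot_token" in params:
        results["slack"] = post_json(*slack_request(finding, params), opener=opener)
    if "mailjet_api_key" in params:
        results["email"] = post_json(*mailjet_request(finding, params), opener=opener)
    return results


SAMPLE_PARAMS = {  # constructed: placeholder credentials, never real ones
    "dry_run": True,
    "slack_bot_token": "xoxb-placeholder", "slack_channel": "#security-alerts",
    "mailjet_api_key": "k", "mailjet_api_secret": "s",
    "mail_from": "alerts@example.com", "mail_to": "secops@example.com",
    "finding": {"finding_id": "custom-check-42", "severity": "high",
                "note": "TLS 1.0 still enabled on the load balancer"},
}

if __name__ == "__main__":
    print(main(SAMPLE_PARAMS))
```

Keeping the request builders separate from the sender is what makes the action testable without network access and without a real token or API key in the repository; in the deployment, the credentials are supplied as action parameters and the dry_run flag is simply absent.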

Security alert by email.

Get started sending security notifications

With a few steps I was able to set up notifications for the Security Advisor. Now I receive Slack messages and emails for new security issues, whether they come from the built-in insights or from my custom checks. Moreover, it was fun to look deeper into those messaging services and utilize them for the alerts; they are something to use for other projects, too. Want to get started?

If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik) or LinkedIn