AlertOps and Aqua Security
AlertOps’ alert management system can be integrated with Aquasec to receive critical alerts (based on predefined status mappings) and respond to them through email, SMS, push notification or phone alerts. AlertOps ensures that each alert reaches the appropriate team by using workflows, escalation policies and schedules. Based on your ruleset, incidents can be opened and closed automatically, depending on whether Aquasec reports a problem or a recovery.
This integration is possible because AlertOps has a flexible and simple API/Webhook configuration feature that can be combined with Aquasec’s cloud monitoring and alerting capabilities.
(In this guide, we will integrate AlertOps with Aqua through an Amazon SNS topic, so a prerequisite is an AWS environment with the SNS service available.)
AlertOps - Inbound Integrations
We can define an inbound integration in AlertOps to receive the event information from the SNS Topic it is integrated with.
Based on the notifications received, AlertOps ensures that each alert is always routed and assigned to the correct person or team using its escalation policies, schedules and workflow features. AlertOps provides Inbound Integrations for numerous monitoring, chat and ITSM tools, and you can configure one for Aquasec incidents.
At a high level, the flow looks like the diagram shown below – Aquasec, configured with an alert integration, sends notifications to the SNS Topic it is attached to. The SNS Topic pushes each message to the HTTPS endpoint provided by AlertOps. AlertOps must be subscribed to the SNS Topic in order to receive these notifications.
To configure an Inbound Integration in AlertOps to receive alerts from Aqua through SNS:
AlertOps offers numerous integration options; select Aqua Security/Aquasec.
Once you select the integration, specify basic settings such as the integration name, the escalation policy, and the recipients/groups to which the alerts must be assigned.
Once you click Save, the API Integration is created and you are given a unique URL. This URL acts as the access point and must be configured at the source (in this case the SNS Topic) so it can send notifications. Open the integration you just created to configure advanced settings and define how received alerts are processed.
Make a note of the API URL; it will be used in the SNS topic subscription so that SNS sends an HTTP POST request to this URL with a JSON body containing the alert-specific information. Received messages are recorded in the ‘Inbound Log’ table. AlertOps automatically creates an alert when the Message contains “FAIL”, and the incident is closed automatically when the status ‘PASS’ is received.
AWS SNS Configuration to send alerts to AlertOps
Go to your AWS Services console – select Amazon SNS.
In the left tab, select Topics – Create Topic. Select Standard and give the topic a name. Configure other options as needed.
Once you create the topic, in the left tab select Subscriptions – Create Subscription.
In the Topic ARN option, select the name of the topic you just created.
For protocol, select HTTPS, and in the endpoint field paste the API URL you obtained when you created the inbound integration. Configure other options as needed.
Once you create the subscription, go to Topics and select the topic you created.
In the “Subscriptions” section, the subscription will show the status “Pending Confirmation”. This means that AlertOps has not yet confirmed its subscription to this topic and cannot receive notifications.
To confirm the subscription, go to your AlertOps dashboard and, under Integrations, open the ‘Inbound Log’.
You should see an entry in the log from AWS, but no alert will be created for it. Open the message ID detail. In the body section there is a field called “SubscribeURL” whose value is a link. Copy the link and paste it into a new browser tab; you should get a subscription confirmation response. (You can save it if you want to.)
Aqua CSPM Configuration to send alerts to SNS
In the left navigation pane of the Aqua CSPM console, select ‘Integrations’ – click ‘Create Integration’.
Give the integration a name and set the Integration Type to Amazon SNS. Various other options are available, including Email, SMS, Slack, etc.
Copy the SNS topic ARN (from the Topics page in the previous step), paste it into the ARN field and click Create Integration. Make sure the integration is enabled.
Now, in the left navigation pane, select ‘Alerts’ – click ‘Create Alert’. Select your cloud configuration and triggers, and finally select the integration you configured.
That’s it! You have created an integration with Aquasec. Alerts sent by Aqua and their details can be found in the "Inbound Log"/"Alerts" tabs in your AlertOps environment.
Alert Triggering Information:
AlertOps automatically creates an incident when a new alert received from AquaSec has a Message status field containing “FAIL”.
If an alert with status “FAIL” matches an existing Open Alert, AlertOps recognizes the new alert as a duplicate and ignores it. The alert is still recorded in the Inbound Messages table as “Mapped Appended.”
AlertOps automatically closes the same incident when an alert arrives whose Message status does not contain “FAIL” (for example, one containing “PASS”).
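As an added example (not AlertOps' or Aqua's own code), the following Python models the receiving side of the two SNS message types this guide walks through: the SubscriptionConfirmation carrying the SubscribeURL seen in the ‘Inbound Log’ step, and Notifications whose Message status opens, deduplicates or closes an incident according to the rules above. The SNS field names are the real ones; the topic ARN, message IDs, Aqua message text and the dedup key (topic plus Subject) are constructed assumptions.

```python
import json
from dataclasses import dataclass, field
from urllib.parse import urlparse
# Constructed sample payloads in the shape SNS POSTs to an HTTPS subscriber; the ARN,
# message IDs, SubscribeURL token and Aqua message text are placeholders, not real values.
TOPIC = "arn:aws:sns:us-east-1:123456789012:aqua-alerts"
SUBSCRIPTION_CONFIRMATION = json.dumps({
    "Type": "SubscriptionConfirmation", "MessageId": "00000000-0000-0000-0000-000000000001",
    "TopicArn": TOPIC, "Message": "You have chosen to subscribe to the topic.",
    "SubscribeURL": "https://sns.us-east-1.amazonaws.com/?Action=ConfirmSubscription&Token=PLACEHOLDER",
})
FAIL_NOTIFICATION = json.dumps({
    "Type": "Notification", "MessageId": "00000000-0000-0000-0000-000000000002",
    "TopicArn": TOPIC, "Subject": "s3-bucket-public-access",
    "Message": '{"status": "FAIL", "resource": "example-bucket"}',
})
# The recovery for the same check: identical, except the status and a new message ID.
PASS_NOTIFICATION = FAIL_NOTIFICATION.replace("FAIL", "PASS").replace("000002", "000003")

@dataclass
class AlertState:
    open_alerts: dict = field(default_factory=dict)  # dedup key -> MessageId that opened the alert
    inbound_log: list = field(default_factory=list)  # (MessageId, outcome), like the Inbound Log table
def alert_key(msg: dict) -> str:
    # Assumed dedup key (topic + Subject); the page does not document AlertOps' real matching rule.
    return f"{msg.get('TopicArn', '')}|{msg.get('Subject', '')}"

def handle_sns_message(raw: str, state: AlertState) -> str:
    msg = json.loads(raw)
    if msg.get("Type") == "SubscriptionConfirmation":
        # Stays "Pending Confirmation" until SubscribeURL is visited; only follow a real SNS HTTPS URL.
        url = msg["SubscribeURL"]
        parts = urlparse(url)
        if parts.scheme != "https" or not (parts.hostname or "").endswith(".amazonaws.com"):
            raise ValueError("SubscribeURL is not an SNS endpoint")
        state.inbound_log.append((msg["MessageId"], "Pending Confirmation"))
        return "confirm:" + url
    if msg.get("Type") != "Notification":
        raise ValueError(f"unexpected SNS message type: {msg.get('Type')}")
    key = alert_key(msg)
    if "FAIL" in msg.get("Message", ""):
        if key in state.open_alerts:
            outcome = "Mapped Appended"  # duplicate of an open alert: logged, not re-opened
        else:
            state.open_alerts[key] = msg["MessageId"]
            outcome = "Opened"
    else:  # any status without FAIL (e.g. PASS) closes the matching open alert
        outcome = "Closed" if state.open_alerts.pop(key, None) else "No Open Alert"
    state.inbound_log.append((msg["MessageId"], outcome))
    return outcome
```

A production endpoint should additionally verify the SNS message signature before acting on any message, since the endpoint URL is reachable by anyone who learns it.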