Monday, March 2, 2020

Extend IBM Cloud Security Advisor with your own security metrics

Custom findings in Security Advisor
The IBM Cloud Security Advisor allows for centralized security management. It offers a unified dashboard that alerts the security administrators of an IBM Cloud account to issues and helps them resolve those issues. The advisor supports the integration of third-party vendors as well as custom findings. Using a REST API or programming language SDKs, it is possible to manage your own security metrics - from creating incident types and events to displaying them on the unified dashboard. In this and a follow-up post, I am going to give you a quick introduction to the Security Advisor and then discuss the code I made available on GitHub in the repo security-advisor-findings. It simplifies the management of custom objects and provides functions for some of my security scans.

Overview: Custom findings in Security Advisor 

The IBM Cloud Security Advisor offers a growing number of security checks. They include pre-integrated findings, partner integrations, built-in insights as well as custom findings. The latter allow you to bring data from existing security tools into Security Advisor or to add your own security scans and related metrics (see screenshot above, section "Account User Management"). In that case, you become a provider of security events.

In addition to the concept of a provider, Security Advisor has notes and occurrences. Both notes and occurrences can be of different pre-defined kinds. Notes are used to define CARDs, FINDINGs and KPIs (key performance indicators). Findings and KPIs are used to report security issues. In that case, you would create an occurrence of kind FINDING or KPI, based on a previously defined note for that finding or KPI.

Security scan found external users
A finding occurrence typically includes a short description of the security issue and suggested steps to resolve it. The screenshot on the left shows a single custom finding. To integrate findings and related KPIs into the Security Advisor dashboard, you need to create a card. A card specifies which finding types and KPIs are shown and how. It could be just numbers, as seen above, or charts. You can also define a badge to be shown if no issues are reported (see top screenshot).

Findings API and SDKs

The Security Advisor offers a REST API to manage notes and occurrences. In addition, you can utilize the Python SDK and Node.js SDK as wrappers around the API. Both are based on IBM core SDKs and hence support common authentication methods.

The SDKs offer functions to list all the findings providers in the account. This is useful, because objects are scoped by account and provider. You can search notes by provider and obtain details. And, of course, it is possible to create new notes, update or delete them. The same goes for occurrences. They are scoped by account, provider and related note. 
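To make the note/occurrence model and the scoping concrete, here is an added example (not code from the security-advisor-findings repo) that turns the result of a scan for external users into the payloads a provider would submit. The payload field names follow the Findings API as I remember them and are an assumption to verify against the API reference; the account id, provider id, note ids and the list of external users are constructed sample values.

```python
from typing import Any, Dict, List, Sequence, Tuple


def note_name(account_id: str, provider_id: str, note_id: str) -> str:
    """Fully qualified note name: occurrences are scoped by account, provider and note."""
    return f"{account_id}/providers/{provider_id}/notes/{note_id}"


def finding_note(provider_id: str, note_id: str, short: str, long: str,
                 severity: str, next_steps: Sequence[Tuple[str, str]]) -> Dict[str, Any]:
    """Note of kind FINDING carrying the suggested remediation steps (assumed payload shape)."""
    return {
        "kind": "FINDING",
        "id": note_id,
        "provider_id": provider_id,
        "short_description": short,
        "long_description": long,
        "reported_by": {"id": provider_id, "title": "Custom security scan"},
        "finding": {"severity": severity,
                    "next_steps": [{"title": t, "url": u} for t, u in next_steps]},
    }


def kpi_note(provider_id: str, note_id: str, short: str, long: str) -> Dict[str, Any]:
    """Note of kind KPI; SUM lets the dashboard add up reported values (assumed payload shape)."""
    return {"kind": "KPI", "id": note_id, "provider_id": provider_id,
            "short_description": short, "long_description": long,
            "reported_by": {"id": provider_id, "title": "Custom security scan"},
            "kpi": {"aggregation_type": "SUM"}}


def scan_to_occurrences(account_id: str, provider_id: str,
                        external_users: Sequence[str]) -> List[Dict[str, Any]]:
    """One scan result -> occurrences: always a KPI, a FINDING only when external users exist."""
    occurrences: List[Dict[str, Any]] = [{
        "note_name": note_name(account_id, provider_id, "external-users-count"),
        "kind": "KPI",
        "id": "external-users-count-latest",
        "kpi": {"value": len(external_users)},
    }]
    if external_users:  # no finding means the card can show its "all clear" badge
        occurrences.append({
            "note_name": note_name(account_id, provider_id, "external-users"),
            "kind": "FINDING",
            "id": "external-users-latest",
            "context": {"resource_type": "IAM users", "service_name": "IAM"},
            "finding": {"severity": "MEDIUM", "certainty": "HIGH",
                        "next_steps": [{"title": "Review these external users: "
                                                 + ", ".join(external_users)}]},
        })
    return occurrences
```

The note dictionaries are created once per provider; the occurrence list is submitted after every scan run, with the occurrence `note_name` pointing back at the note it is based on.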

Conclusions

The IBM Cloud Security Advisor allows for centralized security management. Using an API, it is possible to extend the Security Advisor with your own metrics. I created NOTEs to define my own FINDINGs and KPIs, then a CARD to display the found issues. In the next blog post, I plan to discuss the code I made available in the GitHub repo security-advisor-findings. It provides a simple command line tool to manage the custom objects and has functions for security scans which integrate their results into the Security Advisor.

Read the follow-up post on the command line tool for managing security advisor objects and the post discussing how to use Cloud Functions to implement serverless security scans.

If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik) or LinkedIn.