Thursday, March 12, 2020

How to: Slack or email notifications for IBM Cloud security issues

[Figure: Architecture for security notifications]
In my past blogs I introduced you to IBM Cloud Security Advisor and how to integrate your own security scans. You can view all security findings in the Security Advisor dashboard. Another option is to get alerted about new security issues of your choice. For this you need to set up notification channels and messaging. In today's blog I am going to explain the details and share my code.

Overview: Security notifications

You can receive notifications of new security issues by setting up a notification channel in the IBM Cloud Security Advisor. A new channel requires a name, the selection of severity levels and a webhook (a web-based callback mechanism). Notifications are sent to the webhook with the payload encoded as a JWT (JSON Web Token). You can verify the integrity of the payload using a public key.


Setup for security notification channel

When setting up the notification channel, you can apply filters for the source and type of security findings. This can be any of the built-in (out of the box) security checks, those provided by partners, any findings out of the Config advisor or custom findings as discussed in my earlier blog posts and shown below.

[Figure: Select the source and type of security findings]

In terms of restrictions, a supported webhook must use HTTPS, must not require any HTTP headers, and must return status code "200 OK" on success.

Create webhook with Cloud Functions

There are many different ways to create a webhook. I went with a web-enabled Python action in IBM Cloud Functions. The action is actually a sequence of actions: receive and decode the notification, then send out an alert (see the architecture diagram above). The code is available on GitHub in the repository security-advisor-notifications and has functions to post a message in a Slack channel or to send out an email via Mailjet.

All I needed to do was deploy the actions using a manifest file, then obtain the webhook URL for use in the notification channel as described above.

Messaging with Slack or Email

Posting a message to Slack and sending out an email via a service API are very similar in terms of action code. Both, however, require a different setup. In order to have an action or an external service post to Slack, it must be registered as an app and deployed to the Slack workspace and channel. This results in credentials which are then used to configure the action. Once done, everything should work fine and could result in a Slack message as shown below.

[Figure: Security alert on Slack]

There are multiple options to send an email. One is to use an email account and to interact with its SMTP server. Another possible solution is to utilize one of the existing email and messaging services like SendGrid / Twilio, Mailjet / Mailgun, sendinblue or Postmark (to mention just a few). For my tests, I use a Mailjet account. Sending out an email is nothing more than an HTTP POST request with the email as the JSON payload. Once signed up, only the account credentials are needed to invoke the Cloud Functions action. A sample email which I sent out is shown below.

[Figure: Sample email with security alert]
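To make the receive-decode-alert sequence from the Cloud Functions section and the Slack/Mailjet messaging above concrete, here is an added example (my own illustration, not the code from the security-advisor-notifications repository). It assumes the notification JWT arrives in a parameter named "token" and carries "severity" and "title" claims, and it stands in a shared-secret HS256 check for the public-key verification the channel actually uses, so that it runs offline with only the standard library.

```python
import base64, hashlib, hmac, json

# Constructed stand-in key: the real channel is verified with the Security Advisor's public
# key; HS256 with a shared secret is used only so this runs offline with the standard library.
DEMO_SECRET = b"constructed-demo-secret"
ALLOWED_ALGS = {"HS256"}  # explicit allowlist: a token claiming alg "none" is rejected

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_demo_token(claims: dict) -> str:
    """Build a constructed HS256 JWT so the webhook can be exercised without the service."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(DEMO_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def decode_notification(token: str) -> dict:
    """Verify the JWT before trusting any claim; raise ValueError on any problem."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    if json.loads(_b64url_decode(header_b64)).get("alg") not in ALLOWED_ALGS:
        raise ValueError("unexpected signing algorithm")
    expected = hmac.new(DEMO_SECRET, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(_b64url_decode(body_b64))  # only parsed after the signature checks out

def slack_payload(claims: dict, channel: str) -> dict:
    """Slack chat.postMessage body; the 'severity' and 'title' claim names are assumed."""
    return {"channel": channel,
            "text": f"Security Advisor: {claims['severity']} finding '{claims['title']}'"}

def mailjet_payload(claims: dict, sender: str, recipient: str) -> dict:
    """Request body for Mailjet's v3.1 send endpoint (a Messages array)."""
    return {"Messages": [{"From": {"Email": sender}, "To": [{"Email": recipient}],
                          "Subject": f"[{claims['severity']}] {claims['title']}",
                          "TextPart": json.dumps(claims, indent=2)}]}

def webhook_main(params: dict) -> dict:
    """Web action entry point: 200 on success as the channel requires, 400 for a bad token."""
    try:
        claims = decode_notification(params.get("token", ""))  # parameter name is an assumption
    except ValueError as exc:
        return {"statusCode": 400, "body": {"error": str(exc)}}
    return {"statusCode": 200, "body": {"slack": slack_payload(claims, "#security-alerts")}}
```

The two payload builders are what the alerting action would POST to Slack (with the app's bearer token) and to Mailjet (with the API key and secret as basic auth); the HTTP calls themselves are left out so the example stays self-contained.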


Conclusions

With a few steps I was able to set up notifications for the Security Advisor. Now I receive Slack messages and emails for new security issues. Those issues come from built-in insights and my custom checks. Moreover, it was fun to look deeper into those messaging services and utilize them for the alerts. It is something to use for other projects, too. Want to get started?

If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik) or LinkedIn.