Alerts user guide
Alerts can be configured in many ways, in part because they can use any of the filters available in the graphical interface without restriction.
The aim of this guide is to present a few examples of how alerts can be used to meet Information System monitoring needs. It is of course possible to configure more specific alerts to suit the needs of your environment.
Note that each user is assigned an alert reporting new entries published in the CISA KEV or CERT-FR ALE catalogs.
Set up an alert to detect new critical CVEs on a group of assets
To stay informed of changes in vulnerabilities, you can reuse the default alert integration template. In this case, configuring an alert only requires completing its creation form.
The following alert configuration is, for example, triggered when a new critical CVE is detected on a group of assets.
Configuration of an alert to detect new critical CVEs on a group of assets
The configuration of this alert is based on the SMTP - Vulnerability Information integration, present by default on Cyberwatch.
Fields to be filled in:
- Name, with for example the value New critical CVEs detected on group <Group name>
- Location, by choosing Vulnerability Encyclopedia
- Filter, by selecting the Severity: Critical, Status: Present Vulnerability and Group: <Group name> filters; together they restrict the alert to critical CVEs currently present on the assets of that group
- Integration, by choosing SMTP - Vulnerability information
Set up an alert to detect the release of new CVEs for a technology
By adjusting the filter, this mechanism can also be used to be informed of the release of a new CVE for a target technology. This example monitors publications concerning a technology, whether or not that technology is detected in the IS.
Configure an alert to detect the publication of new CVEs for a technology
The configuration of this alert is based on the SMTP - Vulnerability Information integration, present by default on Cyberwatch.
Fields to be filled in:
- Name, with for example the value New CVEs detected on technology <Technology name>
- Location, by choosing Vulnerability Encyclopedia
- Filter, by selecting the Technology: <Technology name> filter
- Integration, by choosing SMTP - Vulnerability information
Set up an alert referencing new assets in a group
Beyond alerts on the evolution of vulnerabilities, you can also monitor assets from the inventory by changing the alert's location. This can, for example, provide visibility over assets added to a group.
Set up an alert referencing new assets in a group
The configuration of this alert is based on the SMTP - Asset Information integration, which can be created from the Administration > Integrations page, by entering:
- SMTP integration as the integration protocol
- SMTP - Asset information as the name
- None as trigger location
- Automatic as recipient
- Yes to the Cyberwatch e-mail layout
- Asset Information as the subject of the e-mail
- The e-mail content below:
<p>
This e-mail was generated by the alert <i>{{ alert_name | escape }}</i> of the instance <a href="{{ node_url | escape }}">{{ node_name | escape }}</a>.
Click <a href="{{ manage_link }}">here to manage the alert</a>.
</p>
{% comment %} Only the first item_limit assets are listed; the remainder is counted at the end of the e-mail. {% endcomment %}
{% assign item_limit = 5 %}
{% for asset in assets limit: item_limit %}
{% comment %} Operator-controlled strings (asset name, description, group names) are HTML-escaped before being rendered. {% endcomment %}
<strong><a href="{{ asset.url }}">{{ asset.name | default: 'Unnamed asset' | escape }}</a></strong><br />
{% if asset.description != blank %}
Description: {{ asset.description | truncate: 200 | escape }}<br />
{% endif %}
{% if asset.groups.size == 1 %}
Group: {{ asset.groups[0].name | escape }}<br />
{% elsif asset.groups.size > 0 %}
Groups: {{ asset.groups | map: 'name' | join: ', ' | escape }}<br />
{% endif %}
Number of CVEs: {{ asset.cve_announcements_count }}<br />
Number of critical CVEs: {{ asset.critical_cve_announcements_count }}<br />
{% if asset.compliance_rules_count != 0 %}
Number of compliance rules: {{ asset.compliance_rules_count }}<br />
Number of passed compliance rules: {{ asset.compliance_rules_succeed_count }}<br />
Number of failed compliance rules: {{ asset.compliance_rules_failed_count }}<br />
Number of compliance rules in anomaly: {{ asset.compliance_rules_anomalies_count }}<br />
{% endif %}
Number of security issues: {{ asset.security_issues_count }}<br /><br />
{% endfor %}
{% assign diff = assets_total | minus: item_limit %}
{% if diff == 1 %}
and 1 other.
{% elsif diff > 0 %}
and {{ diff }} others.
{% endif %}<br />
Then create the alert, filling in the following fields:
- Name, with for example the value New assets detected within group <Group name>
- Location, by selecting Asset inventory
- Filter, by selecting the Group: <Group name> filter
- Integration, by choosing SMTP - Asset Information
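The e-mail template above is hard to check without an instance to send test mails from. The following Python script is an added example, not Cyberwatch's own code: it re-implements the template's logic in plain Python (the default asset name, the 200-character truncation, HTML escaping of operator-controlled fields, the five-item limit and the "and N others" trailer) and runs it over constructed asset records, including one with a hostile name, so you can see what the body will look like and confirm that the `| escape` filters matter. The asset dictionary keys and the cyberwatch.example URLs are assumptions made for this example.

```python
"""Offline rendering of the 'SMTP - Asset Information' e-mail body.

Added example, not Cyberwatch's own code: it re-implements the Liquid template
above in plain Python so its escaping and pagination logic can be exercised on
constructed data without a Cyberwatch instance.  The asset dictionaries and
cyberwatch.example URLs below are constructed for this example; the keys are
the field names the template reads (asset.name, asset.groups, ...).
"""
import html

ITEM_LIMIT = 5  # mirrors {% assign item_limit = 5 %}


def liquid_truncate(text: str, length: int, ellipsis: str = "...") -> str:
    """Mirror Liquid's `truncate`: at most `length` characters, ellipsis included."""
    if len(text) <= length:
        return text
    return text[: max(length - len(ellipsis), 0)] + ellipsis


def render_asset(asset: dict) -> str:
    """Render one asset block. Every operator-typed field (name, description,
    group names) goes through html.escape, as the template's `| escape` does,
    so a name such as <script>alert(1)</script> cannot inject markup into the
    HTML e-mail. Counters are integers and are rendered as-is."""
    name = asset.get("name") or "Unnamed asset"  # the `default:` filter
    lines = [f'<strong><a href="{asset["url"]}">{html.escape(name)}</a></strong><br />']
    description = asset.get("description") or ""
    if description.strip():  # `!= blank`
        lines.append(f"Description: {html.escape(liquid_truncate(description, 200))}<br />")
    groups = asset.get("groups") or []
    if len(groups) == 1:
        lines.append(f"Group: {html.escape(groups[0]['name'])}<br />")
    elif groups:
        lines.append(f"Groups: {html.escape(', '.join(g['name'] for g in groups))}<br />")
    lines.append(f"Number of CVEs: {asset['cve_announcements_count']}<br />")
    lines.append(f"Number of critical CVEs: {asset['critical_cve_announcements_count']}<br />")
    if asset.get("compliance_rules_count", 0) != 0:  # block shown only when rules exist
        lines.append(f"Number of compliance rules: {asset['compliance_rules_count']}<br />")
        lines.append(f"Number of passed compliance rules: {asset['compliance_rules_succeed_count']}<br />")
        lines.append(f"Number of failed compliance rules: {asset['compliance_rules_failed_count']}<br />")
        lines.append(f"Number of compliance rules in anomaly: {asset['compliance_rules_anomalies_count']}<br />")
    lines.append(f"Number of security issues: {asset['security_issues_count']}<br /><br />")
    return "\n".join(lines)


def render_email(alert_name, node_name, node_url, manage_link, assets, assets_total=None):
    """Header, the first ITEM_LIMIT assets, then the 'and N others.' trailer
    computed from assets_total exactly as the template does."""
    assets = list(assets)
    total = len(assets) if assets_total is None else assets_total
    parts = [
        "<p>",
        f"This e-mail was generated by the alert <i>{html.escape(alert_name)}</i> "
        f'of the instance <a href="{html.escape(node_url)}">{html.escape(node_name)}</a>.',
        # manage_link is platform-generated and, as in the template, not escaped.
        f'Click <a href="{manage_link}">here to manage the alert</a>.',
        "</p>",
    ]
    parts.extend(render_asset(a) for a in assets[:ITEM_LIMIT])
    diff = total - ITEM_LIMIT
    if diff == 1:
        parts.append("and 1 other.")
    elif diff > 0:
        parts.append(f"and {diff} others.")
    parts.append("<br />")
    return "\n".join(parts)


def _asset(i: int, **fields) -> dict:
    """Build a constructed asset record with the fields the template reads."""
    base = {"name": f"srv-{i}", "url": f"https://cyberwatch.example/assets/{i}",
            "description": "", "groups": [{"name": "Production"}],
            "cve_announcements_count": i, "critical_cve_announcements_count": 0,
            "compliance_rules_count": 0, "security_issues_count": 0}
    return {**base, **fields}


# Constructed sample: seven assets, so two fall outside the five-item limit.
SAMPLE_ASSETS = [
    _asset(1, name="<script>alert(1)</script>",  # hostile name, must be escaped
           description="x" * 250,                # longer than the 200-char truncation
           groups=[{"name": "Production"}, {"name": "DMZ"}],
           cve_announcements_count=12, critical_cve_announcements_count=3,
           security_issues_count=2),
    _asset(2, name="",                           # falls back to 'Unnamed asset'
           compliance_rules_count=10, compliance_rules_succeed_count=8,
           compliance_rules_failed_count=1, compliance_rules_anomalies_count=1),
] + [_asset(i) for i in range(3, 8)]


def render_sample() -> str:
    """Render the constructed sample with placeholder alert/instance values."""
    return render_email(alert_name="New assets detected within group Production",
                        node_name="cyberwatch-node", node_url="https://cyberwatch.example",
                        manage_link="https://cyberwatch.example/alerts", assets=SAMPLE_ASSETS)


if __name__ == "__main__":
    print(render_sample())
```

Run it and inspect the output: the hostile name appears as `&lt;script&gt;...`, the description is cut to 200 characters, only five assets are listed and the trailer reads "and 2 others." If you change the template (for instance to add a field), the same script is a cheap place to check that every new operator-controlled string is still escaped.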
Set up an alert referencing assets with end-of-life OS
Changing the location also allows you to monitor the status of assets, for example through their security issues.
It is then possible to be alerted when an asset's OS or application has reached end of life. This requires filtering on the Obsolete-OS or Obsolete-Application security issue respectively, as shown below.
Set up an alert listing assets whose OS has reached end-of-life
This alert configuration is based on the SMTP - Asset Information integration, whose creation is detailed in the previous section, Set up an alert referencing new assets in a group.
Fields to be filled in:
- Name, with for example the value New assets whose OS has reached the end of its life
- Location, by selecting Asset inventory
- Filter, by selecting the Security Issue: Obsolete-OS filter
- Integration, by choosing SMTP - Asset Information
Setting up an alert for assets that have a TLS certificate that is expired / about to expire
Changing the location also allows you to monitor the status of inventory assets through their security issues.
It is then possible to be alerted when an asset's TLS certificate has expired or is about to expire. This requires filtering on the TLS_Certificate (expired) or TLS_Certificate (about to expire) security issue, as shown below.
Setting up an alert for assets that have a TLS certificate that is expired / about to expire
The configuration of this alert is based on the SMTP - Asset Information integration, whose creation (including the e-mail content) is detailed in the section Set up an alert referencing new assets in a group.
Then create the alert, filling in the following fields:
- Name, with for example the value New assets whose TLS certificate is about to expire
- Location, by selecting Asset inventory
- Filter, by selecting the Security Issue: TLS_Certificate (about to expire) filter, the Security Issue: TLS_Certificate (expired) filter, or both
- Integration, by choosing SMTP - Asset Information