Alerts user guide

Alert configurations are numerous, in part because they are based on unrestricted use of the filters available in the graphical interface.

The aim of this guide is to present a few examples of how alerts can be used to meet Information System monitoring needs. It is of course possible to configure more specific alerts to suit the needs of your environment.

It should be noted that each user is assigned an alert indicating new vulnerabilities published in the CISA KEV or CERT-FR ALE catalogs.

Set up an alert to detect new critical CVEs on a group of assets

In order to stay informed of changes in vulnerabilities, it is possible to reuse the default alert integration template. In this case, all you need to do to configure an alert is to complete its creation form.

The following alert configuration, for example, is triggered when a new critical CVE is detected on a group of assets.

Configuration of an alert to detect new critical CVEs on a group of assets

The configuration of this alert is based on the SMTP - Vulnerability Information integration, by default present on Cyberwatch.

Fields to be filled in:

  • Name, with for example the value New critical CVEs detected on group <Group name>;

  • Location, by choosing Vulnerability Encyclopedia;

  • Filter, by selecting Severity: Critical, Status: Present Vulnerability, Group: <Group name>;

  • Integration, by choosing SMTP - Vulnerability information.

Set up an alert to detect the release of new CVEs for a technology

By broadening the filter, the same mechanism can also be used to be informed of the release of a new CVE affecting a target technology. This example monitors publications concerning a technology, whether or not that technology is detected in the IS.

Configure an alert to detect the publication of new CVEs for a technology

The configuration of this alert is based on the SMTP - Vulnerability Information integration, by default present on Cyberwatch.

Fields to be filled in:

  • Name, with for example the value New CVEs detected on technology <Technology name>;

  • Location, by choosing Vulnerability Encyclopedia;

  • Filter, by selecting Technology: <Technology name>;

  • Integration, by choosing SMTP - Vulnerability information.

Set up an alert referencing new assets in a group

In addition to alerts on the evolution of vulnerabilities, you can monitor assets from the inventory by changing the filter location. This can, for example, provide visibility over assets added to a group.

Set up an alert referencing new assets in a group

The configuration of this alert is based on the SMTP - Asset Information integration, which can be created from the Administration > Integrations page, by entering:

  • SMTP integration as the integration protocol;

  • SMTP - Asset information as the name;

  • None as trigger location;

  • Automatic as recipient;

  • Yes to the Cyberwatch e-mail layout;

  • Asset Information as the subject of the e-mail;

  • The email content below:

<p>
  Cet e-mail a été généré par l'alerte <i>{{ alert_name | escape }}</i> de l'instance <a href="{{ node_url | escape }}">{{ node_name | escape }}</a>.
  Cliquer <a href="{{ manage_link }}">ici pour gérer l'alerte</a>.
</p>

{% assign item_limit = 5 %}
{% for asset in assets limit: item_limit %}
  <strong><a href="{{ asset.url }}">{{ asset.name | default: 'Actif sans nom' | escape }}</a></strong><br />
  {% if asset.description != blank %}
    Description : {{ asset.description | truncate: 200 | escape }}<br />
  {% endif %}
  {% if asset.groups.size == 1 %}
    Groupe : {{ asset.groups[0].name | escape }}<br />
  {% elsif asset.groups.size > 0 %}
    Groupes : {{ asset.groups | map: 'name' | join: ', ' | escape }}<br />
  {% endif %}
  Nombre de CVE : {{ asset.cve_announcements_count }}<br />
  Nombre de CVE critiques : {{ asset.critical_cve_announcements_count }}<br />
  {% if asset.compliance_rules_count != 0 %}
    Nombre de règles de conformité : {{ asset.compliance_rules_count }}<br />
    Nombre de règles de conformité réussies : {{ asset.compliance_rules_succeed_count }}<br />
    Nombre de règles de conformité échouées : {{ asset.compliance_rules_failed_count }}<br />
    Nombre de règles de conformité en anomalie : {{ asset.compliance_rules_anomalies_count }}<br />
  {% endif %}
  Nombre de défauts de sécurité : {{ asset.security_issues_count }}<br /><br />
{% endfor %}
{% assign diff = assets_total | minus: item_limit %}
{% if diff == 1 %}
  et 1 autre.
{% elsif diff > 0 %}
  et {{ diff }} autres.
{% endif %}<br />
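To check what this template produces before wiring it to an alert, here is an added Python rendering of the same loop, default, truncate and "et N autres" logic over a constructed asset list; it is not Cyberwatch code, the field names and sample values are assumed from the template's variables, and it escapes every interpolated field (the template above leaves asset.url unescaped).

```python
import html
ITEM_LIMIT = 5  # same value as "{% assign item_limit = 5 %}" in the template

# Constructed sample inventory (not real Cyberwatch data); keys mirror the template's
# asset attributes. Asset 2 has no name/description, two groups and no compliance rules.
SAMPLE_ASSETS = [
    {"name": "web-01", "url": "https://cyberwatch.example/assets/1",
     "description": "Front <prod>", "groups": ["Production"],
     "cve_announcements_count": 12, "critical_cve_announcements_count": 2,
     "compliance_rules_count": 10, "compliance_rules_succeed_count": 7,
     "compliance_rules_failed_count": 2, "compliance_rules_anomalies_count": 1,
     "security_issues_count": 1},
    {"name": "", "url": "https://cyberwatch.example/assets/2",
     "description": "", "groups": ["Production", "DMZ"],
     "cve_announcements_count": 0, "critical_cve_announcements_count": 0,
     "compliance_rules_count": 0, "security_issues_count": 3},
]

def truncate(text, length=200):  # Liquid truncate: the "..." counts toward length
    return text if len(text) <= length else text[:length - 3] + "..."

def render_asset(asset):
    """Plain-text lines for one asset, one per <br /> in the template's for loop."""
    name = asset.get("name") or "Actif sans nom"           # | default: 'Actif sans nom'
    lines = [f"{html.escape(name)} <{html.escape(asset['url'])}>"]
    if asset.get("description"):                           # {% if asset.description != blank %}
        lines.append("Description : " + html.escape(truncate(asset["description"])))
    groups = asset.get("groups", [])
    if len(groups) == 1:
        lines.append("Groupe : " + html.escape(groups[0]))
    elif groups:                                           # asset.groups.size > 0
        lines.append("Groupes : " + html.escape(", ".join(groups)))
    lines.append(f"Nombre de CVE : {asset['cve_announcements_count']}")
    lines.append(f"Nombre de CVE critiques : {asset['critical_cve_announcements_count']}")
    if asset["compliance_rules_count"] != 0:               # block hidden when no rules apply
        for suffix, key in (("", "count"), (" réussies", "succeed_count"),
                            (" échouées", "failed_count"), (" en anomalie", "anomalies_count")):
            lines.append(f"Nombre de règles de conformité{suffix} : {asset['compliance_rules_' + key]}")
    lines.append(f"Nombre de défauts de sécurité : {asset['security_issues_count']}")
    return lines

def render_summary(assets, assets_total, item_limit=ITEM_LIMIT):
    """First item_limit assets, then the 'et N autre(s).' trailer the template appends."""
    lines = [line for asset in assets[:item_limit] for line in render_asset(asset)]
    diff = assets_total - item_limit                       # assets_total | minus: item_limit
    if diff == 1:
        lines.append("et 1 autre.")
    elif diff > 0:
        lines.append(f"et {diff} autres.")
    return lines
```

Note that the trailer counts from assets_total, not from the list actually passed, so an alert matching more assets than item_limit only ever shows the first five in the e-mail.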

Then create the alert, filling the following fields:

  • Name, with for example the value New assets detected within group <Group name>;

  • Location, by selecting Asset inventory;

  • Filter, by selecting the Group: <Group name> filter;

  • Integration, by choosing SMTP - Asset Information.

Set up an alert referencing assets with end-of-life OS

Modifying locations also allows us to monitor the status of assets, for example through security issues.

It is then possible to be alerted when an asset’s OS or application has reached end of life. This requires filtering on the Obsolete-OS or Obsolete-Application security issue respectively, as shown below.

Set up an alert listing assets whose OS has reached end-of-life

This alert configuration is based on the SMTP - Asset Information integration, whose creation is detailed in the previous section Set up an alert referencing new assets in a group.

Fields to be filled in:

  • Name, with for example the value New assets whose OS has reached the end of its life;

  • Location, by selecting Asset inventory;

  • Filter, by selecting the Security Issue: Obsolete-OS filter;

  • Integration, by choosing SMTP - Asset Information.

Setting up an alert for assets that have a TLS certificate that is expired / about to expire

Modifying locations also allows us to monitor the status of inventory assets, for example, through security issues.

It is then possible to be alerted when an asset’s TLS certificate is about to expire. This requires filtering on TLS_Certificate (expired) or TLS_Certificate (about to expire) security issue, as shown below.

Setting up an alert for assets that have a TLS certificate that is expired / about to expire

The configuration of this alert is based on the SMTP - Asset Information integration, whose creation (including the e-mail content) is detailed in the previous section Set up an alert referencing new assets in a group.

Then create the alert, filling the following fields:

  • Name, with for example the value New assets whose TLS certificate is about to expire;

  • Location, by selecting Asset inventory;

  • Filter, by selecting the Security Issue: TLS_Certificate (expired / about to expire) filter;

  • Integration, by choosing SMTP - Asset Information.
