Alerts are used in concert with outbound integrations to send findings data to services outside of VMware Aria Automation for Secure Clouds. For example, an alert associated with a Slack integration can send findings notifications to a designated Slack channel, while an alert for a Jira Cloud integration creates issues for those same findings.
There are two kinds of alerts available:
- Real-time alert - An alert that sends data about individual findings each time they occur.
- Summary alert - An alert that sends data about a group of findings that occur over a defined time period. Summary alerts are only available through the email and Jira Cloud integrations.
When creating an alert, you choose the criteria used to filter findings, so that you only receive alerts for the findings you consider critical. Cloud accounts are the only required criterion, but you can also filter by provider, rule, severity, and more.
Note
If you want to add a rule filter to capture third-party findings for an alert, ensure the rule name is entered correctly, as there is no validation or auto-complete service available for third-party rules. Review the third-party findings section of the Findings guide for more information.
Configuring alerts
You can set up an alert for any service that has an outbound integration in the product. Review each topic in this section for specific instructions per integration.
Create an email alert
Email alerts send notifications to designated email addresses when findings are detected. Alerts can be configured for specific criteria (rules, cloud accounts, and so on). You can add multiple email addresses to a single alert.
- From the dashboard, navigate to Actions > Alerts.
- Select New Alert.
- Enter a Name for your alert.
- Select the Context at which others are able to view and edit this alert. If you're already creating this alert from the context of a specific project, it's set automatically.
- Click the Integration drop-down menu and select Email.
- Select a Type for the alert. There are two choices available:
  - Real Time - Send an individual email alert for each finding.
  - Summary - Send a summary email alert on a defined cadence (hourly, daily, or custom). You can choose to organize the findings by common rule or resource.
- Enter all the email addresses that should receive alerts on the Select emails line.
- Click Next.
- Select the cloud accounts you want to receive email alerts for. You can click Add Another for more criteria to filter findings with (provider, rule, severity, and so on).
- Click Next.
- Review the selections you made and verify they're correct. If desired, you can enter an additional message that displays in the body of every email alert.
- Click Create.
Create a Jira Cloud alert
Jira Cloud alerts are associated with an existing Jira integration and automatically create issues for any rule violation that fits the specified criteria. For example, you can configure an alert to create a Jira issue for any rule with high severity on specific cloud accounts.
- From the dashboard, navigate to Actions > Alerts.
- Select New Alert.
- Enter a Name for your alert.
- Select the Context at which others are able to view and edit this alert. If you're already creating this alert from the context of a specific project, it's set automatically.
- Click the Integration drop-down menu and select Jira.
- Select an existing Jira Cloud integration from the second drop-down menu.
- Click Next.
- Select the cloud accounts you want to receive Jira Cloud alerts for. You can click Add Another for more criteria to filter findings with (provider, rule, severity, and so on).
- Click Next.
- Review the selections you made and verify they're correct. If desired, you can enter an additional message that displays in the body of every alert.
- Click Create.
Create a ServiceNow alert
Important
ServiceNow integration is currently in private beta. Reach out to your customer success team if you're interested in trying it out for your organization.
ServiceNow alerts are associated with an existing ServiceNow integration and automatically create incidents for any rule violation that fits the specified criteria. For example, you can configure an alert to create a ServiceNow incident for any rule with high severity on specific cloud accounts.
- From the dashboard, navigate to Actions > Alerts.
- Select New Alert.
- Enter a Name for your alert.
- Select the Context at which others are able to view and edit this alert. If you're already creating this alert from the context of a specific project, it's set automatically.
- Click the Integration drop-down menu and select ServiceNow.
- Select an existing ServiceNow integration from the second drop-down menu.
- Click Next.
- Select the cloud accounts you want to receive ServiceNow alerts for. You can click Add Another for more criteria to filter findings with (provider, rule, severity, and so on).
- Click Next.
- Review the selections you made and verify they're correct. If desired, you can enter an additional message that displays in the body of every alert.
- Click Create.
Create a Slack alert
Slack alerts send notifications to a designated Slack channel when findings are detected. An alert can be associated with only one Slack integration and channel at a time.
- From the dashboard, navigate to Actions > Alerts.
- Select New Alert.
- Enter a Name for your alert.
- Select the Context at which others are able to view and edit this alert. If you're already creating this alert from the context of a specific project, it's set automatically.
- Click the Integration drop-down menu and select Slack.
- Select an existing Slack integration from the second drop-down menu.
- Enter the name of the Slack channel you want to receive alerts on.
- Click Validate to send a test alert to the channel and verify the connection. The Slack channel must be validated before you can proceed to the next step.
- Click Next.
- Select the cloud accounts you want to receive Slack alerts for. You can click Add Another for more criteria to filter findings with (provider, rule, severity, and so on).
- Click Next.
- Review the selections you made and verify they're correct. If desired, you can enter an additional message that displays in the body of every alert.
- Click Create.
Create a Splunk alert
Splunk alerts can send information about security findings to your Splunk instance, where they are integrated into Splunk-based reporting tools and metrics.
- From the dashboard, navigate to Actions > Alerts.
- Select New Alert.
- Enter a Name for your alert.
- Select the Context at which others are able to view and edit this alert. If you're already creating this alert from the context of a specific project, it's set automatically.
- Click the Integration drop-down menu and select Splunk.
- Select an existing Splunk integration from the second drop-down menu.
- Click Next.
- Select the cloud accounts you want to receive Splunk alerts for. You can click Add Another for more criteria to filter findings with (provider, rule, severity, and so on).
- Click Next.
- Review the selections you made and verify they're correct. If desired, you can enter an additional message that displays in the body of every alert.
- Click Create.
Create an Amazon SQS alert
Amazon SQS alerts send notifications to an SQS queue for events like security findings, where they can serve as triggers for other programmatic actions. For example, an SQS alert that detects an instance running on an insecure network could trigger the automatic shutdown of the instance.
- From the dashboard, navigate to Actions > Alerts.
- Select New Alert.
- Enter a Name for your alert.
- Select the Context at which others are able to view and edit this alert. If you're already creating this alert from the context of a specific project, it's set automatically.
- Click the Integration drop-down menu and select SQS.
- Select an existing SQS integration from the second drop-down menu.
- Click Next.
- Select the cloud accounts you want to receive SQS alerts for. You can click Add Another for more criteria to filter findings with (provider, rule, severity, and so on).
- Click Next.
- Review the selections you made and verify they're correct. If desired, you can enter an additional message that displays in the body of every alert.
- Click Create.
Create an Amazon S3 alert
Amazon S3 alerts send findings data to an S3 or Amazon Security Lake bucket, where they can then be ingested by a security information and event management (SIEM) tool that's been configured to read data from the bucket. This is useful for incorporating VMware Aria Automation for Secure Clouds into other security solutions you may have.
- From the dashboard, navigate to Actions > Alerts.
- Select New Alert.
- Enter a Name for your alert.
- Select the Context at which others are able to view and edit this alert. If you're already creating this alert from the context of a specific project, it's set automatically.
- Click the Integration drop-down menu and select S3.
Note: If you've connected the Amazon S3 integration to an Amazon Security Lake bucket, you can set up an alert for it by selecting the appropriate bucket in the drop-down menu.
- Select an existing S3 integration from the second drop-down menu.
- Select a Type for the alert. There are two choices available:
  - Real Time - Send an individual S3 alert for each finding.
  - Summary - Send a summary S3 alert on a defined cadence (hourly, daily, or custom). You can choose to organize the findings by cloud account, resource, or rule.
Note: If you're creating an alert for an Amazon Security Lake bucket using the Parquet file format, only summary alerts are available.
- Click Next.
- Select the cloud accounts you want the alert to monitor. You can click Add Another for more criteria to filter findings with (provider, rule, severity, and so on).
- Click Next.
- Review the selections you made and verify they're correct. If desired, you can enter an additional message that displays in the body of every alert.
- Click Create.
Create a Webhook alert
Webhook alerts send security findings in JSON format to an assigned URL. You can use webhook alerts to transmit findings to any third-party software that lacks a native integration with VMware Aria Automation for Secure Clouds.
- From the dashboard, navigate to Actions > Alerts.
- Select New Alert.
- Enter a Name for your alert.
- Select the Context at which others are able to view and edit this alert. If you're already creating this alert from the context of a specific project, it's set automatically.
- Click the Integration drop-down menu and select Webhook.
- Select an existing Webhook integration from the second drop-down menu.
- Click Next.
- Select the cloud accounts you want to receive Webhook alerts for. You can click Add Another for more criteria to filter findings with (provider, rule, severity, and so on).
- Click Next.
- Review the selections you made and verify they're correct. If desired, you can enter an additional message that displays in the body of every alert.
- Click Create.
Managing alerts
Alerts are managed from the Actions > Alerts page of the VMware Aria Automation for Secure Clouds browser client. Which alerts you can view is determined by the current context you've selected in the client. For example, if you have access to the organization context, you can see all alerts that were configured under the organization. A project context only shows the alerts that were created for that project, if any.
Turn an alert on or off
You can turn an alert on and off by clicking the Enable toggle next to it. Alerts stop sending information about security findings to their associated integrations when they're not enabled.
Edit an alert
To change an existing alert, select it from the list, select Edit Alert and make any desired changes (like adding or removing cloud accounts).
Clone an alert
To make a copy of an alert, select it from the list and click Clone Alert. This is useful when creating similar alerts in bulk.
Delete an alert
To delete an alert, select it and click Delete Alert. This is the only action you can perform while multiple alerts are selected. Deleted alerts are not recoverable.