Alert Findings

    Introduction

    The Findings tab in the Alerts page shows a near real-time dashboard view of notifications from Continuous Compliance assessments and from Magellan queries. This gives security admins and managers a single view of compliance and network security issues across their cloud environments. From this view, they can drill down to see more detail about an event, add remarks to the event, or assign it to specific users for remedial action.

    The view is searchable and can be filtered for specific events of interest, according to account, event type, entity type, compliance bundle, and other parameters. Events appear in the Findings view in near real-time.

    Benefits

    • enterprise view across all platforms, accounts, entities
    • shows only operational issues in cloud accounts
      • system messages appear in a separate display
    • search or filter the view for account, region, platform, source, entity, etc.
    • actionable from dashboard (assign, acknowledge, modify)
    • direct links to referenced entities (in Dome9)

    Use cases

    • an enterprise security manager needs a high-level summary of security posture and key metrics of security findings across the organization
    • a security engineer needs a high-level summary of security posture and key metrics of security findings for specific cloud accounts, and the ability to review the security findings for those accounts and apply remediations

    Alerts in Dome9

    Events that appear in the Findings view are generated from these sources: Continuous Compliance failures for rules in assessment bundles, and Magellan queries.

    The Findings view does not show normal system or account events (such as account sign-ins) or configuration issues, which appear in the General Alerts tab in the Notification page.

    Configure alerts

    You can configure notifications from Continuous Compliance or Magellan events to appear in the Alerts Findings view. For Continuous Compliance events, do this by configuring a Notification Policy.

    Continuous Compliance Notification Policy

    You configure Continuous Compliance notifications to the Alert Findings view in Notification Policies. You do this for each policy separately, so you can control which bundles, and which accounts, will generate alerts. To receive alerts from all bundles and accounts, enable it in each policy.

    In the Notification Policy, check the box Include in the alerts console.

    [Image: Notification-Policy-Alerts-console.png]

    Alert Findings View

    The main Findings view shows a list of findings.

    [Image: Notification-Finding-Alerts-main.png]

    In the Filter pane on the left, you can filter the view of events according to account, entity, bundle, event severity, and other parameters.

    You can also search for specific events in the search box. You can search for specific text in the Cloud Account, Rule, Entity and Entity Type fields.

    You can sort the view of events according to any of the displayed columns.

    Click on an event in the list to see more detail. This shows the specific rule that failed (for Compliance events) or query (for Magellan).

    Actions

    From the Findings view, you can perform these actions on events:

    • add comments to an event (these are visible to all viewers)
    • assign an event to a (Dome9) user for further action (such as remedial actions)
    • change the severity of the event (this affects the view if severity is one of the filter settings)
    • acknowledge an event (this marks the event as 'read')
    • export the list of events as a CSV file

    [Image: Notification-Finding-Alerts-actions.png]