Notification
- Updated on 02 Aug 2023
Timely and actionable notifications play an important role in application protection. Custom notifications let you choose which types of notifications you receive and how often you receive them. Each event has a severity, for example high, medium, or low, and you can choose the severities for which you want to be notified; for example, you can decide to be notified only for high and medium severity events. Navigate to the Administration → Configuration → Notifications page to create custom notifications. Creating a custom notification is a two-step process:
- Create a channel
- Create notification rule
A notification is distributed through a channel.
Step 1 - Create a channel
A channel is a group of destinations (people or systems) that you want to notify when a type of event is triggered. A channel can include one or more of the following destination types:
- Email addresses - A comma-separated list of email addresses.
- Slack webhook - For information on creating a Slack webhook, see Sending messages using Incoming Webhooks.
- S3 webhook
- Splunk webhook - For information on Splunk webhooks, see the Splunk documentation.
- Custom webhook
On the Administration → Configuration → Notifications page, click the Create Channel button and provide the details to configure the channel. You can edit or delete the channel later. Once you have created a channel, the next step is to create a notification rule.
Step 2 - Create notification rule
A notification rule sends notifications through a channel for a category of events and, within that category, specific threat types or event types. You can create rules for different categories; each category contains either threat types or event types. A rule applies either to a specific environment or to all environments; select this from the Environment drop-down list. After you have configured the rule, choose a channel from the channels you created earlier. You can change the channel at any time, but a rule sends to only one channel at a time. Finally, choose the notification frequency, from one notification every hour to one notification every 24 hours.
The following tables list the categories and their corresponding threat types or event types.
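The Custom webhook channel type above hands the notification to an endpoint you operate, so that endpoint needs the checks the product cannot do for you. As an added example (not the product's code and not taken from this page), here is a minimal Python receiver for such a channel: it authenticates the caller with a shared-secret header, rejects non-JSON bodies, keeps only the severities the rule is meant for (here high and medium), and throttles to one forwarded notification per hour for each environment and category, a second line of defence behind the rule's own frequency setting when several rules share one endpoint. The header name, the secret, and the JSON field names (severity, environment, category, threat_type) are assumptions; this page does not document the webhook payload, so replace them with what the product actually sends, and use the token header only if the channel configuration lets you set custom headers.

```python
import hmac
import json
import time
from http.server import BaseHTTPRequestHandler, HTTPServer

# Everything below is an assumption for illustration: this page does not document
# the webhook payload, so the header name, the token and the JSON field names are
# placeholders to be replaced with what the product really sends.
AUTH_HEADER = "X-Webhook-Token"                       # hypothetical header
SHARED_SECRET = b"replace-with-a-long-random-token"  # hypothetical secret
ALLOWED_SEVERITIES = {"high", "medium"}             # the rule only wants high and medium
WINDOW_SECONDS = 3600                                 # at most one forward per hour per key
MAX_BODY_BYTES = 64 * 1024                            # refuse oversized bodies before reading them

_last_sent = {}  # (environment, category) -> time of the last forwarded notification


def process_notification(headers, body, now=None):
    """Validate and filter one webhook call.

    Returns (http_status, decision); decision is 'forwarded', 'filtered-severity',
    'throttled', or the reason the call was rejected.
    """
    now = time.time() if now is None else now

    # 1. Authenticate the caller. The endpoint is reachable by anything that can
    #    route to it, so the body is not trusted until the token matches
    #    (constant-time comparison, so timing does not leak the secret).
    token = str(headers.get(AUTH_HEADER, "")).encode()
    if not hmac.compare_digest(token, SHARED_SECRET):
        return 401, "bad-token"

    # 2. Parse defensively: only a JSON object is acceptable.
    try:
        event = json.loads(body)
    except ValueError:
        return 400, "not-json"
    if not isinstance(event, dict):
        return 400, "not-an-object"

    severity = str(event.get("severity", "")).lower()
    environment = str(event.get("environment", "unknown"))
    category = str(event.get("category", "unknown"))

    # 3. Severity filter, mirroring the "notify only for high and medium" choice.
    if severity not in ALLOWED_SEVERITIES:
        return 200, "filtered-severity"

    # 4. Throttle: one forwarded notification per window for each
    #    (environment, category) pair; later events in the window are dropped.
    key = (environment, category)
    last = _last_sent.get(key)
    if last is not None and now - last < WINDOW_SECONDS:
        return 200, "throttled"
    _last_sent[key] = now
    forward(event)
    return 200, "forwarded"


def forward(event):
    """Hand the notification on (pager, ticket, SIEM). Here it just prints."""
    print(f"[{event.get('severity')}] {event.get('category')}: {event.get('threat_type')}")


class WebhookHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0") or 0)
        if length > MAX_BODY_BYTES:
            self.send_response(413)
            self.end_headers()
            return
        body = self.rfile.read(length)
        status, decision = process_notification(self.headers, body)
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(json.dumps({"result": decision}).encode())


if __name__ == "__main__":
    # Bind to loopback; put a TLS-terminating reverse proxy in front for real use.
    HTTPServer(("127.0.0.1", 8080), WebhookHandler).serve_forever()
```

Run it, point the Custom webhook channel at the proxy in front of port 8080, and send a high-severity test event; an unauthenticated or malformed call is rejected before any of its content is acted on, and a burst of events in one environment and category produces a single forwarded notification per hour.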
Category | Threat type
---|---
Logged threat activity | Enumeration
 | Region
 | Data Loss Prevention (DLP)
 | Custom signature
 | Rate limiting
 | IP type and IP range
 | Cross site scripting
 | Local file inclusion
 | Remote file inclusion
 | HTTP protocol attacks
 | NodeJS injection
 | SQL injection
 | XML external entity injection (XXE)
 | Java application attacks
 | Remote code execution
 | Session fixation
 | Server-Side Request Forgery (SSRF) Signatures
 | Server-Side Request Forgery (SSRF)
 | Basic authentication violation
 | JWT anomaly
 | Scanner detection
 | Authorization bypass - user and object level
 | Broken function level authorization
 | Session violation
 | Content size and content type anomaly
 | Unexpected HTTP response code
 | Unexpected user agent
 | Invalid enumerations
 | Missing field
 | Type anomaly
 | Unrecognized field
 | Value out of range
Blocked threat activity | Region
 | Custom signature
 | Data loss prevention (DLP)
 | In-agent vulnerable library
 | IP type and range
 | Enumeration
 | Threat actor
 | Rate limiting
 | Cross site scripting
 | Local file inclusion
 | Remote file inclusion
 | HTTP protocol attacks
 | NodeJS injection
 | SQL injection
 | XML external entity injection (XXE)
 | Java application attack
 | Remote code execution
 | Session fixation
 | Server-Side Request Forgery (SSRF) Signatures
 | Basic authentication violation
 | Scanner detection
Category | Event type
---|---
Threat actor status change | Normal
 | Threat actor
 | Resolved
 | Always allowed
 | Always denied
 | Suspended
 | Snoozed
Threat actor severity change | Low
 | Medium
 | High
 | Critical
Protection configuration change | Signature-based blocking
 | Rate limiting
 | IP range
 | Location
 | Custom signature
 | Threat auto-blocking
 | Detection exclusions
 | Exclusions
Team activity | Create user
 | Update user
 | Delete user
 | User login
 | User logout
You can also be notified of changes to the notification configuration itself and to the data classification configuration.
Category | Event type
---|---
Notification configuration change | Create
 | Update
 | Delete
Data classification configuration change | Create
 | Update
 | Delete
In addition, you can create notifications for Data collection activity. This category keeps you informed when an agent comes online or goes offline.
If you delete a channel that is associated with a notification rule, that rule is left without a channel: you must manually associate the rule with an existing channel, or create a new channel and associate it with the rule.