This note explains how to configure CloudGuard Dome9 to send event messages to Slack, using an AWS SNS.
NOTE: There is another, newer, method to configure Slack, using an HTTP Endpoint instead of an AWS SNS. This is described in https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk166433. Both methods are supported, but the newer method is recommended.
The procedure involves these steps:
1. Create an AWS SNS.
2. Set up a Dome9 Notification Policy to send events to the AWS SNS.
3. Create a Dome9 Compliance Policy for an account that will send findings to the SNS Notification Policy.
4. Create an AWS Lambda function (using the script from here) that will be triggered by the SNS, and forward messages to Slack.
5. Configure Slack to use incoming Webhooks, and include the Webhook URL in the Lambda function.
6. Test the configuration.
Step 1 - Create an AWS SNS.
- In the AWS console, navigate to SNS.
- Create a new SNS Topic (see here for steps to do this)
Step 2 - Create a Dome9 Notification Policy
- In the Dome9 console, navigate to Notifications in the Compliance & Governance menu
- Click ADD NOTIFICATION.
- Enter a name & description (e.g., Dome9-Slack-SNS)
- Select SNS in the Immediate Notification section, and enter the ARN for the SNS created in Step 1.
- Select JSON - Full Entity.
- Click SAVE.
Step 3 - Create a Compliance or Log.ic Policy
- Navigate to the Policies page in either the Compliance & Governance menu (for Compliance findings), or Log.ic (for Log.ic findings)
- Click ADD POLICY.
- Select the cloud platform (AWS, Azure, or GCP), then click NEXT (for Log.ic, the only option is AWS).
- Select the accounts (more than one can be selected), then click NEXT.
- Select the compliance rulesets for the policy (more than one can be selected), and then click NEXT.
- Select the Notification Policy created in Step 2, above (additional Notification Policies can also be selected, in which case findings will be sent to all of them).
- Click SAVE.
Step 4 - Create the AWS Lambda Function.
- In AWS, navigate to Lambda.
- Click Create Function.
- Select the Author from scratch option.
- Enter a name for the function, and select Runtime option Node.js 8.10. Leave the Permissions settings at the default settings. Click Create function.
- Expand the Designer section of the function.
- In the Add triggers section on the left, click on SNS, to add an SNS trigger for the function.
- Scroll down to the Configure triggers section, and select the SNS created in Step 1, above.
- Select Enable trigger, then click Add.
- Click on the main body of the Lambda function.
- Download the Dome9 Lambda function script, SNStoSlack.js, from our GitHub repo.
- Copy the script and paste it in the Function code section of the Lambda function.
Step 5 - Configure Slack
- Sign in to your Slack channel (<your channel>.slack.com), and navigate to https://<your-channel>.slack.com/apps/A0F7XDUAZ-incoming-webhooks?next_id=0
- Scroll to the Integration Settings section.
- Select (or create) a Slack channel for the events from Dome9.
- Copy the Webhook URL.
- Return to the AWS Lambda function, scroll down to the Environment variables section, and add two variables:
  - hookUrl - set this to the Webhook URL
  - slackChannel - set this to the Slack channel
- Save the function.
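What the Lambda function in Steps 4 and 5 does with an SNS event, as an added Node.js example (this is not Dome9's SNStoSlack.js script): it reads the hookUrl and slackChannel variables, accepts only an HTTPS hooks.slack.com webhook, escapes the message text, and posts it to Slack. The helper names and the sample event are assumptions, and the global fetch call assumes a Node.js 18 or later runtime rather than the Node.js 8.10 runtime named in Step 4.

```javascript
// Added example: NOT Dome9's SNStoSlack.js. hookUrl and slackChannel are the
// environment variables from Step 5; global fetch assumes Node.js 18 or later.

// Accept only an HTTPS Slack webhook, so a mistyped or tampered hookUrl
// cannot send findings to another host.
function validateHookUrl(raw) {
  const url = new URL(String(raw));
  if (url.protocol !== 'https:' || url.hostname !== 'hooks.slack.com') {
    throw new Error('hookUrl must be an https://hooks.slack.com/ URL');
  }
  return url.href;
}

// Event fields such as UserName can be attacker-influenced. Escaping Slack's
// three control characters keeps them from injecting links or mentions.
function escapeSlack(text) {
  return String(text).replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Build the incoming-webhook payload for one SNS record.
function buildSlackPayload(sns, channel) {
  const subject = escapeSlack(sns.Subject || 'Dome9 event');
  return { channel, text: '*' + subject + '*\n' + escapeSlack(sns.Message || '') };
}

// env and post are injected so the handler can be exercised offline.
function makeHandler(env, post) {
  return async function handler(event) {
    const hookUrl = validateHookUrl(env.hookUrl);
    const results = [];
    for (const record of (event && event.Records) || []) {
      if (record.EventSource !== 'aws:sns' || !record.Sns) {
        results.push('skipped'); // not an SNS delivery
        continue;
      }
      const body = JSON.stringify(buildSlackPayload(record.Sns, env.slackChannel));
      const res = await post(hookUrl, { method: 'POST', body,
        headers: { 'Content-Type': 'application/json' } });
      results.push(res.ok ? 'sent' : 'failed'); // never log hookUrl itself
    }
    return results;
  };
}
// Constructed sample event (not real data): one SNS record, one unrelated record.
const SAMPLE_EVENT = { Records: [
  { EventSource: 'aws:sns', Sns: { Subject: 'Failed logon', Message: 'UserName=<!channel> & more' } },
  { EventSource: 'aws:s3' },
] };
if (typeof module !== 'undefined') module.exports = { handler: makeHandler(process.env, (u, o) => fetch(u, o)) };
```

The webhook URL lets anyone who holds it post to the channel, so keep it only in the function's environment variables and out of logs and source control.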
Step 6 - Test the configuration
Test the configuration from the AWS console.
- In AWS Lambda console, select the Lambda function from the list.
- Click Test.
- Copy this JSON block into the test event, and click Create.
"TopicArn": "The Topic ARN defined",
"Subject": "Failed logon",
"Message": "EventType=UserLogOnFailureEvent, FriendlyType=Failed logon, Timestamp=2017-06-29T18:48:17Z, UserId=50462, UserName=User@dome9.com, IPAddr=22.214.171.124",
"Signature": "c/F4hZt0rUYXzeblsuSgYVq8rxTSTF+lmdfVtylCWmHbM8sZE2y0L75Vd7OQ6gMEQ+hYzJ5QQ+kb7U/G/xRw8tK2euxM5XxvO6v7nOqnkl4ecv/CeGf39j2M/6llMEjAiGAbeU8XsY44Nhsyg+TL+LhEGPC/nvcb4IwYpDVv8JnfUfgjRTTuxcE+QFMIpd9LjIKoRFCCjBmGj3m/dGy12T86VViLWO+wzYH92JdEQDuTdiO4DewGQ7U0o5l9NBmL4JUIAzLGAI6wc8CCIy2cyvumXNE0+Iq05x4NCKr8qAtLHtnQ5BkcseWBeqzM3yqQ9YOmlVVDQ+xTPJRs5QJ+Bg==",
"SigningCertURL": "https://sns.us-west-2.amazonaws.com/SimpleNotificationService-b95095beb82e8f6a046b3aafc7f4149a.pem",
Alternatively, you can test the connection from the Policies page (for Compliance or Log.ic):
- Navigate to the Policies page in the Compliance & Governance or Log.ic menus.
- Hover over the right of the row for a Notification Policy created in Step 2, and click Send All Alerts. This will send all existing alerts for the account to the SNS and, from there, to Slack.
In Slack, events will appear like this: