How-to Guide: Resmo Notification Rules
In cybersecurity, there is no room for delays or alert fatigue. Even a minor vulnerability that goes unnoticed for a while can be enough for a threat actor to exploit. Alert fatigue puts you at just as much risk, because critical issues end up not being addressed in time.
Resmo helps you get notified of the significant Cloud and SaaS security gaps that immediately matter to you in real-time. Let's explore notification rules and how your business can benefit from them.
What is a notification rule on Resmo?
Notification rules are policies that notify you of violations based on specific criteria. Resmo delivers these notifications via the notification channels of your choice, including email, webhook, PagerDuty, Amazon SNS, and more.
For example, suppose you set up a notification rule to receive alerts when there's a high or critical level rule violation regarding your AWS resources. In that case, Resmo alerts you via the selected channel. This way, responsible teams can get alerted and accelerate vulnerability response.
What's the difference between rules and notification rules?
Rules on Resmo automate asset security audits without alerting you through notification channels. Rules display detailed information such as activity, suppression, and remediation only on your Rules page.
On the other hand, notification rules immediately send out notifications when a rule's status changes. Notification rules are built on top of rules; you set criteria such as integration and severity to specify which rules you want to be notified about when their status changes.
Common use cases for notification rules
1. Faster vulnerability response and remediation
Automating security audits from the start of development through staging and production, and throughout the product life cycle, is a must for modern engineering and security teams. The managed and custom rules on Resmo continuously evaluate whether your cloud and SaaS resources comply with them. If any assessed resource fails a rule, you can identify it on your Rules page.
To accelerate vulnerability response times further, your team can set up notifications for critical rules. This way, when a set of rules that matches the criteria is violated, Resmo will immediately send an alert to your selected channel without waiting for long cycles to send a notification. Then, responsible teams can look into the alerts and prioritize remediation.
2. Get alerts only on what matters
Not all policies and rules are equal: some are naturally more critical than others, and the priority of each can depend on your business needs. Therefore, it is a best practice to set up alerts only for critical and high-severity rules so that teams can focus on what really matters: no alert fatigue, and more effective security prioritization.
For example, if you want to be notified only of critical security issues in the cloud, you can map that out easily with notification rules.
3. Different channels for different criteria
Each notification rule can have one or more notification channels. One useful approach is to assign channels to notification rules based on who needs to act: each channel is closer to a specific team or set of authorized people. Let's go over some examples.
Slack: Slack channels are typically shared with related team members. When you set up Slack as a notification channel for a certain rule, all members of that configured channel will be notified of a rule breach.
- One plus side is that the Slack application is often on for everyone during office hours. So, it has a higher chance of instant notification and being noticed.
- You can use Slack for more general issues that address a team.
Email: Unlike other channels, email takes longer to get noticed and usually does not reach all team members. Therefore, the best use case for it is notification rules that concern administrator roles.
For example, a startup product manager can choose to get notified when a newly registered employee's email lacks 2FA.
Opsgenie: When there's a rule violation that concerns dev and ops teams, the ideal notification channel would be Opsgenie. Example rule: Amazon S3 Buckets must be encrypted with KMS.
The anatomy of a notification rule
- Filters, which define when you get a notification
- Notification channels, which define where you get notified
Filtering your notification rules
Each rule has a definitive severity level and an integration to begin with. All of the following filters can be used as criteria for more customized notification rules:
Tags: There are existing tags and custom ones that you can create when building a customized rule on Resmo. You can add all tags or select a set of tags for filtering which rules to get notified of.
Severity: Each rule on Resmo must have a severity level. These severity levels can be used to define your notification rules. For example, a notification rule can alert you when there's a critical level violation.
Integrations: Notification rules can be limited to specified integrations. For example, one notification rule can alert on AWS rule breaches via Amazon SNS, while lower-priority ones, such as Google Workspace best-practice violations, are sent via Slack. (All depending on your priority levels.)
Resource Groups: Resource groups are logically classified sets of assets that you can use to organize your ever-growing inventory of cyber assets. In notification rules, they make it easy to narrow and customize which violations you are alerted on. Common use cases include:
- Environments like staging and production
- Resource types
- Tags on the integrations
Notifications delivered to your favorite channels
You can assign more than one notification channel to a notification rule. Notification channels are also customizable in themselves. For example, to set up an Opsgenie notification channel, you need to map Resmo severity levels to Opsgenie priority levels. The current list of notification channels is as follows:
- Amazon SNS
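As an added illustration of the filter-and-route logic described in the two sections above (this is example code written for this page, not Resmo's own implementation), the snippet below models a rule violation, applies the four filter types (tags, severity, integrations, resource groups) and fans matching alerts out to one or more channels. The data model, the channel names and the severity-to-Opsgenie-priority mapping are assumptions chosen for the example; the sample rules and violations are constructed.

```python
"""Toy model of notification rules: decide which rule violations produce an
alert and which channel each alert goes to.  Constructed example, not Resmo's
code; field names, channel names and the priority mapping are assumptions."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Violation:
    rule: str            # name of the rule whose status changed to "failing"
    severity: str        # "low" | "medium" | "high" | "critical"
    integration: str     # e.g. "aws", "google-workspace"
    resource_group: str  # e.g. "production", "staging"
    tags: frozenset      # tags attached to the rule


@dataclass(frozen=True)
class NotificationRule:
    name: str
    channels: Tuple[str, ...]                     # one or more channels
    severities: Optional[frozenset] = None        # None means "any"
    integrations: Optional[frozenset] = None
    resource_groups: Optional[frozenset] = None
    tags: Optional[frozenset] = None              # match if any tag overlaps

    def matches(self, v: Violation) -> bool:
        """Every configured filter must agree; an unset filter accepts all."""
        if self.severities is not None and v.severity not in self.severities:
            return False
        if self.integrations is not None and v.integration not in self.integrations:
            return False
        if self.resource_groups is not None and v.resource_group not in self.resource_groups:
            return False
        if self.tags is not None and not (self.tags & v.tags):
            return False
        return True


# Assumed mapping for an Opsgenie-style channel that needs severity -> priority.
OPSGENIE_PRIORITY = {"critical": "P1", "high": "P2", "medium": "P3", "low": "P4"}


def build_payload(channel: str, rule: NotificationRule, v: Violation) -> dict:
    """Shape the alert for a channel; only Opsgenie needs the priority field."""
    payload = {
        "notification_rule": rule.name,
        "rule": v.rule,
        "severity": v.severity,
        "integration": v.integration,
        "resource_group": v.resource_group,
    }
    if channel == "opsgenie":
        payload["priority"] = OPSGENIE_PRIORITY[v.severity]
    return payload


def route(violations: Iterable[Violation],
          rules: Iterable[NotificationRule]) -> Dict[str, List[dict]]:
    """Return {channel: [payload, ...]} for every matching violation/rule pair."""
    out: Dict[str, List[dict]] = {}
    for v in violations:
        for r in rules:
            if r.matches(v):
                for ch in r.channels:
                    out.setdefault(ch, []).append(build_payload(ch, r, v))
    return out


# Constructed sample: two notification rules modelled on the post's examples.
RULES = [
    NotificationRule("aws-critical-to-opsgenie", ("opsgenie", "slack"),
                     severities=frozenset({"high", "critical"}),
                     integrations=frozenset({"aws"}),
                     resource_groups=frozenset({"production"})),
    NotificationRule("workspace-best-practice-to-slack", ("slack",),
                     integrations=frozenset({"google-workspace"}),
                     tags=frozenset({"best-practice"})),
]

# Constructed sample violations (rule status changed to failing).
VIOLATIONS = [
    Violation("S3 bucket must be encrypted with KMS", "high", "aws",
              "production", frozenset({"encryption"})),
    Violation("S3 bucket must be encrypted with KMS", "high", "aws",
              "staging", frozenset({"encryption"})),
    Violation("User lacks 2FA", "medium", "google-workspace",
              "production", frozenset({"best-practice", "identity"})),
    Violation("Unused IAM access key", "low", "aws",
              "production", frozenset({"hygiene"})),
]

if __name__ == "__main__":
    for channel, alerts in route(VIOLATIONS, RULES).items():
        print(channel, [a["rule"] for a in alerts])
```

Only the production S3 violation reaches Opsgenie (with priority P2 derived from its high severity); Slack receives that one plus the Google Workspace 2FA finding, while the staging S3 violation and the low-severity IAM finding are filtered out. Unset filters accept everything, so a rule with no filters at all would alert on every status change, which is exactly the alert-fatigue situation the post warns against.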
Create a notification rule step-by-step
Let's go over the steps of creating a notification rule for further demonstration.
Step 1: Log in to your Resmo account and navigate to Settings > Notification Rules.
Step 2: Click the Add Notification Rule button.
Step 3: Give a descriptive name to your notification rule.
Step 4: Now, time to set up the filters. Notifications will be limited to the rules that fit your filters here.
Step 5: Once you set up the filters, select one or more notification channels from the last field.
- Note that some channels must be configured before they show up here.
- To set up notification channels, go to Settings > Notification Channels.
Step 6: Hit the Create button, and it's all done! Now, you can view your notification rule from the notification rules page.
Ready to try?
We have walked you through the basics of notification rules. Now, you're all set to try and see how they work. If you still don't have a Resmo account, you can sign up now with a free trial. For more instructions on Resmo, visit the developer's documentation.