Posture Control (ZPC)
Adding Alert Rules
You can configure custom alert rules and set up notifications for specific security policy violations that occur in your cloud resources and IaC templates. ZPC triggers alerts in the event of any security policy violations and sends email notifications to recipients to take the necessary action.
You can integrate ZPC with third-party tools (ITSM, cloud storage services, and ChatOps), and send alert notifications and alert data to these tools for incident management. To learn more, see About Third-Party Integrations.
Prerequisites
You must first onboard your cloud accounts or complete the IaC integration before adding cloud or IaC alert rules.
Adding an Alert Rule
To add an alert rule:
- In the left-side navigation, select Alerts.
- On the Alerts page, click the Notifications tab.
- Click Create Rule.
- Under General Information:
  - Alert Rule Name: Enter a unique name for the alert rule.
  - Alert Type: Select Cloud or IaC.
  - Alert Rule Status: Click the toggle to enable the alert rule. Email notifications are sent every time the alert is triggered.
- Click Next.
- Under Scope, configure the details for:
  - Cloud Alert
    Select any of the following scopes:
    - Business Units: Select the business units that must be associated with this alert rule. To learn more, see About Business Units.
    - Clouds: Select the cloud service provider (AWS, Azure, or GCP).
    - Accounts: Select the cloud accounts that must be included in this alert rule.
    - Regions: Select the regions that must be included in this alert rule.
    - Select Policy: Select the security policies that must be included in this alert rule. Use the Compliance, Severity, Threat Category, or Policy Type filter to search for policies.
  - IaC Alert
    Select any of the following scopes:
    - Scan Plugin: Select the IaC plugins for which alert notifications must be sent.
    - Repository: Select the IaC repositories for which alert notifications must be sent.
    - Select Policy: Select the security policies for which alert notifications must be sent. Use the Compliance, Severity, or Policy Type filter to search for specific policies.
- Click Next.
- Under Notifications, configure the alert notification for any of the following:
  - Email
    Configure the following details:
    - Frequency: Select the frequency (Daily or Weekly) of the notification.
    - Send At: Select the time when the email must be sent to the recipients.
    - Timezone: Select the time zone for the notification.
    - Include detailed report: Select the checkbox to send the alert report as an email attachment.
    - Recipients: Enter the email addresses of the recipients.
  - ITSM
    Configure the following details:
    - Select ServiceNow or JIRA.
    - Include in alert payload: Select the data that must be included in the alert payload.
      - Audit Procedure: Steps to audit the policy violation.
      - Remediation: Steps to remediate the policy violation.
      - Resource Metadata: The metadata of the asset or identity.
    - Assignee: Enter the recipient's email ID.
    - Send notifications for closed alerts: Select the checkbox to send notifications for closed alerts.
    - Send notifications for resolved alerts: Select the checkbox to send notifications for resolved alerts.
  - Cloud Storage
    Configure the following details:
    - Select the checkbox for the required cloud storage service, then select the integration account from the drop-down menu.
    - Include in alert payload: Select the data that must be included in the alert payload.
      - Audit Procedure: Steps to audit the policy violation.
      - Remediation: Steps to remediate the policy violation.
      - Resource Metadata: The metadata of the asset or identity.
  - ChatOps
    Select Slack, then select the required channels to which the alert notifications must be sent.
- Click Next.
- Review the alert rule. Click the Edit icon if you want to change any value.
- Click Finish.
The newly added alert rule is displayed on the Notifications tab.