How do I activate alerting and incident notifications?
After defining your configuration baseline and completing the initial hardening needed to meet it (i.e. bringing the incident count to 0), you have laid out exactly how you want your systems to be configured. If anything happens on your systems that changes that assumption, you want to be notified immediately and the incident escalated to the appropriate personnel. There are two choices for alerting:
1. E-mail alert, which simply sends an incident notification to your email address (or multiple addresses) when an incident is created.
2. Ticketing system integration (ITIL), which sends an email that raises a ticket and gets assigned to the right personnel.
A typical scenario in which assumptions change is when a system administrator changes Group Policies without being aware that the change might affect the organization's security posture. Alternatively, installing software on a device might alter the configuration without the person installing it being aware. These scenarios are common in practice and can be hard to detect without a system like Nanitor.
When a particular configuration check breaks, Nanitor creates an incident, which represents the deviation from the rule. It tracks the incident's lifespan from the first rule deviation to the last. For example, if a Group Policy causes a particular rule to be broken on 100 devices, the first breakage triggers the creation of the incident and the subsequent ones are appended to it. The system provides good visibility of incidents and of which devices still have unresolved incidents.
An incident is resolved when the rule no longer deviates from the previously set baseline on any of the associated devices. Another way to resolve the incident is to remove the rule from the baseline. The point is that the organization can make a well-informed decision about how and when to resolve a particular incident.
The incident lifecycle prevents information and notification overload: when a particular rule breaks on many devices simultaneously, only one incident is created and only one notification is sent.
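To make the lifecycle above concrete, here is an added illustrative model (not Nanitor's code) of how one open incident per broken rule absorbs deviations from many devices, is resolved when every device is compliant again or the rule is dropped from the baseline, and emits exactly one "created" and one "resolved" notification. Rule and device names are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Incident:
    rule: str
    devices: set = field(default_factory=set)  # devices currently deviating
    resolved: bool = False


class IncidentTracker:
    """Hypothetical model of the incident lifecycle described in the text:
    one open incident per rule, devices appended to it, resolved when no
    device still deviates or when the rule is removed from the baseline."""

    def __init__(self, baseline):
        self.baseline = set(baseline)   # rules the organization expects to hold
        self.open = {}                  # rule -> open Incident
        self.notifications = []         # ("created" | "resolved", rule)

    def report_deviation(self, device, rule):
        if rule not in self.baseline:
            return None                 # not part of the baseline: nothing to track
        inc = self.open.get(rule)
        if inc is None:
            # First breakage creates the incident and is the only one that notifies.
            inc = Incident(rule)
            self.open[rule] = inc
            self.notifications.append(("created", rule))
        inc.devices.add(device)         # later breakages are appended, no new alert
        return inc

    def report_compliant(self, device, rule):
        inc = self.open.get(rule)
        if inc is None:
            return None
        inc.devices.discard(device)
        if not inc.devices:             # no associated device deviates any more
            self._resolve(rule)
        return inc

    def remove_from_baseline(self, rule):
        self.baseline.discard(rule)
        if rule in self.open:           # dropping the rule also resolves its incident
            self._resolve(rule)

    def _resolve(self, rule):
        inc = self.open.pop(rule)
        inc.resolved = True
        self.notifications.append(("resolved", rule))
```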
The email representing the incident is thorough and describes exactly which rule has been broken and what the impact is. It includes a link to the Nanitor system, which can be clicked for more detailed information.
Enable notifications per benchmark
Notifications are enabled per benchmark: for each benchmark you want notifications for, enable it in the "Benchmarks enabled" list. This lets you enable or disable notifications on a per-benchmark basis. By default, notifications are disabled.
Administration -> Settings (under Organization Management) -> Benchmarks -> check the notification box under each benchmark for which you want notifications to be active. If this box is not checked, no alerts will be sent.
To activate monitoring and configure the e-mail recipients of notification reports, choose one or more of the four notification types:
1. Benchmark incident created (i.e. for configuration-related incidents)
2. Benchmark incident resolved
3. Patch incident created
4. Patch incident resolved
Go to the Administration page -> Notifications, click "Add recipient", add the email address, select "Benchmark Incident Created" and click "Save".