feat(notification integration): 📝 notification integration doc #767
Draft: ziracmo wants to merge 7 commits into main from notification-integration-doc
Commits:
a472b25 feat(notification integration): :memo: notification integration doc (ziracmo)
946c666 Add webhook documentation (AlteredCoder)
5521bdc Merge branch 'main' into notification-integration-doc (ziracmo)
1f5f899 fix com (AlteredCoder)
d080b2a Add webhook events doc (AlteredCoder)
53eebdb Fix webhook event example (AlteredCoder)
7d828b9 up (AlteredCoder)
Binary file added (+105 KB): crowdsec-docs/static/img/console/notification_integrations/activate-webhook.png
Binary file added (+84.4 KB): crowdsec-docs/static/img/console/notification_integrations/configure-slack.png
Binary file added (+56.1 KB): ...ocs/static/img/console/notification_integrations/engine-condition-selection.png
Binary file added (+56.6 KB): crowdsec-docs/static/img/console/notification_integrations/events-selection.png
Binary file added (+113 KB): ...ec-docs/static/img/console/notification_integrations/notification-rule-list.png
Binary file added (+19 KB): crowdsec-docs/static/img/console/notification_integrations/rule-information.png
Binary file added (+44.2 KB): ...c-docs/static/img/console/notification_integrations/slack-configuration-tab.png
Binary file added (+35.8 KB): ...cs/static/img/console/notification_integrations/slack-destination-selection.png
Binary file added (+46.1 KB): crowdsec-docs/static/img/console/notification_integrations/webhook-destination.png
Binary file added (+109 KB): ...dsec-docs/static/img/console/notification_integrations/webhook-overview-tab.png
65 changes: 65 additions & 0 deletions
crowdsec-docs/unversioned/console/notification_integrations/overview.mdx
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,65 @@ | ||
--- | ||
id: overview | ||
title: Overview | ||
--- | ||
|
||
Discover all the available notification integrations in CrowdSec. Each integration is designed to help you receive alerts and notifications to various platforms, ensuring you stay informed about security events and incidents. Available [here](https://app.crowdsec.net/settings/integrations). | ||
|
||
> 🌟 Premium feature. CrowdSec let you be linked to any notification integration. However, you need to be a ⭐ Premium organization to unlock the full potential of the notification integrations. | ||
|
||
## Available Integrations | ||
|
||
- [Slack](/u/console/notification_integrations/slack) | ||
- [Webhook](/u/console/notification_integrations/webhook) | ||
- Coming soon: Discord | ||
- Coming soon: Microsoft Teams | ||
|
||
## How to use notification integrations | ||
|
||
1. **Link your integration**: Navigate to the **Settings > Integrations** section in the CrowdSec Console and select the integration you want to link. Follow the instructions provided for each integration. | ||
2. [**Create a notification rule**](/u/console/notification_integrations/rule): Once your integration is linked, navigate to the **Rules** tab of the integration page. Here, you can create notification rules based on specific events or conditions. ([See the documentation](/u/console/notification_integrations/rule) for more details on creating rules.) | ||
|
||
## Available Events | ||
|
||
The following events are available for notification integrations: | ||
|
||
**Threat Hunting** | ||
|
||
| Name | Description | | ||
|------|-------------| | ||
Is Attacking | An attack has been detected from your Security Engine. | | ||
Is Attacked | Your organization is being attacked. | | ||
Alert Triggered | An alert has been triggered. | | ||
|
||
|
||
|
||
**Stack - Management** | ||
|
||
| Name | Description | | ||
|------|-------------| | ||
Security Engine Enrolled | A new Security Engine has been enrolled. | | ||
Security Engine Unenrolled | A Security Engine has been unenrolled. | | ||
Security Engine Long Pending Enroll | A Security Engine has been pending for a long time. | | ||
|
||
**Stack - Monitoring** | ||
|
||
| Name | Description | | ||
|------|-------------| | ||
Firewall Integration Offline | A firewall integration is offline. | | ||
Log Processor No Alert | A log processor has not sent any alerts for 48h. | | ||
Log Processor Offline | A log processor is offline. | | ||
Remediation Component Integration Offline | A remediation component integration is offline. | | ||
Remediation Component Offline | A remediation component is offline. | | ||
CrowdSec Stack Component Outdated | A CrowdSec stack component is outdated (Security Engine, Log Processor, Remediation component). | | ||
Security Engine No Alerts | A Security Engine has not sent any alerts for 48h. | | ||
Security Engine Offline | A Security Engine is offline. | | ||
|
||
**Admin** | ||
|
||
| Name | Description | | ||
|------|-------------| | ||
API Key Expired | An API key has expired. | | ||
Payment Failed | A payment has failed. | | ||
|
||
|
||
## Examples |
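Review bot: The hunk ends on a `## Examples` heading with nothing under it (last added line); add the examples or drop the heading before this leaves draft. In the Stack - Monitoring table the two 48h events are named inconsistently (`Log Processor No Alert` vs `Security Engine No Alerts`), so pick one form. The Premium callout says a Premium organization is needed "to unlock the full potential" without stating what a non-Premium organization can and cannot do with a linked integration; spell that out. The intro paragraph also ends on a dangling "Available [here](...)" fragment that should be folded into a full sentence.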
48 changes: 48 additions & 0 deletions
crowdsec-docs/unversioned/console/notification_integrations/rule.mdx
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,48 @@ | ||
--- | ||
id: rule | ||
title: Notification rule | ||
--- | ||
|
||
> 🌟 Premium feature. | ||
|
||
Notification rules allow you to customize the alerts and notifications you receive from your CrowdSec Console. | ||
By setting up specific rules, you can ensure that you are only notified about events that are relevant to your organization. | ||
This guide will walk you through the process of creating a notification rule for your linked integration. | ||
|
||
> You need at least one integration linked to your CrowdSec Console to create a notification rule. | ||
> If you haven't linked an integration yet, please refer to the [Integrations Overview](/u/console/notification_integrations/overview) for more information on how to do so. | ||
|
||
## Create a notification rule | ||
|
||
1. In the [CrowdSec Console](https://app.crowdsec.net), navigate to **Settings > Notifications** or **Settings > Integrations > (integration of your choice)** and click on add rule. | ||
|
||
 | ||
|
||
2. Select the events you want to be notified about. You can only select one of the three category at the time (Threat Hunting, Stack or Admin). Each of these categories contains a list of [events](/notification_integrations/overview.mdx) that you can choose from. (Threat hunting category let you select only one event due to its conditions variance). | ||
|
||
 | ||
|
||
3. (Optional) Select a conditions. **Stack** category allows you to filter on Security Engine(s). **Threat Hunting > Alert trigger event** allows you to select specific scenarios. | ||
|
||
**Engine condition:** | ||
|
||
 | ||
|
||
**Installed scenarios:** | ||
|
||
{/*  */} | ||
|
||
4. Select destination, which is the integration you want to use for this rule. You can select multiple destination for one rule. Destination input varies depending on the integration you selected. For example, Slack integration let you select a channel, while Webhook integration let you select a URL. | ||
|
||
 | ||
|
||
5. Name and describe your rule. | ||
|
||
 | ||
|
||
6. Click on **Create** to save your rule. | ||
|
||
7. Your rule will now appear in the list of notification rules for your integration. You can edit or delete it at any time. | ||
|
||
 | ||
|
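Review bot: In step 2 the events link points to `/notification_integrations/overview.mdx`, while every other internal link in this PR uses the `/u/console/notification_integrations/...` form with no extension; this one is inconsistent and may not resolve, so use `/u/console/notification_integrations/overview`. Step 2 also names three categories (Threat Hunting, Stack or Admin) where the overview groups events under Threat Hunting, Stack - Management, Stack - Monitoring and Admin, and step 3 refers to an "Alert trigger event" that the overview calls "Alert Triggered"; align the names across both files. The **Installed scenarios:** label in step 3 is followed only by a commented-out image, so either restore the screenshot or remove the label. Minor wording in the same steps: "three category", "Select a conditions", "multiple destination".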
35 changes: 35 additions & 0 deletions
crowdsec-docs/unversioned/console/notification_integrations/slack.mdx
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,35 @@ | ||
--- | ||
id: slack | ||
title: Slack | ||
--- | ||
|
||
|
||
## Link your workspace | ||
|
||
By default Slack let any workspace member add application to it. If you want to learn more about it you can check [this Slack article](https://slack.com/intl/en-gb/help/articles/202035138-Add-apps-to-your-Slack-workspace). | ||
|
||
1. In the [CrowdSec Console](https://app.crowdsec.net), navigate to **Settings > Integrations** and then select **Configure** in the Slack row. | ||
|
||
 | ||
|
||
2. Select the Slack workspace you want to link to your CrowdSec Console using the dropdown menu on top-tight of the page. Then select **Allow**. Repeat the process if you want to link more workspace. | ||
|
||
3. You should be redirected to the Slack integration page. You can now create a notification rule by navigating to the **Rules** tab. | ||
|
||
 | ||
|
||
Your Slack integration is now linked to your CrowdSec Console. If you want to link the integration to a private channel, invite it directly from the Slack channel. | ||
|
||
## Create a notification rule | ||
|
||
1. In the [CrowdSec Console](https://app.crowdsec.net), navigate to **Settings > Integrations > Slack** go to the Rules tab and click on **Add rule**. | ||
|
||
2. Follow the steps in the [Create a notification rule](/u/console/notification_integrations/rule) documentation to create your rule. | ||
|
||
## Troubleshooting | ||
|
||
### Rate Limiting Error | ||
|
||
If you're attempting to create or update a notification rule and are receiving the following error: "Slack rate limit exceeded.", you should enter channel ID instead of the channel Name and wait for a minute. If your workspace has a lot of channels, we advise your to directly add the channel ID next time. | ||
|
||
To find a channel's ID in Slack click the name of the channel at the top of the application and the channel ID will be displayed at the bottom of the modal. |
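Review bot: Step 2 of "Link your workspace" tells the reader to select **Allow** without saying what access the CrowdSec app is given in the workspace; list the permissions requested so a workspace admin can review them before approving, and fix "top-tight" to "top-right" in the same step. The opening sentence covers only the default where any member can add apps; add a line for workspaces where app installation requires admin approval. In the Rate Limiting section, "enter channel ID instead of the channel Name and wait for a minute" is ambiguous about the order of the two actions (wait, then retry with the ID?), and "we advise your" should be "we advise you".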
I think we need to add a simple overview sentence at the very beginning to make the pl understand how it works overall and make them intuit what configuration and rules mean. (could be good in general overview too)
--- example but let's work on phrasing a bit ---
Adding an integration will create an integration configuration specific to your Slack workspace.
Then you can add rules to select what events trigger notifications to what Slack channel.
---- in just 2 sentences we then clarify that integration is global to the workspace and user should NOT expect to select a channel straight away, also we mention "configuration" and "rules" thus explaining the other tabs of the section
@rr404 What do you think of:
"Connecting an integration will create a configuration specific to your Slack workspace.
You can then define rules to control which events trigger notifications and which Slack channel they’re sent to."