This guide describes the procedure for setting up an integration between a ZeroNorth scan Target and Slack . Integrating ZeroNorth with Slack provides automatic notifications of Issues and Remediations to targeted audiences:
- ZeroNorth detects a new Issue or a new Remediation event for a scan Target
- ZeroNorth send the details to a pre-specified Slack Channel as a JSON payload via Slack’s REST API.
- Slack receives the event and displays the information in the specified channel.
- Additionally, based on how you have configured the target Slack channel, further actions are possible.
Features and Benefits:
- ZeroNorth sends alerts to Slack only for new events, avoiding redundant alerts.
- ZeroNorth also sends to Slack the Remediation Events for a prior Issue.
- Integration is via a single REST URL. ZeroNorth takes care of embedding the details in the JSON message.
- Once the event is in Slack, you have access to all of the outgoing integrations that Slack provides.
Prerequisites
The steps described in this article assume that you have:
- A Slack account
- ZeroNorth platform license and credentials
Setup Procedure
1) Create a New Custom Integration in Slack
Navigate https://[account].slack.com/apps/ > Manage > Custom Integrations > Incoming Webhooks :
Click on Add Configuration . In the subsequent screen, select a Channel (#…) or a User (@…) to direct ZeroNorth notifications to:
Once the target channel/user has been selected, click on Add Incoming Webhooks Integration :
2) Obtain the Webhook URL
Upon successful activation of the new Custom Integration, you will see a screen that displays your Webhook URL :
Additionally, the target Slack channel will show a following confirmation message like this:
Note : The generated URL is associated with the channel or the user specified in the previous step. In the next step, it will be possible to override the target channel/user when inserting the URL into a ZeroNorth Policy.
3) Insert the Slack Webhook URL into your scan Target
Sign in to your ZeroNorth UI account:
- Go to znOPS > Targets .
- To create a new Target with Slack integration, click on Add Target . Follow the instructions in this article for defining a new Target, and then continue below.
- To add Slack integration to an existing Target, click on the name of the Target name to bring up the details for edit.
In the Target edit screen, go to the Notifications section near the bottom:
Check the Slack checkbox and then enter your Webhook URL into the text field. The channel/user field is optional. Click Save .
Things to Keep in Mind
- For a new Target, alerts will be sent when Issues are detected on the first run.
- For an existing Target, alerts will be sent only for net new Issues or Remediation events.
- If you have Rulesets setup to ignore Issues or Remediation events, no alert is sent to Slack for the affected events.