Notification Delivery

A Notification Delivery is the alerting mechanism used to send the alerts that match your notification filter settings. Today we support the channels everyone is using: Email, Jira, Slack, Teams, and Webhooks.

Some important considerations - Email DKIM

For email, our domain ctci.ai is hosted on Google, so notifications go out through Google's mail servers, usually from notifications@ctci.ai; please add this address to your allow list. Some emails are sent through Campaign Monitor, and these are also DKIM signed. If an email claiming to be from us does not carry a valid DKIM signature, feel free to delete it. If you can forward the spoofed email to admin@ctci.ai, with the full headers intact so the authentication results are preserved, that helps us block other bad emails and threat actors.
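One way to put the DKIM advice above into a mail-handling rule, as an added example that is not CTCI code: instead of re-verifying the signature (which needs DNS), the check reads the Authentication-Results header (RFC 8601) that your own inbound mail server stamps on every message, and trusts only results that carry your server's authserv-id, because anyone can include a forged Authentication-Results header in mail they send you. The authserv-id `mx.example.com`, the assumption that legitimate mail is signed with d=ctci.ai, and the two sample messages are constructed for illustration.

```python
"""Decide whether an inbound 'CTCI notification' email is DKIM-authenticated.

Added example, not CTCI code. It reads the Authentication-Results header
your own inbound MTA added and ignores results with any other authserv-id.
The authserv-id, the trusted signing-domain set, and both sample messages
below are constructed.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Assumption: the authserv-id your inbound MTA writes in Authentication-Results.
MY_AUTHSERV = "mx.example.com"

# The page says legitimate notifications are DKIM signed by ctci.ai;
# assumption: the signing domain (header.d=) is ctci.ai itself.
TRUSTED_SIGNING_DOMAINS = {"ctci.ai"}


def dkim_pass_domains(msg, authserv=MY_AUTHSERV):
    """Return the header.d= domains with dkim=pass in Authentication-Results
    headers stamped by `authserv`; headers from anyone else are ignored."""
    domains = set()
    for header in msg.get_all("Authentication-Results", []):
        value = " ".join(str(header).split())          # collapse folded whitespace
        authserv_id, _, results = value.partition(";")
        # authserv-id may be followed by a version number ("mx.example.com 1")
        if (authserv_id.split() or [""])[0].lower() != authserv.lower():
            continue
        for clause in results.split(";"):
            method = re.search(r"\bdkim=(\w+)", clause)
            if not method or method.group(1).lower() != "pass":
                continue
            signing = re.search(r"\bheader\.d=([A-Za-z0-9.-]+)", clause)
            if signing:
                domains.add(signing.group(1).lower())
    return domains


def is_trusted_notification(raw, authserv=MY_AUTHSERV,
                            trusted=TRUSTED_SIGNING_DOMAINS):
    """True only if the From domain is trusted AND our own MTA recorded a
    DKIM pass for that same domain (signature aligned with From)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    if from_domain not in trusted:
        return False
    return from_domain in dkim_pass_domains(msg, authserv)


# Constructed sample: a genuine notification after your MTA authenticated it.
GENUINE = b"""Authentication-Results: mx.example.com;
 dkim=pass header.d=ctci.ai header.i=@ctci.ai;
 spf=pass smtp.mailfrom=ctci.ai
From: CTCI Notifications <notifications@ctci.ai>
To: soc@example.com
Subject: CEWL notification

vendor=cisco ...
"""

# Constructed sample: a spoof carrying its own forged Authentication-Results
# header, while your MTA's real result says dkim=none.
SPOOFED = b"""Authentication-Results: mx.example.com; dkim=none; spf=fail smtp.mailfrom=ctci.ai
Authentication-Results: mail.attacker.example; dkim=pass header.d=ctci.ai
From: CTCI Notifications <notifications@ctci.ai>
To: soc@example.com
Subject: Urgent: re-enter your portal password

Click here ...
"""

if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("spoofed", SPOOFED)):
        verdict = "trusted" if is_trusted_notification(raw) else "do not trust; forward to admin@ctci.ai"
        print(name, verdict)
```

This only works if your inbound MTA strips or renames any Authentication-Results header that arrives already claiming your authserv-id, which most MTAs (Postfix with OpenDKIM/OpenDMARC, Exchange, Gmail) do by default; if yours does not, the forged header in the spoofed sample would pass the check.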

An example

In Notification Groups https://ctci.atlassian.net/wiki/spaces/CTCIDOC/pages/325353473, we had an example where a Notification Group needed to be created with a Network Team name. They needed two of their filters going to two different places. This is where a Notification Delivery comes in.

They wanted the

Such as these filters:

  • Filter 1, "Internal Network Team": vendor="cisco", with delivery to their Slack channel "cisco_support".

  • Filter 2, "External Supported Network Team": vendor.str.startswith("palo"), with delivery as email to an external network support team, example_support@somenetworksupport.com.

Some useful links:

  • To rock your filters like a Zen Master, go here.

Notification Delivery API

Please refer to swagger.ctci.ai for more details.

Notification Delivery within the CTCI Portal

Select the menu option, Notification Delivery.

Figure 1, Notification Group Menu Option

The Notification Delivery icon is the ringing bell, because we love the word tintinnabulation, the ringing of bells. If you haven't added a Notification Delivery yet, your page should look something like this: a message saying No Notification Deliveries yet, and a button to create a Notification Delivery. Please see the figure below:

Figure 2, Notification Delivery Create Page

The Notification Delivery Create page below has several fields.

Figure 3, Create a new Notification Delivery.

The Id is the internal reference to this Notification Delivery. The Save button is self-explanatory. The back button goes back to the list of Notification Deliveries.

Field Name: Details

Id: Internal reference; you can ignore it.

Notification Delivery Name: Required. The name you would like to give this Notification Delivery.

Enabled: Whether this Notification Delivery is enabled. It is disabled by default, so remember to enable it or nothing will be sent.

Note: A multi-line field where you can leave a note for others about this Notification Delivery. Recording who to contact, who owns it, and similar details really helps other people and new hires, especially with Slack, where the permissions can break in unexpected ways once the person who set it up leaves.

Notification Delivery Expiry: Future feature: expire this Notification Delivery after a set amount of time.

Company Name: Defaults to your Company Name if you don't set it. If you manage Partners or other companies, you can select under which company this Notification Delivery gets created.

Notification Delivery Role: Future: this will allow different people to edit this Notification Delivery.

Notification Type

Email

Figure 3a, Email Settings

This is as self-explanatory as fastening your seat belt on a plane: enter the email address that should receive your notifications. Make sure notifications@ctci.ai is allowed through your spam filters.

Slack

Figure 3b, Slack Settings

With Slack, the channel name is optional. Use it if you want messages to go to a channel other than the one the webhook was created for, provided the webhook has permission to post there. Most users will just use the webhook link; we support the channel override because Slack's API supports it.

Teams

Figure 3c, Teams Settings

With Teams, there is only a webhook. Unlike Slack, you cannot override the channel the messages are sent to.

Jira

Figure 3d, Jira Settings

This is the Jira setting; every value is required. We support Jira Cloud and Internet-facing Jira instances. If your Jira is on-premise and not reachable from the Internet, an easy alternative is to schedule a Python program that fetches the list of entries and creates the tickets in Jira. (See the Jira and CEWL Automation section below for how to set up Jira to handle CEWL notifications.)

Webhook

Future: the backend is working. If you want Webhook delivery, we can set it up for you in the backend.

Jira and CEWL Automation

Jira is great at workflow, and CEWL is great at showing what threat actors are doing; we think they make a great match.

Setting up Jira

Go to project settings and click on the automation menu option.

Create an incoming webhook, like below:

Creating an Automation

Set it to "No issues from webhook": each CEWL entry creates a new issue rather than updating an existing one, since it does not make sense to update CVE entries from CEWL.

We suggest you create a CVE issue type (call it whatever makes sense for you), then add custom fields that cover the data sent. We support all the fields shown in the CEWL entries field descriptions.

Then, on the incoming webhook, add a Create new issue action.

The Create new issue example settings

Map the incoming data fields to the fields you created in Jira using {{webhookData.<fieldname>}} in the mapping. For example, to set Vendor from the vendor value in the webhook request, put {{webhookData.vendor}} in the field definition.

We send all the fields for every new CEWL entry, and one Jira ticket is created per entry. Sending all notifications together in one batch is not supported for Jira.
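For the on-premise case mentioned under the Jira settings above (a scheduled Python program that creates the tickets itself), here is an added example that is not CTCI's code and not the Jira Automation rule: it builds one issue per CEWL entry through Jira's REST endpoint POST /rest/api/2/issue, maps entry fields to Jira custom fields the same way the {{webhookData.<fieldname>}} mapping does, and remembers which CVEs it has already filed so a re-run of the scheduled job does not open duplicate tickets. The Jira URL, project key, custom field ids, credentials, the CEWL field names other than `vendor`, and the sample entries are assumptions.

```python
"""Create one Jira issue per new CEWL entry from a scheduled job.

Added example, not CTCI code. Uses Jira's REST API (POST /rest/api/2/issue)
with basic auth (email + API token on Cloud; adapt for a PAT on Server/DC).
JIRA_URL, PROJECT_KEY, FIELD_MAP, SEEN_FILE and SAMPLE_ENTRIES are assumed
or constructed; only the `vendor` field name comes from the page.
"""
import base64
import json
import os
import urllib.request

JIRA_URL = "https://jira.example.internal"   # assumption: your on-prem Jira
PROJECT_KEY = "CVE"                           # assumption
ISSUE_TYPE = "CVE"                            # the issue type suggested on this page
# Assumed custom field ids; look yours up under Jira's custom field settings.
FIELD_MAP = {"vendor": "customfield_10050", "product": "customfield_10051"}
SEEN_FILE = "cewl_seen.json"                  # dedup state kept between runs

# Constructed sample entries; CVE ids are placeholders.
SAMPLE_ENTRIES = [
    {"cve": "CVE-0000-0001", "vendor": "cisco", "product": "ios",
     "description": "constructed sample entry"},
    {"cve": "CVE-0000-0002", "vendor": "paloaltonetworks", "product": "pan-os",
     "description": "constructed sample entry"},
]


def issue_payload(entry, project_key=PROJECT_KEY, issue_type=ISSUE_TYPE,
                  field_map=FIELD_MAP):
    """Build the JSON body for POST /rest/api/2/issue from one CEWL entry.
    field_map plays the role of the {{webhookData.<field>}} mapping."""
    fields = {
        "project": {"key": project_key},
        "issuetype": {"name": issue_type},
        "summary": f"{entry['cve']}: {entry['vendor']} {entry['product']}",
        "description": entry.get("description", ""),
    }
    for src, custom_id in field_map.items():
        if src in entry:
            fields[custom_id] = entry[src]
    return {"fields": fields}


def load_seen(path=SEEN_FILE):
    """CVE ids already filed; empty on first run."""
    if os.path.exists(path):
        with open(path) as f:
            return set(json.load(f))
    return set()


def save_seen(seen, path=SEEN_FILE):
    with open(path, "w") as f:
        json.dump(sorted(seen), f)


def jira_post(path, payload, user, token, base=JIRA_URL):
    """POST JSON to Jira with basic auth; returns the parsed response
    ({"id": ..., "key": ..., "self": ...} on 201). Raises HTTPError on 4xx/5xx."""
    auth = base64.b64encode(f"{user}:{token}".encode()).decode()
    req = urllib.request.Request(
        base + path, data=json.dumps(payload).encode(), method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": "Basic " + auth})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def create_issues(entries, seen, post):
    """Create one issue per entry whose CVE is not in `seen`.
    `seen` is updated in place; returns the created issue keys."""
    created = []
    for entry in entries:
        if entry["cve"] in seen:
            continue                      # already filed by an earlier run
        resp = post("/rest/api/2/issue", issue_payload(entry))
        seen.add(entry["cve"])            # mark only after Jira accepted it
        created.append(resp["key"])
    return created


if __name__ == "__main__":
    seen = load_seen()
    def post(path, body):                 # credentials from the environment
        return jira_post(path, body, os.environ["JIRA_USER"], os.environ["JIRA_TOKEN"])
    print(create_issues(SAMPLE_ENTRIES, seen, post))
    save_seen(seen)
```

Replace SAMPLE_ENTRIES with whatever you fetch from the API documented at swagger.ctci.ai, and keep the seen-file on persistent storage: if the job runs twice over the same list without it, you get two tickets per CVE.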

 

How to Edit a Notification Delivery

Go to the list of Notification Deliveries by clicking on the Notification Delivery Button, as mentioned in Figure 1.

Click on one of the entries.

Figure 4, Select a Notification Delivery to Show / Edit

The next page shown is the show page. It shows all the details; to edit, you must go to the edit page. We do this because users with the audit role can only view, not edit, and once a delivery is set up it will mostly be viewed rather than edited. This reduces accidental changes.

Within the list view of Notification Deliveries, for fields that have the “…”, you can read the whole value by mousing over the value.

Figure 4a, Mouse over long fields to read the whole field

Figure 5, Edit a Notification Delivery

Once you have created Notification Deliveries, a dropdown lets you select one of them as the default Notification Delivery.

Testing a Notification Delivery

Once you have created a Notification Delivery, select it in the list view; in show mode you can click Test Notification Delivery.

Note on Testing Notification Delivery

The success or failure message only tells you whether the message could be handed off. For email, it checks only the first hop (that the mail was accepted for sending), not that it reached the inbox; the same goes for Slack, Teams, Webhook, and Jira, where success means the endpoint accepted the request.

If you have selected One message per item, the test sends multiple messages. Otherwise, the test sends a few of the most recent CVEs as one formatted message.
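The following added example (not CTCI's delivery code) ties together the Slack and Teams settings above and the testing note: a delivery is skipped while disabled (the portal default), it sends either one message per item or one batched message, Slack gets an optional channel override while Teams refuses one, and the return value is only the HTTP status from the first hop, so 200 means the webhook endpoint accepted the request and nothing more. The webhook URLs, the delivery dicts, and the sample items are constructed; the Slack body uses the "text" and "channel" keys of Slack's incoming-webhook API, and the Teams body is a plain "text" message.

```python
"""Deliver CEWL-style items to a Slack or Teams incoming webhook.

Added example, not CTCI code. SAMPLE_ITEMS, the delivery dicts and the
webhook URLs are constructed; `vendor` is the field name used on this page.
"""
import json
import urllib.error
import urllib.request

# Constructed sample items; CVE ids are placeholders.
SAMPLE_ITEMS = [
    {"cve": "CVE-0000-0001", "vendor": "cisco", "product": "ios"},
    {"cve": "CVE-0000-0002", "vendor": "paloaltonetworks", "product": "pan-os"},
]


def slack_payload(text, channel=None):
    body = {"text": text}
    if channel:             # optional; the webhook must be allowed to post there
        body["channel"] = channel
    return body


def teams_payload(text, channel=None):
    if channel:             # a Teams webhook is bound to exactly one channel
        raise ValueError("Teams webhooks cannot override the channel")
    return {"text": text}


PAYLOAD_BUILDERS = {"slack": slack_payload, "teams": teams_payload}


def format_item(item):
    return f"{item['cve']}: {item['vendor']} {item['product']}"


def build_messages(items, one_per_item):
    """'One message per item' gives N messages; otherwise all items in one."""
    if one_per_item:
        return [format_item(i) for i in items]
    return ["\n".join(format_item(i) for i in items)] if items else []


def post_json(url, body, timeout=10):
    """First hop only: a 2xx means the webhook endpoint accepted the request,
    not that the message reached a channel anyone reads."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:  # e.g. 404 no_service, 400 invalid_payload
        return exc.code


def deliver(delivery, items, post=post_json):
    """Send `items` according to a delivery dict with keys type, webhook_url,
    enabled, one_per_item and (Slack only) channel. Returns a list of
    (http_status, body) per message; a disabled delivery sends nothing."""
    if not delivery.get("enabled", False):   # disabled by default, as in the portal
        return []
    build = PAYLOAD_BUILDERS[delivery["type"]]
    results = []
    for text in build_messages(items, delivery.get("one_per_item", False)):
        body = build(text, delivery.get("channel"))
        results.append((post(delivery["webhook_url"], body), body))
    return results


if __name__ == "__main__":
    # Constructed delivery mirroring the page's "cisco_support" Slack example.
    slack = {"type": "slack", "enabled": True, "one_per_item": True,
             "channel": "#cisco_support",
             "webhook_url": "https://hooks.slack.com/services/T000/B000/XXXX"}
    for status, body in deliver(slack, SAMPLE_ITEMS):
        print(status, body)
```

Note that Slack only honours the "channel" override for legacy custom-integration webhooks; webhooks installed through a Slack app post to the channel chosen at install time and silently ignore the key, which is one more reason a 200 from the test does not prove where the message landed.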

Formatting a Notification Delivery

Slack, Teams, and similar channels support really rich formatting; it's impressive what you can do nowadays (I still love the lynx browser). If you want a template with field substitution, let us know: our API accepts a template, but there is no way to set it in the portal today.

Deleting a Notification Delivery

There are two ways to do it: within the edit page, use the delete icon shown above in Figure 5; or in the list view, select the checkbox and scroll all the way to the right, where you will see a Delete icon. See Figure 6 below.

Figure 6, Deleting A Notification Delivery