Setting Up Your First Monitoring Group

After you have completed the onboarding procedure, you can start configuring your Monitoring Group.

Overview of Monitoring Groups

Monitoring group configuration lets you tailor Threat Detection to your needs so that you are only alerted about the types of changes and threats you care about. You can create multiple monitoring groups, each monitoring a different set of alerts.

What you can configure:

1. Scope of the monitoring group

You can limit the scope being monitored to specific accounts or regions so that alerts are only triggered for those accounts/regions. This lets you create separate monitoring groups for the environments you want to monitor independently.

For example, a Production environment monitoring group or a Singapore region monitoring group.

2. Notification configuration

You can enable or disable delivery of alerts through your notification channels (currently Slack is supported).

3. Rule configuration

Configure which alerts will be triggered for this monitoring group, for example:

  • You can turn off lower-severity rules so that you only focus on high and critical alerts. You will then no longer receive alerts from those rules for this monitoring group.
  • You can change the severity of each rule for each monitoring group based on your organization’s standards.

Configuring Monitoring Groups

Setting up monitoring groups

Step 1: Go to Settings -> Monitoring Group Configuration and click [CREATE NEW MONITORING GROUP] to open the new Monitoring Group configuration page.


Step 2: Configure your monitoring group details


  • Define the monitoring group name for easy identification (this name is displayed in alerts and filters).

      Example:

    • All-alerts
    • [Prod]-all alerts
    • [Prod]-Critical alerts

Scope Configuration

  • Add scope conditions: These filters restrict what this group monitors (and therefore which alerts it generates) to a defined scope. Currently you can include or exclude specific Account IDs and Regions.
  • Include Service Triggered Alerts: When enabled, alerts are generated for changes made by either the cloud provider (e.g. auto-scaling) or an actual user. Disable it to cut noise if you only care about changes made by actual users.

Notification Configuration

Enable notifications and add a Slack channel to be notified immediately.

If you disable notifications, you will not receive Slack notifications, but you can still see the alerts on the Monitoring - Alerts page.

Slack notification example (screenshot)

If your Slack account has not been integrated with Warden yet, go to Integrations to connect it.

Rule Configuration

  • Click the scroll button to open the list of rules that can generate alerts.

  • You can set the pre-defined severity and status of each rule for the current monitoring group.


  • Turn off any rules whose alerts you do not want to receive.

After you have done all of the above, you are fully onboarded to Warden Threat Detection. You will start receiving alerts based on your configured monitoring group.

Examples

Monitoring Group Configuration Example 1:

Get notifications of critical and high severity alerts only for the production environment

Here is an example of a monitoring group configuration for the following requirements:

  • You want all alerts to be shown on the Monitoring - Alerts page, but do not want a Slack notification for each alert.
  • You want to be notified immediately via a Slack channel only for higher-risk alerts from the production environment.

In this case, we can create two monitoring groups:

  • All Alerts
  • [Priority] - Prod & Staging Med to Crit Alerts


Monitoring Group 1 - All Alerts: Create a monitoring group with the default configuration.


Monitoring Group 2 - [Priority] - Prod & Staging Med to Crit Alerts

1) Create a monitoring group
  • Scope: Add condition, select Include(=), select ‘Account ID’ = {production account ID}
  • Enable ‘Include Service Triggered Events’
  • Notifications Configuration: Enable Notification, Send Notifications to: {your slack channel name: warden-threat-detection-alerts}
    (You can create a new Slack channel directly here if you need one for the alerts.)

2) Rule Configuration

Turn off all rules with severity ‘INFO’, ‘LOW’ or ‘MED’ so that only rules with critical and high severity remain enabled.


All done! Now let’s see how it works with real alerts. The resulting alerts appear in the following places:

  • Monitoring - Alerts
  • Slack Notifications
  • Alert Details

Example 2: 

Get separate alerts for different cloud regions

If your organization manages its environment by cloud region, or applies different monitoring thresholds in different regions, you can create multiple monitoring groups and select the corresponding region in each group’s scope configuration.

Example:

For the South East region

  • Monitoring Group Name: ap-southeast-alerts
  • Scope: Include Region ap-southeast-1
  • Notification Configuration: Send notification to slack channel: ap-southeast-alerts

For other regions

  • Monitoring Group Name: Others-alerts
  • Scope: Exclude Region ap-southeast-1
  • Notification Configuration: Send notification to slack channel: other-regions-alerts
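To make the routing semantics of Example 1 and Example 2 concrete, here is an added illustration written for this page; it is not Warden’s code or API. It is a small Python model of monitoring groups with include/exclude scope conditions on account ID and region, the service-triggered toggle, per-group rule status and severity, and Slack routing, and it shows which groups an alert lands in and which Slack channel (if any) is notified. The rule catalogue, default severities, field names and the production account ID are constructed assumptions; the group definitions mirror the two examples above.

```python
"""Toy model of monitoring-group evaluation (constructed for illustration).

Rule names, default severities, account IDs and field names are assumptions,
not Warden's real rules or data model.
"""
from dataclasses import dataclass, field

SEVERITIES = ["INFO", "LOW", "MED", "HIGH", "CRITICAL"]

# Constructed rule catalogue: rule name -> default severity.
RULE_CATALOG = {
    "s3-bucket-made-public": "CRITICAL",
    "iam-policy-attached-to-user": "HIGH",
    "security-group-ingress-changed": "MED",
    "cloudtrail-trail-updated": "LOW",
    "ec2-instance-launched": "INFO",
}

PROD_ACCOUNT = "111111111111"  # placeholder production account ID


@dataclass
class Alert:
    rule: str
    account_id: str
    region: str
    service_triggered: bool = False  # True when the cloud provider (e.g. auto-scaling) made the change


@dataclass
class MonitoringGroup:
    name: str
    include: dict = field(default_factory=dict)   # field name -> values the alert must match
    exclude: dict = field(default_factory=dict)   # field name -> values the alert must not match
    include_service_triggered: bool = True
    disabled_rules: set = field(default_factory=set)
    severity_overrides: dict = field(default_factory=dict)  # rule -> severity for this group only
    notify: bool = False
    slack_channel: str = ""

    def severity_of(self, rule: str) -> str:
        """Per-group severity: the override if set, else the catalogue default."""
        return self.severity_overrides.get(rule, RULE_CATALOG[rule])

    def disable_rules_below(self, minimum: str) -> None:
        """Turn off every rule whose severity in this group is below `minimum`."""
        floor = SEVERITIES.index(minimum)
        for rule in RULE_CATALOG:
            if SEVERITIES.index(self.severity_of(rule)) < floor:
                self.disabled_rules.add(rule)

    def in_scope(self, alert: Alert) -> bool:
        """Apply the service-triggered toggle, then the include and exclude conditions."""
        if alert.service_triggered and not self.include_service_triggered:
            return False
        for fld, allowed in self.include.items():
            if getattr(alert, fld) not in allowed:
                return False
        for fld, denied in self.exclude.items():
            if getattr(alert, fld) in denied:
                return False
        return True

    def evaluate(self, alert: Alert):
        """Return None if this group raises no alert, else (severity, slack channel or None)."""
        if not self.in_scope(alert) or alert.rule in self.disabled_rules:
            return None
        channel = self.slack_channel if self.notify else None
        return (self.severity_of(alert.rule), channel)


def route(alert: Alert, groups) -> dict:
    """Map group name -> (severity, channel) for every group that raises the alert."""
    results = {}
    for group in groups:
        outcome = group.evaluate(alert)
        if outcome is not None:
            results[group.name] = outcome
    return results


def example1_groups():
    """Example 1: everything on the alerts page, Slack only for prod HIGH/CRITICAL."""
    all_alerts = MonitoringGroup(name="All Alerts")  # default configuration, no Slack
    priority = MonitoringGroup(
        name="[Priority] - Prod & Staging Med to Crit Alerts",
        include={"account_id": {PROD_ACCOUNT}},
        include_service_triggered=True,
        notify=True,
        slack_channel="warden-threat-detection-alerts",
    )
    priority.disable_rules_below("HIGH")  # turns off INFO, LOW and MED rules
    return [all_alerts, priority]


def example2_groups():
    """Example 2: one group per region, each with its own Slack channel."""
    southeast = MonitoringGroup(name="ap-southeast-alerts",
                                include={"region": {"ap-southeast-1"}},
                                notify=True, slack_channel="ap-southeast-alerts")
    others = MonitoringGroup(name="Others-alerts",
                             exclude={"region": {"ap-southeast-1"}},
                             notify=True, slack_channel="other-regions-alerts")
    return [southeast, others]


if __name__ == "__main__":
    prod_critical = Alert("s3-bucket-made-public", PROD_ACCOUNT, "ap-southeast-1")
    print(route(prod_critical, example1_groups()))
    print(route(prod_critical, example2_groups()))
```

Note how a MED alert from the production account still reaches the "All Alerts" group (and therefore the Monitoring - Alerts page) but raises no Slack notification, because the priority group has that rule disabled, while the Example 2 groups are mutually exclusive by construction: an alert matches exactly one of them depending on its region.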