Customize Your Monitoring Configuration

After you are done with the onboarding procedure here, a default monitoring group is automatically set up for monitoring all Critical to Low severity changes in your infrastructure. 

Overview of Monitoring Groups

Monitoring group configuration will allow you to finely configure monitoring in Warden so that you can reduce noise and only receive alerts for the types of changes and threats that matter to your specific use cases and business. You can create multiple monitoring groups to monitor different types of alerts.

image7-1

image2-1

What you can configure:

1. Notification configuration 

You will be able to enable/disable receiving of the alerts through your notification channels (currently supporting Slack).

2. Scope of the monitoring group

Include/Exclude - Provider, Account, Region, User

You can limit the scope being monitored to a specific account, cloud provider or region so that alerts are only triggered on those conditions. This allows you to create different monitoring groups for different environments you want to monitor separately.

You can also exclude specific trusted users from the monitoring group, in which case all the activities from those users will be suppressed by default.

For example, Monitoring only for a production environment,  Monitoring activities outside of the Singapore region, Monitoring exclude CI/CD users.

3. Rule configuration

Configure which alerts will be triggered for this monitoring group, for example:

  • You can turn off the rules that have lower severity so that you can only focus on high and critical alerts. You will then no longer get alerts from these rules for this monitoring group. 
  • You can change the severity of each rule for each monitoring group based on your organization’s standards.

4. Multiple monitoring groups based on different teams’ needs

For example, Engineering leads want to be notified when there are high-risk infrastructure changes, while security teams want to focus on anomaly behaviours or cyber-attacks. Please refer to the examples below.

Configuring Monitoring Groups

Add a new monitoring group

Step 1: In the Monitoring Alerts page,  click [Monitoring Configuration] on the right up corner to go to the monitoring configuration page. 

image5-1

Step2: Click [CREATE NEW MONITORING GROUP] to open the new Monitoring Group configuration page.

image3-1Step 3: Configure your monitoring group details

image12-1

    • Define the monitoring group name for easy identification. (this will be displayed in alerts and filters).

          Example:

      • All-alerts
      • [Production]- Critical & High Severity Alerts
      • [Production]-High-risk infra changes
      • [Non-Singapore] All Activities

    Scope Configuration 

    • Add scope conditions: These are filters on what is being monitored in this group and allow users to restrict monitoring (and the alerts that will be generated) to a defined scope: currently supports including or excluding certain Account ID, Region, User and Provider.

      image18
    • Include Service Triggered Alerts: Enabling this setting will include all alerts triggered by either the cloud provider (ie auto-scaling) in addition to those triggered directly by actual users. You can cut noise by disabling it if you only care about user-triggered alerts.

    Notification Configuration 

    image13Enable the notification and add a new slack channel to get notified immediately. 

    If you disable the notification, you will not receive slack notifications, but you can still see the alerts on the Monitoring - Alerts page.

    Slack notification example:

    image5

    If your slack account has not been integrated to Warden yet, please go to integrations to connect your slack account. Read more.

    Rule Configuration

    • Click the to open the list of rules that can generate alerts

    image10

    • You can set the pre-defined severity and status of each rule for the current monitoring group.

    image11

    • Turn off the alerts for rules that are not relevant to your business. 

    image4

    After you have done all of the above, you will start receiving alerts based on your configured monitoring group.

    Examples

    Monitoring Group Configuration Example 1:

    Get notification of critical and high severity alerts only for the production environment

    Here is an example for monitoring group configuration.

    • You want all alerts to be shown on the monitoring alerts page,  but don’t want to get the slack notification for each alert.
    • You want to get notified immediately via slack channel only for the higher risk alerts from the production environment.

    In this case, we can create two monitoring groups.

      • All Alerts
      • [Priority] - Prod & Staging Med to Crit Alerts

    image10

     

    Monitoring Group 1 - All Alerts: Create a monitoring group with the default configuration.

    image12

     

    Monitoring Group 2 - [Priority] - Prod & Staging Med to Crit Alerts

    1) Create a monitoring group
    • Scope: Add condition, select Include(=), select ‘Account ID’ = {production account ID}
    • Enable ‘Include Service Triggered Events’
    • Notifications Configuration: Enable Notification, Send Notifications to: {your slack channel name: warden-threat-detection-alerts}
      (Create a new slack channel here directly if you need a new channel for the alerts.)

    image8

    2) Rule Configuration

    Turn off all the rules with severity ‘INFO’, ‘LOW’, ‘MED’, and only keep the rules with critical and high severity remain enabled.

    image4

     

    All done! Now let’s see how it works in real alerts.

    • Monitoring - Alerts

    image1

    image2

    • Slack Notifications

    image5

    • Alert Details

    image3

    Example 2: 

    Get separate alerts for different cloud regions

    If your organization is managing the environment by different cloud regions or has different monitoring thresholds in different cloud regions, you could create multiple monitoring groups. For each group, select the corresponding region in scope configuration.

    Example:

    For South East Regions

    • Monitoring Group Name: ap-southeast-alerts
    • Scope: Include Region ap-southeast-1
    • Notification Configuration: Send notification to slack channel: ap-southeast-alerts

    For other regions

    • Monitoring Group Name: Others-alerts
    • Scope: Exclude Region ap-southeast-1
    • Notification Configuration: Send notification to slack channel: other-regions-alerts