AlertOps and Contrast Security

AlertOps’ alert management system can be integrated with Contrast Security to receive and respond to all (predefined status mappings) alerts through email, SMS, push notification or phone alerts. AlertOps would ensure that the alert/job status would reach the appropriate team by using proper workflows, escalation policies and schedules. Based on your ruleset, incidents can be automatically opened and closed, depending on what kind of alert Contrast Security reports.

The above scenario and scope for integration is due to the fact that AlertOps has a very flexible and simple API/Webhook configuration feature that can be leveraged with Contrast Security's alert and notification capabilities.

AlertOps - Inbound Integration

We can define rulesets in AlertOps so that Contrast Security can send out alerts to the AlertOps platform. AlertOps would ensure based on these notifications received, that it would always reach out and assign to the correct person/team by utilizing its escalation policies, schedules, and workflow features.

AlertOps provides Inbound Integrations to integrate with numerous monitoring, chat and ITSM tools. You can configure an inbound integration for Contrast Security.

At a high level this is how the flow looks like, you define an API integration in the AlertOps platform by defining settings like Integration Name, Escalation rules, recipient users/groups. Once an integration is defined, a unique API URL is generated. This acts as webhook or the gateway through which notifications from Contrast Security reach AlertOps and thus an incident/alert is created correspondingly. The API can be defined with various settings like URL mappings, filters, escalations etc. as required. Contrast Security has to be defined with a webhook integration.

Configure Inbound Integration in AlertOps 

1. Under 'Configuration' select 'Integrations'. From the Inbound Integration section, select 'API' from the dropdown and then click the 'Add API' button.
2. Select Contrast Security from the list of available integration options.
3. Once you selected the integration, you can then specify basic settings like the integration name, escalation policy, names of the recipients/groups for which the alerts must be assigned to.
4. Once you click save, the API Integration will be created, and you will be given a unique URL which acts as the access point and needs to be configured at the source (in this case Contrast Security), to send alerts. You can find the integration you just created, and you can give advanced settings and define various configurations for the alerts to be received and processed. For example, you can define when to open and close alerts based on the payload obtained from the API call, filters etc.
5. Make a note of the API URL, which will be used in Contrast Security, so it calls a HTTP POST request to this URL with the body in JSON format containing the alert specific information. AlertOps automatically creates an alert when the status variable (Status) contains 'Suspicious/Confirmed/Reported'. The incident will also be closed automatically when the status 'Fixed/Remediated' is received from Contrast Security.
6. You can similarly define URL mappings as you want, owing to the flexibility provided by AlertOps’ OpenAPI/Plug-and-Play integrations. You can provide other filters and match with regex expressions as well. You can also test the generated URL with the sample data provided.

Configure Integration in Contrast Security 

1. In your Contrast Security portal, under User Settings, select Organization Settings > Integrations
2. Select 'Connect' for Generic Webhook
3. Give the webhook a name, under URL, paste the AlertOps Inbound Integration API URL.
4. You can select the application you want to filter.
5. In the Payload field paste the following,

{
"EventType":"$EventType",
"Message":"$Message",
"OrganizationName":"$OrganizationName",
"OrganizationId":"$OrganizationId",
"ApplicationContextPath":"$ApplicationContextPath",
"ApplicationImportance":"$ApplicationImportance",
"ApplicationId":"$ApplicationId",
"ApplicationName":"$ApplicationName",
"ApplicationImportanceDescription":"$ApplicationImportanceDescription",
"ServerId":"$ServerId",
"ServerName":"$ServerName",
"Severity":"$Severity",
"Status":"$Status",
"TraceId":"$TraceId",
"VulnerabilityRule":"$VulnerabilityRule",
"VulnerabilityRuleName":"$VulnerabilityRuleName",
"VulnerabilityRuleTitle":"$VulnerabilityRuleTitle",
"VulnerabilitySubStatus":"$VulnerabilitySubStatus",
"VulnerabilityTitle":"$VulnerabilityTitle",
"VulnerabilityUuid":"$VulnerabilityUuid",
"VulnerabilityImpact":"$VulnerabilityImpact",
"VulnerabilityLastSeen":"$VulnerabilityLastTimeSeen"
}

 6. You can Test the URL to see if the webhook went through. Save.

Thats it! You have configured a webhook integration. Any alert will be sent to AlertOps for incident management.

Message logs, alert specific information can be viewed in the “Inbound Log” section in AlertOps Dashboard. Alerts can be viewed in the ‘Alerts’ tab as well.

Alert Triggering Information

AlertOps will automatically create an incident when a new alert is received from Contrast Security when the Status contains "Suspicious/Confirmed/Reported"

If an alert with status "Suspicious/Confirmed/Reported" matches an existing Open Alert, AlertOps will recognize the new alert as a duplicate and ignore the alert.

The alert will be recorded in the Inbound Messages table as “Mapped Appended.”

AlertOps will automatically close the same incident when an alert with Status contains "Fixed/Remediated".

References

AlertOps Integration Guides

General Restful API Guide

Contrast Security Docs