AlertOps and SecurityScorecard

SecurityScorecard is an information security company that rates cybersecurity postures of corporate entities through completing scored analysis of cyber threat intelligence signals for the purposes of third party management and IT risk management.

AlertOps’ alert management system can be integrated with SecurityScorecard to receive and respond to all (predefined status mappings) alerts through email, SMS, push notification or phone alerts. AlertOps would ensure that the alert/job status would reach the appropriate team by using proper workflows, escalation policies and schedules. Based on your ruleset, incidents can be automatically opened and closed, depending on what finding SecurityScorecard reports.

The above scenario and scope for integration is due to the fact that AlertOps has a very flexible and simple API/Webhook configuration feature that can be leveraged with SecurityScorecard's analysis and alerting capabilities.

AlertOps - Inbound Integration

We can define rulesets in AlertOps so that SecurityScorecard can send out asset scan alerts to the AlertOps platform. AlertOps would ensure based on these notifications received, that it would always reach out and assign to the correct person/team by utilizing its escalation policies, schedules, and workflow features.

AlertOps provides Inbound Integrations to integrate with numerous monitoring, chat and ITSM tools. You can configure an inbound integration for SecurityScorecard.

At a high level this is how the flow looks like, you define an API integration in the AlertOps platform by defining settings like Integration Name, Escalation rules, recipient users/groups. Once an integration is defined, a unique API URL is generated. This acts as webhook or the gateway through which notifications from SecurityScorecard reach AlertOps and thus an incident/alert is created correspondingly. The API can be defined with various settings like URL mappings, filters, escalations etc. as required. SecurityScorecard has to configured with event webhook notifications.

Configure Inbound Integration in AlertOps

1. Navigate to Configuration àIntegrations àAdd API Integration à API Integration Detail page.
2. Select SecurityScorecard
3. Once you selected the integration, you can then specify basic settings like the integration name, escalation policy, names of the recipients/groups for which the alerts must be assigned to.
4. Once you click save, the API Integration will be created, and you will be given a unique URL which acts as the access point and needs to be configured at the source (in this case SecurityScorecard), to send alerts. You can find the integration you just created, and you can give advanced settings and define various configurations for the alerts to be received and processed. For example, you can define when to open and close alerts based on the payload obtained from the API call, filters etc.
5. Make a note of the API URL, which will be used in SecurityScorecard, so it calls a HTTP POST request to this URL with the body in JSON format containing the alert specific information. AlertOps automatically creates an alert when the status variable (context^trigger^type) contains 'grade_drop'. The incident will also be closed automatically when the status 'grade_rise' is received from SecurityScorecard. SecurityScorecard reports a number of events, and AlertOps can be customized to map to any event. For more information on different payloads in SecurityScorecard, refer to the link in the Reference section.
6. In Advanced Settings you can define URL mappings as you want in the Rules for Opening and Closing Alerts. You can provide other filters and match with regex expressions as well. You can also test the generated URL with the sample data provided.

Configure Integration in SecurityScorecard 

1. You will have define a rule to alert to a specific event in SecurityScorecard.
2. In the top left corner of your SecurityScorecard dashboard, select the Notifications 'bell' icon, select 'Settings'
3. Select 'Rules' in the left navigation pane.
4. Go to the Rule Builder, give the rule a name, select the event for which you would want the rule to execute (in this case it would be 'Grade Drops' for any scorecard). Add another event for 'Grade Rises'. 
5. Select action as 'Send web request to' and then paste the AlertOps Inbound Integration API URL on the text area to the right. Save.

Thats it! You have configured a webhook event notification for your scorecard. Any event alert will be sent to AlertOps for incident management.

Message logs, alert specific information can be viewed in the “Inbound Log” section in AlertOps Dashboard. Alerts can be viewed in the ‘Alerts’ tab as well.

Alert Triggering Information

AlertOps will automatically create an incident when a new alert is received from SecurityScorecard when the context^trigger^type contains "grade_drop".

If an alert with status "grade_drop" matches an existing Open Alert, AlertOps will recognize the new alert as a duplicate and ignore the alert.

The alert will be recorded in the Inbound Messages table as “Mapped Appended.”

AlertOps will automatically close the same incident when an alert with context^trigger^type contains "grade_rise".

References

AlertOps Integration Guides

General Restful API Guide

SecurityScorecard Webhook Event Payload Examples