Writing a good cloud security notification
If you, like me, have worked on a security team with monitoring configured, you will have had a notification pop up on Slack, via email or even as the dreaded 3:00am PagerDuty page, and looked at the message for several minutes before understanding what the problem actually is and what you should do about it!
These notifications are a reminder that we, as security professionals, should be writing good, concise but informative security notifications.
For all of the following examples (the good as well as the bad) we are going to use the same use case: not necessarily the worst alarm you could receive (I'm looking at you, "AWS root login detected"), but still one that's important and just as much an indicator of compromise: "VPC Flow Logs deleted for a production VPC".
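To make the use case concrete, here is an added example (not code from the original post) showing how a notification pipeline could turn the raw CloudTrail DeleteFlowLogs record into a message that already carries the details a responder needs: who, which VPC, which account and region, and why it matters. The CloudTrail record, the flow-log-to-VPC inventory and all account, ARN and IP values are constructed for the example, and the exact nesting of the request parameters is an assumption based on how EC2 calls appear in CloudTrail.

```python
import json

# Constructed CloudTrail record for a DeleteFlowLogs call (sample values, not a real account).
# The "tag"/"content" nesting is an assumption about how EC2 list parameters are logged.
SAMPLE_EVENT = json.loads("""{
  "eventTime": "2023-05-17T02:05:11Z",
  "eventSource": "ec2.amazonaws.com",
  "eventName": "DeleteFlowLogs",
  "awsRegion": "eu-west-1",
  "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "AssumedRole",
                   "arn": "arn:aws:sts::111122223333:assumed-role/Admin/alice"},
  "recipientAccountId": "111122223333",
  "requestParameters": {"DeleteFlowLogsRequest":
                        {"FlowLogId": {"tag": 1, "content": "fl-0abc12345def67890"}}}
}""")

# Constructed inventory: flow log id -> (vpc id, environment).
# A real pipeline would resolve this from an asset inventory or resource tags.
FLOW_LOG_INVENTORY = {"fl-0abc12345def67890": ("vpc-0fedcba9876543210", "production")}


def flow_log_ids(event):
    """Return the flow log ids named in a DeleteFlowLogs record (handles one or many)."""
    ids = event.get("requestParameters", {}).get("DeleteFlowLogsRequest", {}).get("FlowLogId", [])
    if isinstance(ids, dict):  # a single id is logged as one object rather than a list
        ids = [ids]
    return [entry["content"] for entry in ids]


def build_notification(event, inventory=FLOW_LOG_INVENTORY):
    """Turn the raw record into a subject and body a responder can act on at 3am."""
    if event.get("eventName") != "DeleteFlowLogs":
        return None
    account, region = event["recipientAccountId"], event["awsRegion"]
    actor = event["userIdentity"].get("arn", "unknown principal")
    affected = [(fl, *inventory.get(fl, ("unknown-vpc", "unknown"))) for fl in flow_log_ids(event)]
    envs = sorted({env for _, _, env in affected})
    severity = "HIGH" if "production" in envs else "MEDIUM"  # production loss is the page's use case
    vpcs = ", ".join(vpc for _, vpc, _ in affected)
    subject = f"[{severity}] VPC Flow Logs deleted for {vpcs} ({'/'.join(envs)}) in {account}/{region}"
    body = "\n".join([
        f"What: DeleteFlowLogs at {event['eventTime']} removed {', '.join(fl for fl, _, _ in affected)}",
        f"Who: {actor} from {event['sourceIPAddress']}",
        "Why it matters: network telemetry for the VPC is gone until flow logs are re-created",
        "Next step: confirm with the actor or a change ticket; if unexpected, re-enable flow logs",
    ])
    return {"severity": severity, "subject": subject, "body": body}
```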
Bad examples of Security notifications
So, let's start by painting a scene. It's 3:05am on a Wednesday morning and you are woken up by a PagerDuty notification for the VPC flow logs deleted event.
Let's look at some bad examples of ways you could find out this information. For the bad examples we'll focus only on the subject line of the alert, as this is the main eye-grabber.
[alert] VPC Flowlogs deleted