
Sending alerts to external systems

When monitors fire or resolve, alerts can be sent to subscribed users within Foundry as well as to services external to Foundry. Monitoring views currently support sending alerts to PagerDuty, Slack, and webhooks.

:::callout{theme="neutral"} All integrations are configured against a given severity level. Only alerts matching that severity will trigger integration. For example, a PagerDuty integration configured for the MEDIUM severity level will not be triggered when monitors fire at LOW or HIGH severities. :::

PagerDuty

This integration uses the PagerDuty V2 Events API ↗ and usually does not require a service user, emails, or custom allowlisting or egress configuration. A single integration maps all alerts of a given severity within a monitoring view to an Events V2 API integration defined within a PagerDuty service. Note that multiple integrations defined within a monitoring view can map to the same PagerDuty integration key.

Create an Events V2 API integration for your PagerDuty service

Configure a PagerDuty service with your desired escalation policy, urgency settings, and support hours. On the Integrations tab for the service, add a new integration. Select Events API V2 as the integration type and add the integration; Events API V2 can usually be found in the Most popular integrations section. Once the integration is added, selecting the gear symbol will show its details, including the Integration Key needed to create a new PagerDuty integration for your monitoring view.

Create a new PagerDuty integration for your monitoring view

Navigate to the Manage subscriptions tab for your monitoring view. From the PagerDuty Notifications section, select the plus sign (+) to create a new PagerDuty integration. You will need to specify a name for the integration, the integration key from when you created the Events V2 API integration, and the severity level. Repeat as needed for each desired severity level.
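Before relying on the integration, it is worth confirming that the PagerDuty service routes and escalates an event sent to that Integration Key the way you expect. The following added example (not Foundry's code; Foundry performs its own delivery) builds a trigger/resolve pair against the Events V2 API that the integration uses, with a stable dedup key so the resolve closes the incident the trigger opened. The mapping of LOW/MEDIUM/HIGH to PagerDuty severities, the monitoring view and monitor names, and the placeholder routing key are assumptions made for illustration.

```python
"""Send a test trigger/resolve pair to a PagerDuty Events V2 integration key.

Added example, not Foundry code. It shows the Events V2 contract the
Integration Key points at, so the PagerDuty service can be exercised before
Foundry is wired to it. SEVERITY_MAP is an assumption for this example; the
page does not document how Foundry maps its severities. send_event() makes a
network call and is not executed when this module is imported.
"""
import hashlib
import json
import urllib.request

EVENTS_V2_URL = "https://events.pagerduty.com/v2/enqueue"

# Assumed mapping of monitoring view severities to the Events V2 severity enum.
SEVERITY_MAP = {"LOW": "info", "MEDIUM": "warning", "HIGH": "critical"}


def dedup_key(monitoring_view: str, monitor: str) -> str:
    """Stable key so a later resolve closes the incident opened by the trigger."""
    return hashlib.sha256(f"{monitoring_view}/{monitor}".encode()).hexdigest()[:32]


def build_event(routing_key, action, monitoring_view, monitor, severity, summary):
    """Construct an Events V2 event dict with its required fields.

    action: "trigger" when a monitor fires, "resolve" when it recovers.
    A resolve needs only routing_key, event_action and dedup_key.
    """
    if action not in {"trigger", "acknowledge", "resolve"}:
        raise ValueError(f"unsupported event_action {action!r}")
    try:
        pd_severity = SEVERITY_MAP[severity]
    except KeyError:
        raise ValueError(f"unknown monitoring view severity {severity!r}") from None

    event = {
        "routing_key": routing_key,
        "event_action": action,
        "dedup_key": dedup_key(monitoring_view, monitor),
    }
    if action == "trigger":
        event["payload"] = {
            "summary": summary[:1024],           # Events V2 caps summary at 1024 chars
            "source": monitoring_view,
            "severity": pd_severity,
            "component": monitor,
            "custom_details": {"foundry_severity": severity},
        }
    return event


def send_event(event: dict) -> dict:
    """POST the event to PagerDuty and return the JSON response (network call)."""
    req = urllib.request.Request(
        EVENTS_V2_URL,
        data=json.dumps(event).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    key = "REPLACE_WITH_INTEGRATION_KEY"        # placeholder, not a real key
    fire = build_event(key, "trigger", "prod-sales-monitoring", "row-count-drop",
                       "HIGH", "row-count-drop fired on Customer Revenue Data")
    clear = build_event(key, "resolve", "prod-sales-monitoring", "row-count-drop",
                        "HIGH", "")
    print(json.dumps(fire, indent=2))
    print(json.dumps(clear, indent=2))
    # Uncomment with a real key to exercise the service:
    # print(send_event(fire)); print(send_event(clear))
```

Send the trigger first and check that the incident lands on the intended escalation policy with the intended urgency; then send the resolve and confirm the same incident closes. If the resolve opens a second incident instead, the dedup key is not stable between the two calls.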

Enable PagerDuty for health checks

By default, a monitoring view produces PagerDuty notifications both for monitoring rule alerts and for legacy health checks that belong to the check group upgraded to or linked with the monitoring view. However, monitoring views created before the v1.860.0 release (February 2024) do not produce PagerDuty alerts for health checks by default; the feature must be enabled manually.

To enable this feature, select the Enable PagerDuty for health checks checkbox. The following severity mappings will be used:

  • Info/low severity health checks will use the LOW severity integrations.
  • Moderate/medium severity health checks will use the MEDIUM severity integrations.
  • Critical/high severity health checks will use the HIGH severity integrations.

Slack

This integration can trigger Slack messages in a set of configured channels.

Create a Slack source

This integration requires a Slack source to be created in Data Connection. The source requires a bearer token to be configured. For least privilege, the token should carry the following scopes and no others:

  • channels:join: Foundry will have the app join the requested channels automatically.
  • channels:read: This is used to list the available channels.
  • chat:write: This is used to send messages to the configured channels.
  • (optional) groups:read: Only needed when alerts are sent to private channels.

One way to generate such a token in Slack:

  1. Create a new Slack App in your workspace.
  2. Go to OAuth & Permissions.
  3. Add the above scopes as Bot Token Scopes.
  4. Install the Slack App in your workspace.
  5. Copy the Bot User OAuth Token.

See Slack API documentation ↗ for more details.
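Because the bot token is the credential the Slack source holds on your behalf, it is worth verifying after installation that it carries exactly the scopes listed above and nothing more. The following added example (not Foundry's or Slack's code) parses the `x-oauth-scopes` header that Slack returns on Web API responses and reports missing and excess scopes. The header value is a constructed sample; `fetch_granted_scopes` shows how to obtain a real one but is not called, so the module runs offline.

```python
"""Least-privilege check for the Slack bot token behind a Slack source.

Added example, not Foundry or Slack code. Slack reports the scopes actually
granted to a token in the `x-oauth-scopes` response header of any Web API
call; auth.test is a convenient call because it needs no scopes of its own.
SAMPLE_SCOPES_HEADER is a constructed value, not captured from a real app.
"""
import json
import urllib.request

# Scopes this page says the Slack source needs.
REQUIRED_SCOPES = frozenset({"channels:join", "channels:read", "chat:write"})
# Needed only when alerts go to private channels.
PRIVATE_CHANNEL_SCOPES = frozenset({"groups:read"})

# Constructed sample: an install that was granted two scopes it never uses.
SAMPLE_SCOPES_HEADER = (
    "channels:join,channels:read,chat:write,groups:read,files:write,users:read"
)


def parse_scopes_header(value: str) -> frozenset:
    """Parse the comma-separated `x-oauth-scopes` header into a set of scopes."""
    return frozenset(s.strip() for s in value.split(",") if s.strip())


def audit_scopes(granted: frozenset, private_channels: bool = False) -> dict:
    """Compare granted scopes with what the integration needs.

    missing         - needed but not granted: the integration will fail.
    excess          - granted but unused by this integration: remove them from
                      the app's Bot Token Scopes and reinstall, so a leaked
                      token cannot read users or upload files.
    unused_optional - groups:read granted although no private channels are used.
    """
    needed = REQUIRED_SCOPES | (PRIVATE_CHANNEL_SCOPES if private_channels else frozenset())
    allowed = REQUIRED_SCOPES | PRIVATE_CHANNEL_SCOPES
    missing = sorted(needed - granted)
    excess = sorted(granted - allowed)
    unused_optional = sorted((granted & PRIVATE_CHANNEL_SCOPES) - needed)
    return {
        "ok": not missing and not excess,
        "missing": missing,
        "excess": excess,
        "unused_optional": unused_optional,
    }


def fetch_granted_scopes(bot_token: str) -> frozenset:
    """Ask Slack which scopes a token really has (network call; not run here)."""
    req = urllib.request.Request(
        "https://slack.com/api/auth.test",
        method="POST",
        headers={"Authorization": f"Bearer {bot_token}"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        body = json.load(resp)
        if not body.get("ok"):
            raise RuntimeError(f"auth.test failed: {body.get('error')}")
        return parse_scopes_header(resp.headers.get("x-oauth-scopes", ""))


if __name__ == "__main__":
    granted = parse_scopes_header(SAMPLE_SCOPES_HEADER)
    print(json.dumps(audit_scopes(granted, private_channels=True), indent=2))
```

Run the audit after every reinstall of the app: Slack only grants scopes at install time, so a scope added to the app manifest is not active, and a scope removed from the manifest is still held by the old token, until the app is reinstalled and the token replaced in the Slack source.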

Create a Slack integration for your monitoring view

Navigate to the Manage subscriptions tab for your monitoring view; in the Slack section, use the plus sign (+) to create a new Slack integration. Select a configured Slack source. The Slack Channels field will then populate a list of available channels to which you can send alerts.

:::callout{theme="neutral"} To configure the integration with private channels, invite the Slack App to the private channel and ensure the groups:read scope has been granted. :::

Configure the severity level, and repeat as necessary for each additional desired severity level.

Configure exportable markings for resource name visibility

Slack notifications from monitoring views can display human-readable resource names (for example, "Production Sales Dataset") instead of resource identifiers (RIDs such as ri.foundry.main.dataset.xyz789). This makes alerts easier to understand and helps you quickly assess urgency. Resource names are only shown when security controls permit; specifically, when every marking and organization on the resource is included in the Slack source's exportable markings configuration. Otherwise only the RID is sent to Slack.

:::callout{theme="warning" title="Updated notification format"} Slack notification formats have changed to include resource names when security controls allow. If you have bots or automated parsers processing monitoring view notifications from Slack, you may need to update them to handle the new message format. :::

How resource name visibility works

When a monitor fires and sends an alert to Slack, Foundry checks whether the resource's name can be safely shared:

  • Resource name shown: All markings and organizations on the resource are included in the Slack source's exportable markings list.
  • RID shown instead: One or more markings or organizations on the resource are not in the exportable markings list.

For example, if a dataset named "Customer Revenue Data" has the Confidential marking in the Sales organization:

  • If both Confidential and Sales are configured as exportable, Slack shows "Customer Revenue Data".
  • If either is missing from exportable markings, Slack shows ri.foundry.main.dataset.abc123.

Configure exportable markings for your Slack source

To enable resource names in Slack notifications, a user with the Information Security Officer role must configure exportable markings:

  1. Navigate to the Data Connection application.
  2. Select the Slack source used for monitoring view notifications.
  3. Select Connection settings and navigate to the Export configuration tab.
  4. Toggle on Enable exports to this source.
  5. Add the markings and organizations that may appear in Slack messages. Both security markings and organization markings must be added, and you must have unmarking permission on each marking or organization you add.
  6. Select Save to apply the configuration.

Which markings to add

Consider adding exportable markings for:

  • Markings on datasets and streams monitored by your monitoring views
  • Organization markings associated with the projects you are monitoring
  • Any markings that appear on resources you want to see friendly names for in Slack

You can start with less restrictive markings and add more restrictive ones as needed. Remember that if any marking on a resource is not in the exportable list, the RID will be shown instead of the name.
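The visibility rule above and the marking-selection guidance in this section can be checked before touching the source configuration. The following added example (not Foundry's code) models the decision for a set of monitored resources and lists which markings and organizations would have to be made exportable for each to show its name. The resources and marking names are constructed samples; the RIDs other than the page's own `ri.foundry.main.dataset.abc123` are placeholders.

```python
"""Model the resource-name visibility rule for Slack alerts.

Added example, not Foundry code. It implements the rule this page describes:
an alert may show a resource's name only when every marking and organization
on the resource is in the Slack source's exportable-markings list; otherwise
the RID is shown. plan_exportable_markings() turns the "which markings to add"
guidance into a concrete gap list. Resources, marking names and the RIDs
ending in def456/ghi789 are constructed samples.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Resource:
    rid: str
    name: str
    markings: frozenset        # security markings, e.g. "Confidential"
    organizations: frozenset   # organization markings, e.g. "Sales"

    @property
    def controls(self) -> frozenset:
        # Both kinds of marking gate export; the rule treats them alike.
        return self.markings | self.organizations


def alert_label(resource: Resource, exportable: frozenset) -> str:
    """Return what the Slack alert may show for this resource.

    Fails closed: one non-exportable marking or organization is enough to
    fall back to the RID, no matter how many others are exportable.
    """
    return resource.name if resource.controls <= exportable else resource.rid


def plan_exportable_markings(resources, exportable: frozenset) -> dict:
    """Report which resources would still show RIDs and what to add to fix it."""
    still_rid = {
        r.rid: sorted(r.controls - exportable)
        for r in resources
        if not r.controls <= exportable
    }
    to_add = sorted(set().union(*still_rid.values())) if still_rid else []
    return {"still_rid": still_rid, "markings_to_add": to_add}


# Constructed sample resources: the page's own example plus two edge cases.
REVENUE = Resource("ri.foundry.main.dataset.abc123", "Customer Revenue Data",
                   frozenset({"Confidential"}), frozenset({"Sales"}))
PUBLIC = Resource("ri.foundry.main.dataset.def456", "Reference Calendar",
                  frozenset(), frozenset())                    # no markings at all
RESTRICTED = Resource("ri.foundry.main.dataset.ghi789", "Payroll Export",
                      frozenset({"Confidential", "HR Only"}), frozenset({"Sales"}))


if __name__ == "__main__":
    exportable = frozenset({"Confidential"})    # Sales organization not yet exportable
    for r in (REVENUE, PUBLIC, RESTRICTED):
        print(alert_label(r, exportable))
    print(plan_exportable_markings([REVENUE, PUBLIC, RESTRICTED], exportable))
```

The `markings_to_add` list is the minimal set that would make every listed resource show its name; review it against the page's advice before adding anything, since each entry you add is a statement that the names of resources carrying that marking may leave Foundry for Slack.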

:::callout{theme="neutral"} The Information Security Officer is a default role in Foundry. Users can be granted this role in Control Panel under Enrollment permissions. For more details on how exportable markings work with Data Connection, review the exports documentation. :::

Webhooks

This integration can trigger webhooks configured in Data Connection. Refer to the webhooks documentation for how to set up a webhook. To use a webhook integration, the webhook must have a string input parameter, known as the Message parameter, which is filled in with the contents of the notification. The contents are not currently customizable.

Create a new Webhook integration for your monitoring view

Navigate to the Manage subscriptions tab for your monitoring view; in the Webhooks section, use the plus sign (+) to create a new webhook integration. You will need to first select a webhook before selecting the Message parameter on that webhook and the severity level. Repeat as needed for each desired severity level.

