11 Notifications

Oracle® Communications Security Shield Cloud Service (Security Shield) Notifications displays notifications when certain conditions occur that need your attention. On the Notifications page, privileged users can view the state of risky call types and manage notifications settings.

Notifications Controls and Actions

The Notifications page displays tabs where you can view the notifications watch list, manage call enforcement notifications, and manage your subscriptions.

The following screen capture shows the Notifications page and its tabs. From left to right, the tabs are Watchlist, Settings, and Subscriptions.

Security Shield can send direct communication by email, Slack, and PagerDuty when notifications occur. The banner displays a counter on the bell icon when notifications occur, as shown in the following screen capture.

Note:

The notifications counter (on the bell icon on the banner) shows the number of notifications currently triggered, not the number of notifications since the last time you viewed the notifications list.

The Notifications Watchlist Tab

The Notifications Watchlist tab displays the list of notification types that Oracle® Communications Security Shield Cloud Service (Security Shield) provides along with their state and trigger times.

The following screen capture shows an example of the Notifications Watchlist tab.

The Notifications Watchlist reports three possible states for the notifications.
  • Triggered – Calls exceeded the upper threshold you set for triggering the notification. When calls fall below the lower threshold you set, the state changes to Not Triggered.
  • Not Triggered – Calls did not exceed the upper threshold you set for triggering the notification. When calls exceed the upper threshold you set, the state changes to Triggered.
  • Disabled – The notification is disabled.

Security Shield updates the Notifications Watchlist every five minutes. Notifications age out when the source falls below the lower threshold you set. Because you might not see notifications occurring over a weekend, for example, the default age-out is twenty-four hours. When a notification ages out, Security Shield no longer counts it as an active notification, but the notifications list still includes it.

When the notifications counter displays digits on the bell icon, click the bell and Security Shield displays the Notifications list, as shown in the following example.

This screen capture shows an example of the notifications list that Security Shield displays when you click the bell icon when it displays a notifications count.

Note:

The counter shows the number of notifications currently triggered, not the number of notifications since the last time you viewed the notifications list.

The Notifications Settings Tab

The Oracle® Communications Security Shield Cloud Service (Security Shield) Settings tab displays predefined notifications you can enable or disable. You can also set the thresholds for triggering and clearing the notifications. All notifications default to disabled and all thresholds default to no setting.

The following screen capture shows the notifications with descriptions and the parameters you can set.

This screen capture shows the notification types and the configurable parameters for each one.

Upper Threshold—The point at which Security Shield triggers the notification.

Lower Threshold—The point at which Security Shield clears the notification.

Status—Whether or not the notification is enabled.

Comment—Enter any notes you might want, for example, why you enabled or disabled a notification or why you set the thresholds to certain levels.

The settings take effect when you click Save.

The Notifications Subscriptions Tab

The Subscriptions tab on the Oracle® Communications Security Shield Cloud Service (Security Shield) Notifications page displays information about the subscribers configured to receive notifications when Security Shield detects threat conditions. The Subscriptions tab also displays the Create Subscription button to launch the configuration drawer, as well as filter chips for search operations.

The Subscriptions tab displays filter chips you can use for search and lists your subscribers along with the Alert type, Protocol, Active Status, and Creation Timestamp. In the Search field, you can also enter all or part of a Topic to see a list of only those subscribers.

This screen capture shows the Subscriptions tab on the Notifications page.

Definitions of the Columns and Filter Chips

Subscription—The delivery endpoint where Security Shield sends published messages for a particular topic. See Slack and PagerDuty for hooks and integration information. Every message sent out as email contains a link to unsubscribe from the related topic, so Subscribers can unsubscribe themselves from notifications. Only the Privileged Administrator can unsubscribe recipients from HTTPS and Slack notifications. Security Shield updates the subscription list whenever a change is made to the list or when you navigate to the Subscription tab.

Topic—A channel for communicating messages to a subscription. The only topic supported at this time is Alert.

Protocol—The means for delivering notifications to subscriptions. Security Shield can send notifications to:
  • Email—An email address
  • HTTPS—PagerDuty
  • Slack—A Slack channel

State—The availability of the subscriber to receive notifications. Active means the subscriber will receive notifications. Pending means Security Shield notified the subscriber about the subscription, but the subscriber has not yet clicked the link in the notification required to activate the subscription.

Created Time Stamp—The day, year, and time when the Privileged User created the subscription.

Create A Notification Subscription

The Create Subscription button launches the Create Subscription configuration drawer where Privileged Users configure Security Shield to send notifications to designated subscribers by way of email, Slack, and PagerDuty services when call threats occur.

This screen capture shows the Create Subscription drawer.

Remove Subscriptions

Security Shield provides the following methods for removing subscriptions.
  • Privileged Users can remove email, Slack, and PagerDuty subscriptions. See Unsubscribe Users From Notifications.
  • Subscribers can unsubscribe only from email notifications, using the link included in every notification sent by email.

Notifications Subscriptions Behavior and Configuration Guidelines

Notifications from Oracle® Communications Security Shield Cloud Service (Security Shield) can alert end-users you configure about potentially harmful threats detected by Security Shield. The following information describes how the notifications work.

On the Notifications Settings Tab, Privileged Users can configure settings for triggering and ending specific types of notifications about potentially harmful call-traffic events. On The Notifications Subscriptions Tab, privileged users can Configure Subscriptions to Notifications for the end-users (called subscribers) you want to receive the notifications.

Note:

You cannot alter the messages sent in notifications.

Security Shield attempts to deliver notifications as soon as they occur and applies no restriction on the number of messages pushed out. Security Shield can deliver up to ten email messages per minute and up to sixty transactions per minute per alert type (called a Topic). Security Shield delivers each message at least once per subscription.

Note:

Security Shield notifications support only one topic (named Alert) at this time.

Notifications support the following:
  • up to ten endpoints per topic, which can be a combination of multiple email addresses, one Slack endpoint, and one PagerDuty endpoint.
  • up to ten email addresses when you set no Slack and PagerDuty endpoints.
  • only one Slack endpoint per topic.
  • only one PagerDuty endpoint per topic.
  • a group email address as the endpoint.

After you configure a subscriber to receive notifications, the subscriber must activate the subscription. The configuration and activation process includes the following steps and results:
  1. Access the Notifications page and go to the Subscriptions tab.
  2. Configure one or more subscribers whom you want to receive notifications. Security Shield sends a confirmation email to the subscriber that contains a confirmation link and also lists the subscriber on the Subscription table as Pending.
  3. The subscriber must click the activation link in the email to activate the subscription. When the subscription becomes active, the Subscription table reports the State as Active.

See Slack and PagerDuty for integration information.

Security Shield Threat Notifications Messages

You can configure Oracle® Communications Security Shield Cloud Service (Security Shield) to send notifications about detected threat conditions by way of email, Slack, and PagerDuty to designated subscribers. Notifications occur when the alert state for a call type changes from Not Triggered to Triggered, according to the thresholds you set.

Notifications include messages that Security Shield publishes to a topic, for example, Alerts. (A topic is a channel for communicating messages to a subscription.) Security Shield delivers each message at least once per subscription. Every email message contains a link to unsubscribe from the related topic. The following table lists and describes the information Security Shield provides for the Alerts topic.

Note:

You cannot edit the content of the messages.

Alert Category: Call Enforcement
  • Alert Name: Elevated Call Blocking %
    Title: Security Shield Alert: Higher number blocked calls than expected
    Message: [Trigger time stamp]. The number of blocked calls exceeded your configured threshold. Please investigate the reason for the number of blocked calls. You may want to reconfigure Security Shield to prevent blocking calls you want.
  • Alert Name: Elevated Call Redirecting %
    Title: Security Shield Alert: High Number of redirected calls than expected
    Message: [Trigger time stamp]. The number of redirected calls exceeded your configured threshold. The increase may indicate an attack. Please investigate the reason for the number of redirected calls. You may want to reconfigure Security Shield to prevent redirecting calls you want.

Alert Category: Toll Fraud
  • Alert Name: Elevated Toll Fraud Attacks
    Title: Security Shield Alert: Suspected Fraud on outbound calls.
    Message: [Trigger time stamp]. Security Shield detected a possible attack against your voice infrastructure from fraudulent outbound calls. Fraudulent outbound calls may result in higher charges from your service provider. Oracle recommends blocking toll fraud calls.

Alert Category: Traffic Pumping Attacks
  • Alert Name: Elevated Traffic Pumping Attacks
    Title: Security Shield Alert: Security Shield Higher number of calls than expected; possible call flooding detected
    Message: [Trigger time stamp]. Security Shield detected a possible attack against your voice infrastructure using inflated traffic volumes. Call flooding from traffic pumping may result in service impairment. Your customers may experience difficulty in getting through. Monitor the situation. Oracle recommends throttling traffic pumping calls.

Alert Category: Call Type
  • Alert Name: Elevated Spam Risk Calls
    Title: Security Shield Alert: More SPAM calls than expected. High number of suspected SPAM calls.
    Message: [Trigger time stamp]. The number of suspected SPAM calls exceeded the configured threshold. The result may impair service and cause productivity loss. Monitor the situation. If needed, block or throttle SPAM calls until the numbers drop to more normal levels.
  • Alert Name: Elevated Fraud Risk Calls
    Title: Security Shield Alert: Suspected fraud calls
    Message: [Trigger time stamp]. The number of suspected fraudulent calls exceed the configured threshold. The increase may indicate an attack on your service. Monitor the situation. If needed, block or redirect fraud calls until the numbers drop to more normal levels.
  • Alert Name: Elevated Spoofed Calls
    Title: Security Shield Alert: Higher numbers of spoofed calls than expected.
    Message: [Trigger time stamp]. The number of suspected spoofed calls exceeded the configured threshold. The increase may indicate a reconnaissance attack, phishing attack, or other malicious behavior. Monitor the situation. If needed, block or throttle spoofed calls until the numbers drop to more normal levels.

Alert Category: Call Classification
  • Alert Name: Elevated Risky Calls %
    Title: Security Shield Alert: Higher number of Risky calls than expected
    Message: [Trigger time stamp]. The number of risky calls exceeded the configured threshold. Security Shield detected very suspicious behavior. Monitor the situation. If needed, block, redirect, or throttle the highest risk categories until the numbers drop to more normal levels.

Configure Subscriptions to Notifications

Privileged users can configure Oracle® Communications Security Shield Cloud Service (Security Shield) to send notifications to designated subscribers about threat conditions that Security Shield detects. You can specify sending notifications by email, Slack, and PagerDuty services.

Procedure

In the following procedure, you set the subscription topic, protocol, and endpoints. You can set:
  • up to ten endpoints per topic, which can be a combination of multiple email addresses, one Slack endpoint, and one PagerDuty endpoint.
  • up to ten email addresses when you set no Slack and PagerDuty endpoints.
  • only one Slack endpoint per topic.
  • only one PagerDuty endpoint per topic.
  • a group address for the email endpoint.

Before You Begin
  • Confirm that you are assigned to the Security Shield Configuration Editor and Security Shield Administrator roles.

  1. Access the Notifications page and click the Subscriptions tab.
  2. On the Subscription tab, click Create Subscription.
  3. In the Create Subscription dialog, do the following:
    • Subscription Topic—Select Alert. Security Shield supports no other topics at this time.
    • Protocol—Select the service you want Security Shield to use to send notifications. Default: Email. Valid values: Email | Slack | PagerDuty.
    • Enter the endpoint email, Slack URL, or PagerDuty integration key according to the protocol type you selected in the previous step. Endpoint configuration is case-sensitive.
  4. Click Add.
    Security Shield adds the new subscriber to the subscription list table as Pending and emails a confirmation link to the subscriber.

Next Steps
  • The new subscriber must click the link in the email to activate the subscription.

Unsubscribe Users From Notifications

Privileged Users can remove Subscribers from receiving Oracle® Communications Security Shield Cloud Service (Security Shield) notifications with the following procedure. Security Shield updates the subscription list whenever a change is made to the list or when you navigate to the subscription tab.

Before You Begin

Confirm you are assigned to the Privileged Users role.

Procedure

Use the following procedure for unsubscribing recipients from any delivery method through the Subscription tab.

  1. Access the Notifications page and click the Subscription tab.
  2. On the Subscription tab, locate the subscription to delete.
  3. Click the delete icon at the end of the subscription row.
    Security Shield displays a confirmation dialog.
  4. Click Delete.
    Security Shield removes the subscription.

User Groups Required for Managing Notifications

Users who want to view or manage Oracle® Communications Security Shield Cloud Service (Security Shield) Notifications must be assigned to the following user groups according to what they want to see or do.

Access the Notification List (View information)

  • OCSS User
  • OCSS ACL Editor
  • OCSS Configuration Editor
  • OCSS Device Configuration Editor
  • OCSS User Tracking and Monitoring
  • OCSS Administrator

Manage Notification Rules (Set thresholds)

  • OCSS Configuration Editor
  • OCSS Device Configuration Editor

Manage Notification State Changes (Enable-Disable)

  • OCSS Administrator
  • OCSS Device Configuration Editor

Enable Notifications and Set the Thresholds

Privileged Oracle® Communications Security Shield Cloud Service (Security Shield) users can enable and disable notifications, as well as set the triggering thresholds.

Before You Begin
  • Confirm you are assigned to the OCSS Configuration Editor and OCSS Device Configuration Editor user groups to set thresholds for notifications.
  • Confirm you are assigned to the OCSS User and OCSS Device Configuration Editor user groups to enable or disable notifications.

Procedure

You do not need to enable all notifications in a group. For example, in the Call Enforcement Notifications group you can enable Elevated Call Blocking and set Elevated Call Redirecting to disabled. Note that Security Shield does not set defaults for the threshold settings or status.

Note:

The Settings tab lists and describes the notifications you can configure.

  1. Access the Notifications page and click the Settings tab.
  2. On the Settings tab, set the following parameters for each notification type you want to use.
    • Upper Threshold—Set the threshold for turning notifications on. Valid values: 1-100 for percentages. 1-20,000 for incidents.
    • Lower Threshold—Set the threshold for turning notifications off. Valid values: 1-100 for percentages. 1-20,000 for incidents.
    • Status—Set to either enabled or disabled.
    • Comment—(Optional) Enter text, for example, to describe the purpose of the notification or why you want it disabled or enabled.
  3. Click Save.
    The settings take effect right away.
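
The following Python sketch is an added example, not Oracle code: it replays the Triggered and Not Triggered transitions described for the Notifications Watchlist against the valid ranges above, so you can compare how far apart to set the upper and lower thresholds before you save them. It assumes that "exceed" and "fall below" are strict comparisons and that the lower threshold must not be above the upper one; Rule, replay, compare_gaps, and the sample values are hypothetical, and the twenty-four hour age-out is not modeled.

```python
from dataclasses import dataclass

# Valid ranges from the Settings procedure: 1-100 (percentages), 1-20,000 (incidents).
RANGES = {"percent": (1, 100), "incidents": (1, 20_000)}

@dataclass
class Rule:
    name: str
    unit: str             # "percent" or "incidents"
    upper: int            # calls exceed this: state becomes Triggered
    lower: int            # calls fall below this: state becomes Not Triggered
    enabled: bool = True

    def validate(self):
        lo, hi = RANGES[self.unit]
        for label, value in (("upper", self.upper), ("lower", self.lower)):
            if not lo <= value <= hi:
                raise ValueError(f"{self.name}: {label} threshold {value} outside {lo}-{hi}")
        # Assumption (not stated on the page): lower must not be above upper.
        if self.lower > self.upper:
            raise ValueError(f"{self.name}: lower threshold above upper threshold")

def replay(rule, samples):
    """Replay one sample per five-minute update; return (states, notify_indexes)."""
    if not rule.enabled:
        return ["Disabled"] * len(samples), []
    rule.validate()
    state, states, notified = "Not Triggered", [], []
    for i, value in enumerate(samples):
        if state == "Not Triggered" and value > rule.upper:
            state = "Triggered"
            notified.append(i)   # a message goes out only on this transition
        elif state == "Triggered" and value < rule.lower:
            state = "Not Triggered"
        states.append(state)
    return states, notified

# Constructed sample: blocked-call percentage at successive five-minute updates.
SAMPLES = [5, 12, 21, 18, 22, 14, 9, 8, 25]

def compare_gaps():
    # Same upper threshold, two different lower thresholds, same traffic.
    wide = Rule("Elevated Call Blocking %", "percent", upper=20, lower=10)
    narrow = Rule("Elevated Call Blocking %", "percent", upper=20, lower=20)
    return replay(wide, SAMPLES)[1], replay(narrow, SAMPLES)[1]

if __name__ == "__main__":
    wide, narrow = compare_gaps()
    print("upper=20, lower=10 notifies at updates:", wide)
    print("upper=20, lower=20 notifies at updates:", narrow)
```

With the constructed samples, the 20/10 pair sends two notifications while the 20/20 pair sends three for the same traffic, because the state clears and re-triggers each time the value hovers around the upper threshold.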