Notifications

General

Manage connectors for sending notifications to customer-configured destinations.

A notification connector specifies where Trend Micro Cloud One™ – Network Security should send messages to alert a user about specific conditions.

A notification type specifies the type of messages to send to a connector. For example, an "appliancehealth" notification type specifies messages related to the status of Network Security virtual appliances.

A connector type specifies the service specific to a cloud service provider to use for notifications for a connector. For example, an snsconnector type indicates the Amazon Simple Notification Service (SNS).

Amazon SNS

Follow these steps to ensure that Network Security can send notifications to your Amazon SNS topic.

Role

Create a role (or modify an existing role) in your account that Network Security can assume to publish messages to your SNS topic. Ensure the role has permission to publish messages.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SnsPublish",
      "Effect": "Allow",
      "Action": [
        "SNS:Publish"
      ],
      "Resource": "arn:aws:sns:us-west-1:123456789012:MyTopic"
    }
  ]
}
Replace the resource ARN above with the ARN for your SNS topic. Also, ensure the role has a trust policy that allows Network Security to assume the role.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "NetworkSecurityAssumeRole",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::737318609257:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "12345abc"
        }
      }
    }
  ]
} 
Please note that the account ID in the principal ARN is the Network Security AWS account ID. Replace the STS external ID with the same value you use to create a connector. This should be a non-trivial random value known only to you.

Topic Access Policy

The SNS topic used by Network Security should allow the role above to publish messages.
{
  "Sid": "NetworkSecurityPublish",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:sts::123456789012:assumed-role/MyRole/<Notification Type>"
  },
  "Action": "SNS:Publish",
  "Resource": "arn:aws:sns:us-west-1:123456789012:MyTopic"
} 
Replace the account ID and role name in the principal ARN with the values for the role created above. The <Notification Type> in the principal ARN should match the notification type used in the corresponding notification connector. For example, "appliancehealth".
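
The check below is an added example, not part of the Network Security API or Trend Micro's code: it compares a role trust policy, a topic policy statement and a connector request body before the connector is created, and reports where the external ID or the assumed-role principal disagree. The function names and sample values are assumptions; the sample trust policy still carries the placeholder external ID "12345abc", so one finding is expected.

```python
import re

NS_PRINCIPAL = "arn:aws:iam::737318609257:root"  # Network Security account, from this page
EXTERNAL_ID_RE = re.compile(r"[a-zA-Z0-9+=,.@:/-]{2,1224}")  # externalId schema, from this page

def _list(v):
    return v if isinstance(v, list) else [v]

def _aws_principals(stmt):
    p = stmt.get("Principal")
    return _list(p.get("AWS", [])) if isinstance(p, dict) else []

def audit_connector(trust_policy, topic_stmt, connector):
    """Return findings; an empty list means role, topic policy and connector agree."""
    findings = []
    ext_id = connector.get("externalId", "")
    if not EXTERNAL_ID_RE.fullmatch(ext_id):
        findings.append("externalId missing or outside the documented schema")
    # Trust policy: Network Security may assume the role only with this external ID.
    trusted = False
    for st in _list(trust_policy.get("Statement", [])):
        if (st.get("Effect") == "Allow" and NS_PRINCIPAL in _aws_principals(st)
                and "sts:AssumeRole" in _list(st.get("Action", []))):
            trusted = True
            cond = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
            if cond is None:
                findings.append("trust statement lacks an sts:ExternalId condition")
            elif _list(cond) != [ext_id]:
                findings.append("trust policy external ID differs from connector externalId")
    if not trusted:
        findings.append("no statement lets Network Security assume the role")
    # Topic policy: the principal is the role session named after the notification type.
    m = re.match(r"arn:aws:iam::(\d{12}):role/(.+)$", connector.get("roleArn", ""))
    session = m and "arn:aws:sts::%s:assumed-role/%s/%s" % (
        m.group(1), m.group(2).rsplit("/", 1)[-1], connector.get("notificationType"))
    if not session or session not in _aws_principals(topic_stmt):
        findings.append("topic policy principal is not the role session for this connector")
    return findings

# Constructed sample: placeholder account, role and external ID values as used on this page.
CONNECTOR = {"notificationType": "appliancehealth",
             "externalId": "41819d20-b9a1-11eb-94c9-c769b191f4cc",
             "roleArn": "arn:aws:iam::123456789012:role/SnsNotificationRole"}
TRUST = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": NS_PRINCIPAL},
    "Action": "sts:AssumeRole", "Condition": {"StringEquals": {"sts:ExternalId": "12345abc"}}}]}
TOPIC = {"Effect": "Allow", "Action": "SNS:Publish", "Principal": {
    "AWS": "arn:aws:sts::123456789012:assumed-role/SnsNotificationRole/appliancehealth"}}

if __name__ == "__main__":
    print(audit_connector(TRUST, TOPIC, CONNECTOR))
```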

List SNS connectors

GET /notifications/snsconnectors

Retrieve a list of all SNS connectors. If no SNS connectors are defined, this request will return an empty list. Please note that the list of items in the response is encapsulated as the value of a top-level connectors key.

Responses
200

Successfully retrieved the list of SNS connectors

401

Unauthorized

403

Forbidden

500

Internal server error

Response samples
application/json
{
  "connectors": [ ]
}

Create SNS connector

POST /notifications/snsconnectors

Create a new SNS connector from the body of the request.

Request
Request Body schema: application/json

The SNS connector to create.

externalId
string [ 2 .. 1224 ] characters ^[a-zA-Z0-9+=,.@:/-]+$

The STS external ID Cloud One Network Security should use to assume the cross-account role when sending a notification.

notificationType
required
string

The notification category. That is, the product area that will use this connector.

Value: "appliancehealth"

roleArn
required
string [ 20 .. 2048 ] characters ^arn:aws:iam::[0-9]{12}:role/[a-zA-Z0-9+=,.@_...

The ARN of the cross-account role to use to send a notification.

topicArn
required
string [ 20 .. 2048 ] characters ^arn:aws:sns:.*:[0-9]{12}:[a-zA-Z0-9._-]{1,25...

The ARN of the SNS topic.

Responses
201

Successfully created SNS connector

401

Unauthorized

403

Forbidden

409

SNS connector already exists

422

Invalid SNS connector

500

Internal server error

Request samples
application/json
{
  "notificationType": "appliancehealth",
  "topicArn": "arn:aws:sns:us-west-1:123456789012:nsva-health",
  "roleArn": "arn:aws:iam::123456789012:role/SnsNotificationRole",
  "externalId": "41819d20-b9a1-11eb-94c9-c769b191f4cc"
}
Response samples
application/json
{
  "notificationType": "appliancehealth",
  "topicArn": "arn:aws:sns:us-west-1:123456789012:nsva-health",
  "roleArn": "arn:aws:iam::123456789012:role/SnsNotificationRole",
  "externalId": "41819d20-b9a1-11eb-94c9-c769b191f4cc"
}

Describe SNS connector

GET /notifications/snsconnectors/{notificationType}

Retrieve the SNS connector details for the specified notification type.

Request
path Parameters
notificationType
required
string

The notification type of the SNS connector to retrieve.

Responses
200

Successfully retrieved the SNS connector

401

Unauthorized

403

Forbidden

404

SNS connector not found

500

Internal server error

Response samples
application/json
{
  "notificationType": "appliancehealth",
  "topicArn": "arn:aws:sns:us-west-1:123456789012:nsva-health",
  "roleArn": "arn:aws:iam::123456789012:role/SnsNotificationRole",
  "externalId": "41819d20-b9a1-11eb-94c9-c769b191f4cc"
}

Update SNS connector

PUT /notifications/snsconnectors/{notificationType}

Update an existing SNS connector with the values from the body of the request.

Request
path Parameters
notificationType
required
string

The notification type of the SNS connector to update.

Request Body schema: application/json

The SNS connector to update.

externalId
string [ 2 .. 1224 ] characters ^[a-zA-Z0-9+=,.@:/-]+$

The STS external ID Cloud One Network Security should use to assume the cross-account role when sending a notification.

notificationType
required
string

The notification category. That is, the product area that will use this connector.

Value: "appliancehealth"

roleArn
required
string [ 20 .. 2048 ] characters ^arn:aws:iam::[0-9]{12}:role/[a-zA-Z0-9+=,.@_...

The ARN of the cross-account role to use to send a notification.

topicArn
required
string [ 20 .. 2048 ] characters ^arn:aws:sns:.*:[0-9]{12}:[a-zA-Z0-9._-]{1,25...

The ARN of the SNS topic.

Responses
200

Successfully updated the SNS connector

401

Unauthorized

403

Forbidden

404

SNS connector not found

422

Invalid SNS connector

500

Internal server error

Request samples
application/json
{
  "notificationType": "appliancehealth",
  "topicArn": "arn:aws:sns:us-west-1:123456789012:nsva-health",
  "roleArn": "arn:aws:iam::123456789012:role/SnsNotificationRole",
  "externalId": "41819d20-b9a1-11eb-94c9-c769b191f4cc"
}
Response samples
application/json
{
  "notificationType": "appliancehealth",
  "topicArn": "arn:aws:sns:us-west-1:123456789012:nsva-health",
  "roleArn": "arn:aws:iam::123456789012:role/SnsNotificationRole",
  "externalId": "41819d20-b9a1-11eb-94c9-c769b191f4cc"
}

Delete SNS connector

DELETE /notifications/snsconnectors/{notificationType}

Delete the SNS connector for the specified notification type.

Request
path Parameters
notificationType
required
string

The notification type of the SNS connector to delete.

Responses
204

Successfully deleted the SNS connector

401

Unauthorized

403

Forbidden

404

SNS connector not found

500

Internal server error

Response samples
application/json
{
  "message": "Internal server error"
}

Send a test notification

POST /notifications/snsconnectors/{notificationType}/verify

Send a test notification to verify the specified SNS connector settings.

Request
path Parameters
notificationType
required
string

The notification type of the SNS connector to use for the test message.

Responses
204

Successfully sent test SNS notification

401

Unauthorized

403

Forbidden

404

SNS connector not found

500

Internal server error

Response samples
application/json
{
  "message": "Internal server error"
}