Centrify Analytics Service (CAS), a multi-tenant cloud service, applies Artificial Intelligence (AI) and big data analytics to offer intelligent, real-time access security. This use of AI and big data analytics can eliminate improper security policies, unnecessary permissions, and access anomalies, while at the same time detect these threats for monitoring. When a threat is identified, CAS annotates the risk event with a risk score and risk distribution, then creates an alert. The administrator can then get a notification from SMS and remediate the threat. In this article, we will provide an example of how to use Centrify Analytics Webhook to trigger an AWS Lambda function. All the code examples can be found in this Github repository.
Centrify Analytics Service Webhook is a HTTP callback that is triggered by Centrify Analytics events. Should an alert event occur for example, Centrify Analytics Service allows users to send alerts into third-party applications via webhook. This capability enables users to respond quickly to a threat alert and contain the impact.
AWS Lambda is a compute service where you can upload your code to AWS Lambda. The service can run code on your behalf within the AWS infrastructure. As a serverless framework, AWS Lambda makes it easy to develop the automation and orchestration workflow to handle alerts from Centrify Analytics Service.
The AWS Lambda function example will send an SMS or email when a Centrify Analytics alert is triggered. By extending the AWS Lambda function example, you can archive more sophisticated remediation tasks, such as killing the session, banning the IP address, etc. The following diagram illustrates the architecture of the example.
Create SNS Topic
Login to your AWS Console, and create a SNS topic “analytics-demo”.
Create an SMS subscription, choose SMS in protocol and input your mobile number:
Create the AWS Lambda function
Login to your AWS Console via your favorite browser, select “Lambda” from “Services”.
- In “Functions”, click the “Create function” button.
- In “Create function” wizard, choose “Author from scratch”, input “name”, choose Python 3.6 in “Runtime”, choose “Create new role from template(s)” from “Role” drop-down, input “Role name”, choose “SNS publish policy” from “Policy templates” drop-down.
- Click “Create function”.
- In “Function code”, choose “Edit code inline” in the “Code entry type” drop-down list.
- Copy and paste the following code, remember to replace sns_arn variable with your SNS ARN.
- Review the code, settings and click the “Save” button.
sns = boto3.client('sns')
def lambda_handler(event, context):
print("Received event: " + json.dumps(event, indent=2))
# Replace following with your SNS ARN
sns_arn = 'arn:aws:sns:us-west-2:99999999:analytics-demo'
sns_event = event
sns_event["default"] = json.dumps(event)
Subject="Centrify Analytics Alert"
except Exception as e:
This sample code uses boto3 to publish the webhook payload from Centrify Analytics to the SNS topic, which has your mobile number subscribed.
Setup AWS API Gateway
To make the Lambda function accessible via a HTTP POST, you need to create an AWS API Gateway and associate the Lambda function with an API endpoint.
Login to your AWS Console via your favorite browser, select “API Gateway” from “Services”.
- Click “Create API” button --> input “Analytics Demo API” as “API name”.
- Click the “Create API” button.
- Choose “Create Resource” in “Actions” drop-down --> input “analyticsdemo” as “Resource Name” and “analyticsdemo” as the “Resource Path”.
- Click “Create Resource” button.
- Select the newly created “analyticsdemo” node in “Resources” tree --> choose “Create Method” in “Actions” drop-down --> choose “POST” method for “analyticsdemo” resource.
- In the POST method configuration panel --> choose “Lambda Function” as the “Integration type” --> choose the proper “Lambda Region” --> input your lambda ARN in “Lambda Function”.
- Click the “Save” button.
If all went well, you should end up with an execution workflow diagram like this:
Setup API Stage
The stage represents the label of API lifecycle stages, e.g., development, test, production, etc. In the API console, choose your API and the root resource of the API –> select “Deploy API” in the “Actions” drop-down:
In this example, I use “demo” as the stage name.
Setup Usage Plan
“Usage Plans” allow you to put controls and constraints into your API, e.g. “Rate”, “Burst”, “Quota”, etc.
If you have set up an API usage plan before, then you only need to add the newly created API to the usage plan. Otherwise, you need to follow the steps below. Also if you have never used “Usage Plans” and don't see the option in the API console, you need to enable it in your account.
In the API console, choose “Usage Plans” and click the “Create” button. Follow the wizard and make sure to associate your API and stage with the usage plan in the wizard.
Setup API Key
In the API console, choose “API Keys”, then choose “Create API key” in “Actions”. When the API key is created, you can click the newly create API key and click the “Add to Usage Plan” button to link your API key to the usage plan.
Click “Show” link, copy and save your API key. This API key will be used in the webhooks configuration in Centrify Analytics Portal.
In the API console, choose your API and the root resource of the API, then select “Deploy API” in the “Actions” drop-down. You should use the “demo” stage to deploy the API. After deploy, your API is now ready to use, and you can find "invoke URL" from the stage editor:
Setup Centrify Analytics Webhook
Log in Centrify Analytics portal and navigate to Settings -> Webhooks. Click “New” button:
The webhook can also be imported from “Anomaly Detection Notification.json“ located in this Github repository.
End to end Testing
Now, whenever there is a SecurityAlert event generated in your Centrify Analytics Service, you should get the SMS notification on your mobile devices:
The code for this sample is available in this Github repository.