If Channel name is different than ‘cb_alerts’ adjust line 24 of CB+Slack py script.In Slack, Create a new workspace (skip if you have already done this) Adjust line 12 of CB+Slack py script with the correct ‘profile’ nameĥ.VI into credentials.psc to identify the ‘profile’ name (in brackets above the api keys) – you might not have to do this with the updated Cbapi, please check.Once configured change extension from fense to credentials.psc.Enter API Key (Now called API Secret Key).(See the Authentication Guide for guidance) Open Terminal or Command and cd to CbAPI directory.Under “How do you want to be notified?” Select SIEM connector made in step 1, under API Keys.Navigate in CBC Console to Settings > Notifications > Add Notification.
#SLACK DESKTOP APP DOD DOWNLOAD#
Download associated CB+Slack python script.Ģ.One cool and unintended side effect of the script is that it essentially enables mobile alert management! The Slack alert and Virus Total Lookup portions both paginate well, and although not perfect, it makes Cb Live Response (aka ‘Go Live’) a relatively viable option for the admin on the go. Throw in some Emoji’s dictating Alert Severity Score (because I’m an awful millennial), and voila – you have a Slack app for the VMware Carbon Black Cloud. Both the ‘Investigate’ and ‘Go Live’ capabilities are guarded by the Admin’s login and their subsequent RBAC permissions. The intent behind the redirects is to avoid any concerns around RBAC roles granted to specific admins. ‘Go Live’ – Simple URL redirect to the Go Live URL formatted with the corresponding device_id from the Notification.‘Virus Total Lookup’ – Once again, a simple URL redirect, which takes the hash from the ‘Threat Cause Actor’ and appends it to the VT lookup URL string.‘Investigate’ – This is a simple URL redirect, which reformats the URL for the Alerts page, via auto adding of the Incident_id/Threat_id for the corresponding alert.Then, I leveraged Slack’s simple API messenger and Block Kit builder to post the associated contents in an easy-to-read formatĪ Slack bot, with API Webhooks enabled, to then respond to the prior alert notification, and offer actions available within the Carbon Black Cloud Console.This was done via leveraging the Cbapi Notification Listener to grab the alert.There are 2 parts to the script:Īutomatic Posting of CB Endpoint Standard (CBD) and CB Enterprise EDR (CBTH) Alert Information into Slack This request is further proliferated by the change in how we work, dictated by the global pandemic, and ensuing quarantine.Įnter: the Carbon Black Cloud Slack App. Jokes aside, many months ago I put my limited coding prowess and tenuous (at best) knowledge of the API to the test and attempted to create a way to port Alert Notifications from the VMware Carbon Black into Slack.Ĭoming from the pre-sales side as a Solution Engineer, I have oft’ heard requests to bring Alerting into the same medium that many SecOps team members would use to communicate: Slack.
Are you like me?ĭo you want all of your security product alerts to be in the same place you communicate with your team members? Do you want emojis to that resemble the mood you feel after getting a high-score alert? Well want no longer – introducing the Carbon Black Cloud Slack App (ages 10+)!
VMware does not guarantee the samples they are provided “AS IS”.
#SLACK DESKTOP APP DOD CODE#
All sample content and code in the Community Showcase is licensed to you by the sample’s author. Disclaimer: This app was created and submitted by a member of the developer community.
0 kommentar(er)
