Michael Sconzo

NetWitness + Slack for realtime alerts

Blog Post created by Michael Sconzo Employee on Jul 23, 2017

As threats evolve it's important for organizations to keep pace. As part of this trend, many organizations are moving to Slack for team communications and to drive a more efficient operational workflow. You can use the NetWitness Suite to help drive some of those changes as well. In this post we'll look at how to send ESA alerts from NetWitness to Slack using the 'run script' notification capability.


First, configure an Incoming Webhook in Slack and note the webhook URL, plus the username and channel you configured it for. The script uses these to post from NetWitness to Slack. Treat the webhook URL as a secret: anyone who has it can post to that channel.


Next, in NetWitness, go to Configure -> ESA Rules and select the rule you want to add Slack notifications to. Then click Global Notifications; this is where you add the script, the notification server, and the template.


On the Output tab, click the + sign and select Script. Paste the following script into the box, give it a name and click Save.

#!/bin/bash

webhook_url="YOUR WEBHOOK URL GOES HERE"
channel="YOUR CHANNEL GOES HERE"
username="YOUR USERNAME GOES HERE"

# ESA passes the rendered notification text as the script's arguments; join them with spaces.
text="$*"

# Make the text a valid JSON string: flatten newlines, then escape backslashes before
# double quotes (single quotes need no escaping in JSON).
escapedText=$(printf '%s' "$text" | tr '\n' ' ' | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')

json="{\"channel\": \"$channel\", \"username\": \"$username\", \"icon_emoji\": \":ghost:\", \"attachments\": [{\"color\": \"danger\", \"text\": \"$escapedText\"}]}"

# --data-urlencode form-encodes the payload so '&', '+' and '%' in the alert text survive the request.
/usr/bin/curl -s --data-urlencode "payload=$json" "$webhook_url"

Click the Servers tab. If you don't have an entry for 'Script', click the + sign, add one and click Save. This lets scripts run on the local host (the ESA server).

You can use an existing template, but I created my own for simple alerting. To do this, click the Templates tab, then the + sign, add the following information and click Save.

Finally, select your new script, server and template in the rule, and deploy the modified ESA rule(s).
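The script pasted into the Output tab above is enough to get alerts flowing, but two things about it deserve attention before it goes into production: the webhook URL (a bearer secret) sits in a script body that every NetWitness admin can read, and the alert text, which is built from event data and can contain quotes, backslashes, newlines and control characters, is only lightly escaped. The following is an added example, written for this post and not part of the original post or of RSA's product, of a hardened version you could paste in its place. It assumes the webhook URL is stored in a hypothetical file /etc/netwitness/slack_webhook readable only by the account ESA runs scripts as, that ESA passes the rendered notification text as script arguments (as the original script's use of $* implies), and that the SLACK_* environment variable names and the 3000-character cap are local choices, not NetWitness settings. It escapes the text character by character, joins multi-line alerts with an escaped newline, truncates runaway alerts, posts the body as application/json so no form-encoding step can mangle it, and surfaces HTTP errors instead of swallowing them.

```bash
#!/bin/bash
# Hardened Slack notifier for NetWitness ESA 'run script' actions.
# Added example for this post, not the original post's script.
# Assumptions (not from the original post):
#   - the webhook URL lives in WEBHOOK_FILE (hypothetical path), mode 0600, owned by
#     the account ESA runs scripts as; it is never written into the script body
#   - ESA passes the rendered template text as positional arguments ("$*")
#   - the SLACK_* variable names and the MAX_LEN cap are this example's own choices

WEBHOOK_FILE="${SLACK_WEBHOOK_FILE:-/etc/netwitness/slack_webhook}"
CHANNEL="${SLACK_CHANNEL:-#soc-alerts}"
USERNAME="${SLACK_USERNAME:-netwitness-esa}"
MAX_LEN="${SLACK_MAX_LEN:-3000}"   # cap on escaped alert characters sent to Slack

# json_escape RAW_TEXT
# Emits RAW_TEXT as the body of a JSON string literal (without surrounding quotes).
# Done character by character in awk so the result does not depend on how a
# particular awk interprets backslashes in gsub() replacement strings.
json_escape() {
    printf '%s' "$1" | awk -v max="$MAX_LEN" '
        BEGIN { emitted = 0 }
        NR > 1 { printf "\\n" }                 # re-join input lines as an escaped newline
        {
            n = length($0)
            for (i = 1; i <= n; i++) {
                if (emitted >= max) { printf " [truncated]"; exit }
                c = substr($0, i, 1)
                if (c == "\\" || c == "\"") printf "\\%s", c   # backslash and double quote
                else if (c == "\t")          printf "\\t"
                else if (c == "\r")          continue          # drop carriage returns
                else if (c < " ")            continue          # drop other control characters
                else                         printf "%s", c
                emitted++
            }
        }'
}

# build_payload CHANNEL USERNAME RAW_TEXT
# Returns the complete Slack webhook JSON body; every field goes through json_escape.
build_payload() {
    printf '{"channel":"%s","username":"%s","icon_emoji":":ghost:","attachments":[{"color":"danger","text":"%s"}]}' \
        "$(json_escape "$1")" "$(json_escape "$2")" "$(json_escape "$3")"
}

# send_to_slack JSON_PAYLOAD
# Reads the webhook URL from WEBHOOK_FILE and posts the payload as application/json.
send_to_slack() {
    if [ ! -r "$WEBHOOK_FILE" ]; then
        echo "slack_alert: cannot read $WEBHOOK_FILE" >&2
        return 1
    fi
    webhook_url=$(head -n 1 "$WEBHOOK_FILE")
    # --fail turns an HTTP 4xx/5xx (revoked webhook, unknown channel) into a non-zero
    # exit so the failure is visible in the ESA script log instead of silently dropped.
    # The payload always starts with '{', so curl will not treat it as an @file reference.
    curl --silent --show-error --fail --max-time 10 --retry 2 \
        -H 'Content-type: application/json' \
        --data "$1" "$webhook_url" >/dev/null
}

main() {
    [ $# -gt 0 ] || { echo "usage: $0 <alert text>" >&2; return 2; }
    send_to_slack "$(build_payload "$CHANNEL" "$USERNAME" "$*")"
}

# Only post when alert text is actually supplied; loading the file with no
# arguments just defines the functions above.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Create the secret file once on the ESA host with the webhook URL as its only line and lock it down (chmod 0600, owned by the account the script runs as); after that, rotating the webhook in Slack means editing one file rather than every notification script. Test it from a shell with a constructed alert such as ./slack_alert.sh 'ESA rule "Brute force" fired: src 10.0.0.5' and check that the message renders with the quotes intact. Keep in mind that whatever the template puts in the text (usernames, URLs, user agents, some of it attacker-influenced) ends up on Slack's servers, so limit the template to what the on-call analyst needs to triage.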

Now you can enjoy your new Slack integration, and get alerts into various channels.
