Disclaimer: This app was created and submitted by a member of the developer community. All sample content and code in the Community Showcase is licensed to you by the sample’s author. VMware does not guarantee the samples; they are provided “AS IS”.

Are you like me?

Do you want all of your security product alerts to be in the same place you communicate with your team members? Do you want emojis to that resemble the mood you feel after getting a high-score alert? Well want no longer – introducing the Carbon Black Cloud Slack App (ages 10+)!

Jokes aside, many months ago I put my limited coding prowess and tenuous (at best) knowledge of the API to the test and attempted to create a way to port Alert Notifications from the VMware Carbon Black into Slack.

Coming from the pre-sales side as a Solution Engineer, I have oft’ heard requests to bring Alerting into the same medium that many SecOps team members would use to communicate: Slack. This request is further proliferated by the change in how we work, dictated by the global pandemic, and ensuing quarantine.

Enter: the Carbon Black Cloud Slack App.

There are 2 parts to the script:

1. Automatic Posting of CB Endpoint Standard (CBD) and CB Enterprise EDR (CBTH) Alert Information into Slack

   • This was done via leveraging the Cbapi Notification Listener to grab the alert
   • Then, I leveraged Slack’s simple API messenger and Block Kit builder to post the associated contents in an easy-to-read format

2. A Slack bot, with API Webhooks enabled, to then respond to the prior alert notification, and offer actions available within the Carbon Black Cloud Console. Such actions include:

   • ‘Investigate’ – This is a simple URL redirect, which reformats the URL for the Alerts page, via auto adding of the Incident_id/Threat_id for the corresponding alert
   • ‘Virus Total Lookup’ – Once again, a simple URL redirect, which takes the hash from the ‘Threat Cause Actor’ and appends it to the VT lookup URL string
   • ‘Go Live’ – Simple URL redirect to the Go Live URL formatted with the corresponding device_id from the Notification

   The intent behind the redirects is to avoid any concerns around RBAC roles granted to specific admins. Both the ‘Investigate’ and ‘Go Live’ capabilities are guarded by the Admin’s login and their subsequent RBAC permissions.

Throw in some Emoji’s dictating Alert Severity Score (because I’m an awful millennial), and voila – you have a Slack app for the VMware Carbon Black Cloud.

One cool and unintended side effect of the script is that it essentially enables mobile alert management! The Slack alert and Virus Total Lookup portions both paginate well, and although not perfect, it makes Cb Live Response (aka ‘Go Live’) a relatively viable option for the admin on the go.

Installing the Slack App

Video tutorial

Instructions

1. Configure CbAPI

• Instructions here: https://cbapi.readthedocs.io/en/latest/installation
• Download associated CB+Slack python script.

2. In the Carbon Black Cloud Console, create a CBC API Key

• Navigate in CBC Console to Settings > API Keys > Add API Key
  • Create API Key with ‘Access Level’ SIEM
  • Copy Keys Created for Configuration:
    • API ID (Connector ID)
    • API Secret Key (API Key)

3. Create CBC Notification

• Navigate in CBC Console to Settings > Notifications > Add Notification
• Set-up desired notification
• Under “How do you want to be notified?” Select SIEM connector made in step 1, under API Keys

4. Configure API Credentials File

• Open Terminal or Command and cd to CbAPI directory
• cbapi-defense configure
  • Enter Hostname: Copy CbPSC URL i.e. https://defense-prod05.conferdeploy.net/ (See the Authentication Guide for guidance)
  • Enter Connector ID (Now called API ID)
  • Enter API Key (Now called API Secret Key)
• Once configured change extension from credentials.defense to credentials.psc
• VI into credentials.psc to identify the ‘profile’ name (in brackets above the api keys) – you might not have to do this with the updated Cbapi, please check.
• Adjust line 12 of CB+Slack py script with the correct ‘profile’ name

5. In Slack, Create a new workspace (skip if you have already done this)

• Create Channel titled ‘cb_alerts’
• If Channel name is different than ‘cb_alerts’ adjust line 24 of CB+Slack py script

6. Install slack python client:

• https://slack.dev/python-slack-sdk/
• Generate API Token:
  • https://api.slack.com/custom-integrations/legacy-tokens
  • Save this API Token as an environmental variable (tutorial link below):
    • Windows: https://www.youtube.com/watch?v=IolxqkL7cD8
    • Mac & Linux: https://www.youtube.com/watch?v=5iWhQWVXosU
  • Enter Slack API environmental variable to line 15 of CB+Slack py script

7. Creating SLACK App for Carbon Black Cloud Integration

• Select Workspace (far left of Slack Desktop)
• Select ‘Customize Slack’
• In Left Nav. Panel select ‘API’
• Select ‘Start Building’
• Create an App
  • ENTER App Name:
  • ENTER Dev. Slack Workspace
  • Select ‘Create App’

8. Customize SLACK App

• Select the App you just created
• Select “Basic Information”
• “Add Features and Functionality”
  • Turn ON ‘Incoming Webhooks’
  • Select ‘Add New Webhook to Workspace’
    • Select Channel of ‘cb_alerts’
  • Copy Webhook URL to line 27 of CB+Slack py script

9. Repeat 8b Select “Basic Information” and 8cc Select Channel ‘Bots’

• Add Bot User

10. Add newly created all to your workspace (if not already)

Now run the script!

The Cb notification listener will check every 30 seconds to see if a new alert has been generated — if so it will post it right within slack, and the bot will carry out the suggested actions.

About Nick Comeau

Nick Comeau has been with VMware Carbon Black since the Bit9 days (about 5 years) and he works as the Senior Technical Specialist for the Commercial Solution Engineering team in the Intrinsic Security business unit. This is a fancy way of saying that he is a former Sales Engineer covering predominately the West Coast who now focuses on training new SEs and running the occasional POC. Prior to joining the company, Nick worked in electro-chemical engineering, and he still holds several patents in space. He also has a background in biomedical engineering before transitioning into the cybersecurity space. Nick was Python-illiterate until about a year ago, so he would like you to please disregard any noob mistakes in his code :)

“This is proof that making something cool, or useful, is made easy with Cbapi – and I hope some of you, who are far more proficient than I, show me up with some cool projects!” -Nick Comeau