This community-contributed app lets you port Alert Notifications from the Carbon Black Cloud into Slack.
Published by Nick Comeau
View source code for this contribution
Disclaimer: This app was created and submitted by a member of the developer community. All sample content and code in the Community Showcase is licensed to you by the sample’s author. VMware does not guarantee the samples; they are provided “AS IS”.
Do you want all of your security product alerts to be in the same place you communicate with your team members? Do you want emojis that match the mood you feel after getting a high-score alert? Well, want no longer: introducing the Carbon Black Cloud Slack App (ages 10+)!
Jokes aside, many months ago I put my limited coding prowess and tenuous (at best) knowledge of the API to the test and attempted to create a way to port Alert Notifications from the VMware Carbon Black Cloud into Slack.
Coming from the pre-sales side as a Solution Engineer, I have often heard requests to bring alerting into the same medium that many SecOps team members use to communicate: Slack. That request has only grown with the change in how we work, dictated by the global pandemic and the ensuing quarantine.
Enter: the Carbon Black Cloud Slack App.
Automatic Posting of CB Endpoint Standard (CBD) and CB Enterprise EDR (CBTH) Alert Information into Slack
A Slack bot, with API webhooks enabled, that then responds to the prior alert notification and offers actions available within the Carbon Black Cloud Console. Such actions are redirects into the console built from:
Incident_id/Threat_id for the corresponding alert
device_id from the Notification
The intent behind the redirects is to avoid any concerns around RBAC roles granted to specific admins. Both the ‘Investigate’ and ‘Go Live’ capabilities are guarded by the Admin’s login and their subsequent RBAC permissions.
Throw in some emojis indicating the Alert Severity Score (because I'm an awful millennial), and voila, you have a Slack app for the VMware Carbon Black Cloud.
One cool and unintended side effect of the script is that it essentially enables mobile alert management! The Slack alert and VirusTotal lookup portions both paginate well, and although not perfect, it makes Cb Live Response (aka 'Go Live') a relatively viable option for the admin on the go.
credentials.psc to identify the 'profile' name (in brackets above the API keys); you might not have to do this with the updated cbapi, please check.
Now run the script!
The Cb notification listener checks every 30 seconds to see whether a new alert has been generated; if so, it posts it right within Slack, and the bot then offers the suggested actions.
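To make the 30-second polling loop concrete, here is an added, stand-alone example of the listener pattern described above. It is not Nick's code or cbapi's: the notification shape (`threatInfo.incidentId`, `threatInfo.score`, `deviceInfo.deviceId`, `url`), the emoji score thresholds and the `fetch_notifications` callable are all assumptions for illustration, and the sample notifications are constructed. In a real deployment the fetch callable would wrap cbapi's `CbDefenseAPI(profile=...).get_notifications()` and `post_to_slack` would be given a real incoming-webhook URL.

```python
import json
import time
import urllib.request


def severity_emoji(score):
    """Map a Carbon Black Cloud alert score (1-10) to an emoji.
    Thresholds are an assumption for this example, not the app's own."""
    if score >= 8:
        return ":rotating_light:"
    if score >= 5:
        return ":warning:"
    return ":information_source:"


def build_slack_message(notification):
    """Turn one notification (assumed v3 notification-API shape) into a
    Slack incoming-webhook payload. The console link comes straight from
    the notification's own `url`, so the Investigate action stays behind
    the admin's console login and RBAC, as the post describes."""
    threat = notification.get("threatInfo", {})
    device = notification.get("deviceInfo", {})
    score = int(threat.get("score", 0))
    text = (
        f"{severity_emoji(score)} *Carbon Black Cloud alert* (score {score})\n"
        f"*Summary:* {threat.get('summary', 'n/a')}\n"
        f"*Device:* {device.get('deviceName', 'unknown')} "
        f"(device_id {device.get('deviceId')})\n"
        f"*Incident:* {threat.get('incidentId')}\n"
        f"<{notification.get('url')}|Investigate in the CBC console>"
    )
    return {"text": text}


def post_to_slack(webhook_url, payload):
    """Send a payload to a Slack incoming webhook; returns the HTTP status."""
    data = json.dumps(payload).encode("utf-8")
    req = urllib.request.Request(
        webhook_url, data=data, headers={"Content-Type": "application/json"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


def poll_once(fetch_notifications, seen_ids, sender):
    """One polling pass: fetch, skip anything already posted, send the rest.
    Returns the number of messages sent. The seen-set is belt and braces
    against duplicate delivery within one run."""
    sent = 0
    for n in fetch_notifications():
        key = n.get("threatInfo", {}).get("incidentId") or n.get("eventId")
        if key in seen_ids:
            continue
        seen_ids.add(key)
        sender(build_slack_message(n))
        sent += 1
    return sent


def run_listener(fetch_notifications, sender, interval=30):
    """The 30-second loop from the post: poll, post new alerts, sleep."""
    seen = set()
    while True:
        poll_once(fetch_notifications, seen, sender)
        time.sleep(interval)


# Constructed sample notifications (not real alerts or real console URLs).
SAMPLE_NOTIFICATIONS = [
    {
        "type": "THREAT",
        "eventId": "evt-0001",
        "url": "https://defense.example.test/alerts/ABCD1234",
        "threatInfo": {"incidentId": "ABCD1234", "score": 9,
                       "summary": "Suspicious PowerShell download cradle"},
        "deviceInfo": {"deviceId": 1234567, "deviceName": "WIN10-LAPTOP"},
    },
    {
        "type": "THREAT",
        "eventId": "evt-0002",
        "url": "https://defense.example.test/alerts/EFGH5678",
        "threatInfo": {"incidentId": "EFGH5678", "score": 3,
                       "summary": "Unsigned binary executed"},
        "deviceInfo": {"deviceId": 7654321, "deviceName": "MAC-DESK-02"},
    },
]

if __name__ == "__main__":
    # Dry run against the constructed samples; swap in the real fetch and
    # post_to_slack(webhook_url, ...) for production.
    outbox = []
    poll_once(lambda: SAMPLE_NOTIFICATIONS, set(), outbox.append)
    for msg in outbox:
        print(msg["text"], "\n")
```

Because the message only carries deep links and identifiers, a Slack user who clicks through still has to authenticate to the console and is limited by their own RBAC role, which is the point made in the post about the redirects.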
Nick Comeau has been with VMware Carbon Black since the Bit9 days (about 5 years) and he works as the Senior Technical Specialist for the Commercial Solution Engineering team in the Intrinsic Security business unit. This is a fancy way of saying that he is a former Sales Engineer covering predominantly the West Coast who now focuses on training new SEs and running the occasional POC. Prior to joining the company, Nick worked in electro-chemical engineering, and he still holds several patents in that space. He also has a background in biomedical engineering before transitioning into the cybersecurity space. Nick was Python-illiterate until about a year ago, so he would like you to please disregard any noob mistakes in his code :)
“This is proof that making something cool, or useful, is made easy with Cbapi – and I hope some of you, who are far more proficient than I, show me up with some cool projects!” -Nick Comeau