matanolabs / matano

Open source security data lake for threat hunting, detection & response, and cybersecurity analytics at petabyte scale on AWS
https://matano.dev
Apache License 2.0

Alerting integrations #18

Open Samrose-Ahmed opened 1 year ago

Samrose-Ahmed commented 1 year ago

Tracking for integrating Matano alerts with external systems

Destinations

Design

Integration

@shaeqahmed

gdrapp commented 1 year ago

Hey guys, great to see this on the roadmap. Would love to see TheHive on the list as well.

rams3sh commented 1 year ago

Hey guys,

It would be really nice to have the below as part of external integrations in general.

1. Webhook - This can solve a lot of generic use cases.
2. Step function - This will help in triggering a step function based playbook where one can have their own response playbook defined for a given alert.

Samrose-Ahmed commented 1 year ago

Great suggestions, especially step functions. Adding to the list.

rams3sh commented 1 year ago

Yeah, I have used socless and this idea comes from there. Step Functions also help in approval-based workflows where a user can be reached out to confirm if a given alert was indeed triggered due to genuine use or any unauthorised use, which can then be taken ahead by a SOC analyst. This reduces the burden on SOC analysts to address every alert.

Adding the link to socless framework to provide context to the ask.

Doc Link: https://twilio-labs.github.io/socless/
Reference to human based confirmation in socless: https://twilio-labs.github.io/socless/tutorial-interacting-with-humans-via-slack/
Repository: https://github.com/twilio-labs/socless

grue commented 1 year ago

Are you looking for contributions on this front, or is this something actively in progress?

Samrose-Ahmed commented 1 year ago

I believe @shaeqahmed was working on some integrations, starting with a Slack integration, but we are definitely happy to accept any contributions. Is there a specific integration you are interested in?

rams3sh commented 1 year ago

It would be nice to have standalone AWS lambda as a trigger as well in case there is not much complex workflow to have a step function.

timoguin commented 1 year ago

> It would be nice to have standalone AWS lambda as a trigger as well in case there is not much complex workflow to have a step function.

SNS was recently added as a destination. You could hook SQS + Lambda into that topic.
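The SNS → SQS → Lambda fan-out suggested above, as an added example that is not part of Matano or this thread: a Lambda handler for an SQS event source that unwraps the SNS envelope the queue receives (or a raw-message-delivery body), hands each alert to a pluggable downstream action, and reports per-record failures so only bad messages return to the queue. The alert fields (`rule`, `severity`) and the `forward` action are assumptions; Matano's actual alert schema is not given here.

```python
import json
from typing import Any, Callable


def default_forward(alert: dict) -> None:
    # Hypothetical downstream action (e.g. starting a Step Functions playbook).
    # A real handler would call boto3 here; it is injectable so the parsing
    # logic can be exercised offline.
    print(json.dumps(alert))


def unwrap_sns_over_sqs(record: dict) -> dict:
    """Return the alert carried by one SQS record.

    An SQS queue subscribed to an SNS topic receives the published message
    wrapped in an SNS envelope (Type/MessageId/Message/...) unless raw message
    delivery is enabled on the subscription, so both shapes are accepted.
    """
    body = json.loads(record["body"])
    if isinstance(body, dict) and body.get("Type") == "Notification" and "Message" in body:
        return json.loads(body["Message"])
    return body


def handler(event: dict, context: Any = None,
            forward: Callable[[dict], None] = default_forward) -> dict:
    """Lambda entry point for an SQS event source mapping.

    Each record is processed independently; failures are returned in the
    partial-batch-response format, which takes effect when the event source
    mapping has the ReportBatchItemFailures function response type enabled.
    """
    failures = []
    for record in event.get("Records", []):
        try:
            forward(unwrap_sns_over_sqs(record))
        except (KeyError, ValueError, TypeError):
            failures.append({"itemIdentifier": record["messageId"]})
    return {"batchItemFailures": failures}


# Constructed sample SQS event: one SNS-enveloped alert, one raw-delivery
# alert, and one malformed body that must be reported back as a failure.
SAMPLE_EVENT = {"Records": [
    {"messageId": "m-1", "body": json.dumps({"Type": "Notification", "MessageId": "sns-1",
        "Message": json.dumps({"rule": "example_rule", "severity": "high"})})},
    {"messageId": "m-2", "body": json.dumps({"rule": "example_rule", "severity": "low"})},
    {"messageId": "m-3", "body": "not json"},
]}

if __name__ == "__main__":
    print(handler(SAMPLE_EVENT))
```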