By: Owen Dubiel
July 19, 2021
Slackbot for Rapid Response
Slack is one of the leading communication platforms in both personal and professional use. Known for its inclusive, collaborative chat style, infused with emojis, gifs, and the ability to start group calls on the fly, Slack has made itself a staple in the new era of remote work. Many may not know the full capabilities that Slack can provide from a security perspective through its Slackbot webhook integration. Below, we have outlined some of the top ways security teams can directly benefit from using the slackbot as an automated alerting and response machine.
Vulnerability Results Channel
A great use case for the slackbot is creating a Vulnerability Results Channel. By targeting a specific audience and fine-tuning the criteria, you can ensure that what is considered "important" is being viewed and addressed. For example, if you wanted to send all critical vulnerabilities into a Slack channel, the slackbot would enable you to display this information in a condensed, concise, and organized way. Think of this display as three different data levels, each separated by an action button that expands the details of the next level. The first level could be just the name of the vulnerability and the count; the second level would be the assets involved. The third level would be a drop-down of each asset and the specific details around the vulnerability (remediation steps, versions, etc.). The drop-down button method is very effective and doesn't clog up the Slack channel with thousands of results. Other options to consider would be as follows:
- Color coding based on the severity
- Daily reports of top vulnerabilities by criticality
- CVE information
- Summary option
The possibilities are virtually endless on how a channel can be configured; it is solely based on what works best within your organization.
Detection Alerts Channel
Taking the slackbot even further, we get into detections. If you utilize any DLP tool, SIEM, or EDR, you will want to consider creating an "alerts" channel. Slack is one of the best ways to view notifications on the go with its mobile app. By creating a detection alert channel, it is possible to embed all relevant information in a way that is similar to the vulnerability channel. Having the same button drop-downs keeps the information consolidated, but in the alerts channel, we add "actions" to enhance the experience.
For example, let's say we have SIEM events being sent to our slackbot and displayed as outlined above. We can now add action fields alongside the summary at the top level. The following are some action fields to consider:
- Comment button (allows the ability to make comments that are posted to the SIEM on the detection)
- Update Status button (enables the ability to change the status to closed, in progress, false positive, etc.)
- Change Assigned drop-down (lets an admin assign the detection to an analyst right in Slack)
Enabling these slackbot features will ensure that security visibility and response are handled promptly, even on the weekends.
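The following is an added example (not code from the original post) showing both ideas above: the first level of the vulnerability display, grouped by vulnerability name with an asset count, an expand button, and an attachment colour set by the worst severity, plus the check a bot should run on the action callbacks Slack sends when someone presses one of those buttons. Slack signs each callback with HMAC-SHA256 over `v0:<timestamp>:<raw body>` using the app's signing secret, so the verifier below rejects unsigned or replayed requests before the bot forwards a status change or comment to the SIEM. The findings, severity colours, `expand_assets` action id, and `SLACK_WEBHOOK_URL` environment variable are assumptions for the example.

```python
import hashlib
import hmac
import json
import time
import urllib.request
from collections import defaultdict

# Severity ordering (worst first) and the attachment bar colour used for each level (assumed palette).
SEVERITY_ORDER = ["critical", "high", "medium", "low"]
SEVERITY_COLORS = {"critical": "#B00020", "high": "#E65100", "medium": "#F9A825", "low": "#2E7D32"}

# Constructed sample scanner findings (not real results), one row per affected asset.
FINDINGS = [
    {"name": "Outdated OpenSSL", "severity": "critical", "asset": "web-01"},
    {"name": "Outdated OpenSSL", "severity": "critical", "asset": "web-02"},
    {"name": "Unpatched kernel", "severity": "high", "asset": "db-01"},
]

def build_summary(findings, min_severity="high"):
    """Level 1 of the display: one line per vulnerability with its asset count and an expand button."""
    wanted = SEVERITY_ORDER[: SEVERITY_ORDER.index(min_severity) + 1]
    by_name = defaultdict(list)
    for f in findings:
        if f["severity"] in wanted:
            by_name[f["name"]].append(f)
    blocks = []
    for name, group in sorted(by_name.items()):
        blocks.append({
            "type": "section",
            "text": {"type": "mrkdwn", "text": f"*{name}* ({group[0]['severity']}) on {len(group)} asset(s)"},
            "accessory": {"type": "button", "text": {"type": "plain_text", "text": "Show assets"},
                          "action_id": "expand_assets", "value": name},
        })
    # Colour code the whole message by the worst severity present.
    worst = min((g[0]["severity"] for g in by_name.values()), key=SEVERITY_ORDER.index, default="low")
    return {"attachments": [{"color": SEVERITY_COLORS[worst], "blocks": blocks}]}

def sign_slack_request(signing_secret, timestamp, body):
    """Slack signs callbacks as HMAC-SHA256 over 'v0:<timestamp>:<raw body>' with the app's signing secret."""
    base = f"v0:{timestamp}:{body}".encode()
    return "v0=" + hmac.new(signing_secret.encode(), base, hashlib.sha256).hexdigest()

def verify_slack_signature(signing_secret, timestamp, body, signature, now=None, max_age=300):
    """Check X-Slack-Signature / X-Slack-Request-Timestamp before acting on a button press."""
    if abs((time.time() if now is None else now) - int(timestamp)) > max_age:  # stale or replayed
        return False
    return hmac.compare_digest(sign_slack_request(signing_secret, timestamp, body), signature)

def post_to_webhook(payload, url):  # url comes from the SLACK_WEBHOOK_URL secret, never hard-coded
    req = urllib.request.Request(url, data=json.dumps(payload).encode(), headers={"Content-Type": "application/json"})
    return urllib.request.urlopen(req, timeout=10).status
```

Hand `verify_slack_signature` the raw request body exactly as received; re-serialising the parsed payload first will change the bytes and fail the check.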
Ticketing Assignment Channel
Now that there is adequate visibility around vulnerabilities and detections, these vulnerabilities can be formally tracked for compliance purposes. As we all know, it is vital to have proper change control to ensure no mistakes are made that cannot be tracked down after the fact. Creating a third channel for your third-party ticketing system can be one of the most beneficial and transparent actions any management team can take. For example, suppose we created a Jira channel that tracked the workflows for all critical vulnerabilities. In that case, we could assign this channel to leadership members to provide visibility into issues being handled in real time. The following options can be handled through a slackbot channel into your ticketing system of choice:
- Watch Button (allows users to track a specific ticket for future updates)
- Comment Button (will enable users to make comments posted into the ticket)
- Assign Button (enables admins to assign specific tickets to individuals or groups)
- Transition button (will allow admins to transition a ticket through workflow stages)
The slackbot has empowered technology teams with the tools to do more with less. Slack users are not required to be near their computer 24/7 to receive notifications on what is happening within their Slack environment. Slack provides its users with the ability to work on the go via the Slack mobile app. Whether it be a CEO just keeping tabs on specific issues or an analyst performing an investigation on a detection while camping on the weekend, Slackbot is genuinely a solution worth implementing. For information on Slack or related vulnerabilities, check out Cybrary today.