LogRhythm to Slack Webhooks

Check out the GitHub repo for example files.

Steps

  1. Add a webhook to your Slack team.
    [ NOT SHOWN ]
  2. Create your AIE alarm with fields that you want to pass to your webhook.
    [ NOT SHOWN ]
  3. Create a PowerShell script accepting the fields as parameters.
    [ basic.ps1 ]
  4. Create the actions.xml manifest with the same parameters/fields.
    [ actions.xml ]
  5. Create your SmartResponse Plugin using the PowerShell script and manifest.
    [ NOT SHOWN ]
  6. Set your SmartResponse as an action to your AIE alarm, mapping the correct parameters.
    [ NOT SHOWN ]
  7. Trigger your alarm, observe the webhook.
    [ NOT SHOWN ]
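
A basic.ps1 for step 3, added here as an illustration rather than the repository's own file: it takes the alarm fields as parameters, escapes them for Slack's markup, and posts the JSON payload to the webhook. The parameter names and the SLACK_WEBHOOK_URL environment variable are assumptions; map them to whatever fields your AIE alarm exports in step 6.

```powershell
param(
    [Parameter(Mandatory = $true)][string] $AlarmName,
    [Parameter(Mandatory = $true)][string] $AlarmDate,
    [string] $Origin = 'n/a',
    [string] $ImpactedHost = 'n/a',
    [string] $WebhookUrl = $env:SLACK_WEBHOOK_URL   # keep the secret out of the script and manifest
)

if ([string]::IsNullOrWhiteSpace($WebhookUrl)) {
    Write-Error 'No webhook URL: set SLACK_WEBHOOK_URL or pass -WebhookUrl'
    exit 1
}

# Slack treats &, < and > as markup (links, channel and user mentions). Alarm
# fields come from log data an attacker may influence, so escape them first.
function ConvertTo-SlackText([string] $s) {
    return $s.Replace('&', '&amp;').Replace('<', '&lt;').Replace('>', '&gt;')
}

$payload = @{
    username    = 'LogRhythm'
    text        = ":rotating_light: *$(ConvertTo-SlackText $AlarmName)*"
    attachments = @(
        @{
            color  = 'danger'
            fields = @(
                @{ title = 'Time';   value = (ConvertTo-SlackText $AlarmDate);    short = $true },
                @{ title = 'Origin'; value = (ConvertTo-SlackText $Origin);       short = $true },
                @{ title = 'Host';   value = (ConvertTo-SlackText $ImpactedHost); short = $true }
            )
        }
    )
}

try {
    # Slack only accepts TLS 1.2+; older Windows PowerShell hosts default lower.
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    # -Depth is required: the default of 2 would flatten the nested fields array.
    $json = $payload | ConvertTo-Json -Depth 5
    Invoke-RestMethod -Uri $WebhookUrl -Method Post -ContentType 'application/json' -Body $json | Out-Null
    Write-Output "Posted alarm '$AlarmName' to Slack"
}
catch {
    Write-Error "Slack webhook call failed: $($_.Exception.Message)"
    exit 1
}
```

The script exits non-zero on any failure so a broken webhook is not silently swallowed by the SmartResponse action.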

Better Examples

auth-failure.ps1

suspicious-ip-inbound.ps1

suspicious-ip-outbound.ps1

privileged-user-group-change.ps1

Credit

jgigler/Powershell.Slack
