IBM Security Verify Webhook Integration
Introduction:
IBM Security Verify offers comprehensive Identity Threat Detection and Remediation (ITDR) capabilities that can identify anomalous login behaviors and threat patterns indicating attacks to generate threat events. These threat events can be reviewed by the Admin in threat reports. Additionally, Admin can also configure rules for proactive remediation actions to remediate suspicious traffic (eg: block traffic from IPs that are flagged as suspicious in critical alerts, etc). This blog talks about the integration of threat events to external tools such as SIEM via notification webhooks. With this Notification Webhooks, Admin can define multiple webhooks for different tools and each webhook can have multiple clauses to filter the events.
As an example, we have used Slack as an external tool to showcase how to configure notification webhooks to send the threat events to external tools. Similarly, these notification webhooks can be used for integration with PagerDuty or other external tools.
Configure Notification Webhooks:
- Login into your tenant with admin privileges.
- Go to your profile and “switch to admin”.
- Go to Integrations -> Notification Webhooks and click on
Create Webhook to create a notification webhook.
- Provide a name for the notification webhook and contact details. Here we will show Slack integration via notification webhooks using cloud functions.
- Provide the external endpoint to receive the threat event. Here we will provide the cloud functions endpoint that will receive the threat event as payload. The cloud function contains code to process threat events into the required format for Slack and send the Slack alert.
- Choose the authentication type compatible with your external endpoint and provide the details.
- Add required headers under the custom headers section.
- Dead letters can be enabled to retry sending the threat event in case of failure to invoke the external endpoint.
- Click on
Next.
- Some predefined events can be enabled directly for notification.
- To send threat events, Click on
Add custom event.
- Provide a name and description for the event.
- Under Interests provide the
Event key property = event_type and Field value = threat to get all threat events via notification.
- Specific threat events can be filtered by adding more clauses.
- Click on
Add to create a filter for notification webhook.
- More events can be added to the same webhook by adding multiple custom events.
- Click on “Create” to create the notification webhook.
- At the right-hand top corner, you can find the option to test the connection to an external endpoint.
- Press on
Send Test to verify the connection to the external endpoint.
- The webhook creation is successful.
Creation of cloud function:
- The cloud functions can be created from here.
- Login to the IBM cloud or the above link using your IBM cloud credentials.
- To find cloud functions from the IBM cloud homepage, search
functions in the search bar.
- To create a new cloud function, click on
Start Creating button.
- Click on
Trigger to create a receive threat event payload.
- Click on
Custom Trigger to create a public endpoint to receive the threat event payload via HTTP request.
- Provide a Trigger name and description.
- The trigger is now created. The endpoints and sample curl request can be found under the Endpoints section.
- To enable sending alerts to Slack, go to connected actions and click on
Add.
- To create a new Action, select
Create New tab and provide the action name and Runtime. Here we will select Python as our runtime. Then click on Create & Add. If you have already created an action, you can select the action under Select Existing tab.
- Click on the created action and write code to send alerts to Slack. A sample code is provided here for reference.
import sys
import requests
import json
def main(dict):
print(dict)
if "test" in dict:
slack_payload = {"text":str(dict)}
else:
slack_payload = {"text":"Alert from notification webhook",
"blocks":[
{
"type": "header",
"text": {
"type": "plain_text",
"text": f"{dict['data']['rule_name']}"
}
},
{
"type": "divider"
},
{
"type": "context",
"elements": [
{
"type": "mrkdwn",
"text": "*" + dict['data']['summary'].replace('[', '`[', 1) + "`*"
}
]
},
{
"type": "section",
"fields": [
{
"type": "mrkdwn",
"text": "*Start Time:* " + "`" + dict['data']['start_time'] + "`"
},
{
"type": "mrkdwn",
"text": "*End Time:* " + "`" + dict['data']['end_time'] + "`"
},
{
"type": "mrkdwn",
"text": "*Anomalous Event Count*: " + str(dict['data']['anomalous_event_count'])
},
{
"type": "mrkdwn",
"text": "*Severity*: " + dict['data']['severity']
}
]
},
{
"type": "divider"
},
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "*Alert Details:*\n"
},
"fields": [
{
"type": "mrkdwn",
"text": "*Top 5 tenants:*\n" + "```" + str(dict['tenantname']) + "```"
}
]
},
{
"type": "divider"
}
]
}
url = "<Provide Slack Webhook URL>"
headers = {"Content-type": "application/json"}
payload = {"text": "Received this message from cloud functions"}
response = requests.request('POST', url,headers = headers, data=json.dumps(slack_payload))
print(response.status_code, response.text)
if response.status_code == 200:
return {"message":"Succefully sent the alert to slack"}
return json.dumps({"status_code": 200, "message": "Received this message from cloud functions"})
- The cloud function activation logs can be found under
Activation Dashboard of cloud functions main page.
- The cloud function endpoint is now ready to receive HTTP requests from notification webhooks and can send alerts to Slack.
- The sample slack alert will look similar to the image below whenever threat events are generated.
- Similarly, python code can be written for sending threat events to PagerDuty or any other tool.
- For more information regarding cloud functions, refer to the documentation page here.
Authors:
- M Krishnakant Achary - IBM Security Verify Analytics
- Nagesh Bhagwat – IBM Security Verify Analytics
- Priti Patil – IBM Security Verify Analytics