Send Deep Security events to Slack via Amazon SNS and AWS Lambda
# Written in Python 3.x
# in AWS Lambda, set:
# - the runtime to Python 3.x
# - the handler to: lambda_function.lambda_handler
# - the function needs no AWS API permissions beyond writing CloudWatch Logs; it only
#   reads the incoming SNS records and calls the Slack webhook
# in Deep Security, output the events to a valid SNS topic
# - more at https://help.deepsecurity.trendmicro.com/sns.html?Highlight=sns
# connect the AWS Lambda function to the SNS topic via a trigger
# - more at https://help.deepsecurity.trendmicro.com/sns.html?Highlight=sns
# - or do it via the AWS Lambda Management Console on the web (much, much simpler)
# - restrict who may publish to that SNS topic: anything published to it is forwarded to Slack
#
# *** Remember to change line #19 (the slack_url assignment in update_ops) to your Slack webhook URL.
#     The webhook URL is a credential - anyone who holds it can post to the channel - so keep it out
#     of source control and public gists (a Lambda environment variable or a secrets store is safer).
# - more at https://api.slack.com/messaging/webhooks
import json
import os
import urllib.request
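def update_ops(message):
    """
    Post ``message`` to a Slack channel through an incoming webhook.

    The webhook URL is taken from the ``SLACK_WEBHOOK_URL`` environment
    variable (set it in the Lambda function's configuration) and falls back
    to the placeholder below so the original edit-in-place workflow still
    works. Treat the URL as a credential: whoever holds it can post to the
    channel, so it must not live in source control.

    Args:
        message: the text to post. It is sent verbatim as Slack's ``text``
            field, so callers must escape ``&``, ``<`` and ``>`` in any
            content they do not control before passing it in.

    Returns:
        True when Slack answered with an HTTP 2xx status, False otherwise
        (non-https URL, network/timeout error, or a non-2xx response).
    """
    slack_url = os.environ.get(
        "SLACK_WEBHOOK_URL",
        "https://hooks.slack.com/services/YOUR_SLACK_WEBHOOK",
    )
    # The secret is the URL path itself; refuse to send it over plaintext HTTP.
    if not slack_url.startswith("https://"):
        print("Slack webhook URL must use https; message not sent")
        return False

    slack_message = {
        'username': 'Deep Security',
        'icon_url': 'http://www.trendmicro.com/aws/wp-content/uploads/2016/04/trend-micro-tball.png',
        'text': message,
    }
    headers = {'Content-type': 'application/json'}
    body = json.dumps(slack_message).encode("utf-8")
    request = urllib.request.Request(slack_url, data=body, headers=headers)
    try:
        # Lambda's default timeout is only a few seconds; never block on Slack
        # indefinitely. urlopen raises HTTPError (an OSError) for non-2xx replies.
        with urllib.request.urlopen(request, timeout=10) as response:
            status = response.status
            print(response.read())
    except (OSError, ValueError) as err:
        # Log the failure only - never the webhook URL.
        print("Could not post to Slack: {}".format(err))
        return False
    # The previous version returned None here, so every send was reported as failed.
    return 200 <= status < 300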
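# Human-readable label per Deep Security event type; keys are the values
# Deep Security places in an event's ``EventType`` field (see the
# "JSON SNS Configuration" examples in the Deep Security help:
# https://help.deepsecurity.trendmicro.com/Events-Alerts/json-event-examples.html?Highlight=json).
# ``PayloadLog`` is also a valid type but carried no label originally, so it is omitted.
# NOTE(review): labels are carried over unchanged. Deep Security's JSON examples
# appear to use PacketLog for firewall events and PayloadLog for intrusion
# prevention - confirm against the linked docs before relying on the wording.
_EVENT_LABELS = {
    'SystemEvent': "This is a system level event",
    'PacketLog': "Intrusion prevention event",
    'AntiMalwareEvent': "Anti-malware event",
    'WebReputationEvent': "Web reputation event",
    'IntegrityEvent': "Integrity monitoring event",
    'LogInspectionEvent': "Log inspection event",
}


def _slack_escape(text):
    """
    Neutralise Slack's control sequences in event-supplied text.

    Slack parses the webhook ``text`` field: ``<!channel>``, ``<@U...>`` and
    ``<url|label>`` are interpreted, so any field taken from the incoming
    event must have ``&``, ``<`` and ``>`` escaped before interpolation
    (the three replacements Slack documents for message text).
    """
    return (str(text)
            .replace("&", "&amp;")
            .replace("<", "&lt;")
            .replace(">", "&gt;"))


def _format_event(deep_security_event):
    """
    Build the Slack text for one Deep Security event.

    Only ``EventType`` is read; it is escaped before interpolation so a
    crafted value cannot inject Slack markup. A non-dict event, or one with
    no ``EventType``, yields the type ``None`` instead of raising, so one
    malformed event does not abort the whole batch.
    """
    event_type = None
    if isinstance(deep_security_event, dict):
        event_type = deep_security_event.get('EventType')
    message = "There is a security event of type {}.".format(_slack_escape(event_type))
    label = _EVENT_LABELS.get(event_type) if isinstance(event_type, str) else None
    if label:
        message += "\n" + label
    return message


def lambda_handler(event, content):
    """
    Lambda entry point: forward each Deep Security event in an SNS
    notification to Slack.

    Args:
        event: the Lambda event. Expected shape is the SNS notification
            ``{"Records": [{"Sns": {"Message": "<json>"}}, ...]}`` where
            ``Message`` is the JSON Deep Security published: a list of event
            dicts (a single dict is tolerated too), each with an ``EventType``.
        content: the Lambda context object; unused.

    Returns:
        ``{'statusCode': 200 | 500, 'message': str}``. 200 only when at
        least one event was sent and nothing failed, 500 otherwise; every
        record and event appends a line to ``message``.

    Only the escaped ``EventType`` is forwarded to Slack; no other event
    field reaches the channel.
    """
    result = {'statusCode': 500, 'message': ""}

    if not isinstance(event, dict):
        # Not a valid event
        result['message'] = "Invalid event passed to the Lambda function"
        print(result)
        return result

    records = event.get('Records')
    if not records or not isinstance(records, list):
        # Also covers an empty dict, which previously returned an empty message
        result['message'] = 'Event contains 0 records'
        print(result)
        return result

    sent = 0
    failed = 0
    for record in records:
        print("Processing a record...")
        sns = record.get('Sns') if isinstance(record, dict) else None
        if not isinstance(sns, dict) or 'Message' not in sns:
            failed += 1
            result['message'] += 'Record is NOT an SNS message. Stopping processing\n'
            continue
        print("Record is an SNS message")

        try:
            deep_security_events = json.loads(sns['Message'])
            print("Records converted and ready for processing")
        except (TypeError, ValueError) as err:
            # json.JSONDecodeError is a ValueError; TypeError covers a non-string Message
            failed += 1
            result['message'] += "Could not convert the SNS message from JSON to a dict\n{}\n".format(err)
            continue

        # Deep Security publishes a JSON list of events; accept a lone object as well
        if isinstance(deep_security_events, dict):
            deep_security_events = [deep_security_events]
        if not isinstance(deep_security_events, list):
            failed += 1
            result['message'] += 'SNS message is not a list of events\n'
            continue

        for i, deep_security_event in enumerate(deep_security_events):
            if update_ops(_format_event(deep_security_event)):
                sent += 1
                result['message'] += 'Message #{} sent to Slack\n'.format(i)
            else:
                failed += 1
                result['message'] += 'Could not send message #{} to Slack\n'.format(i)

    # 200 means everything went out; previously the status was whatever the last send did
    result['statusCode'] = 200 if sent and not failed else 500
    print(result)
    return result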
This is just a simple skeleton. Lines 74–85 — the `if`/`elif` chain on `EventType` inside `lambda_handler` — are where you build out the message you want to appear in Slack, depending on the type of event Deep Security generated.