Securitybot is an open-source implementation of a distributed alerting chat bot, as described in Ryan Huber’s blog post . Distributed alerting improves the monitoring efficiency of your security team and can help you catch security incidents faster and more efficiently. It should be relatively easy to install the listed requirements in a virtualenv/Docker container and simply have the bot do its thing. Dropbox also provide a simple front end to dive through the database, receive API calls, and create custom alerts for the bot to reach out to people as desired.
Securitybot was designed to be as modular as possible. This means that it’s possible to easily swap out chat systems, 2FA providers, and alerting data sources. The only system that is tightly integrated with the bot is SQL, but adding support for other databases shouldn’t be difficult. Having a database allows alerts to be persistent and means that the bot doesn’t lose (too much) state if there’s some transient failure.
The bot itself performs a small set of functions:
Messaging, 2FA, and alert management are provided by configurable modules, and added to the bot upon initialization.
Securitybot is designed to be compatible with a wide variety of messaging systems. We currently provide bindings for Slack, but feel free to contribute any other plugins, like for Gitter or Zulip, upstream. Messaging is made possible by
securitybot/chat/chat.py which provides a small number of functions for querying users in a messaging group, messaging those users, and sending messages to a specific channel/room. To add bindings for a new messaging system, subclass
You’ll need a database called
securitybot on some MySQL server somewhere. A function called
init_sql is provided and located in
securitybot/sql.py that will initialize SQL. Currently it’s set up to use the host
localhost with user
root and no password. You’ll need to change this because of course that’s not how your database is set up.
You’ll need a token to be able to integrate with Slack. The best thing to do would be to create a bot user and use that token for Securitybot. You’ll also want to set up a channel to which the bot will report when users specify that they haven’t performed an action. Find the unique ID for that channel (it’ll look similar to
C123456 ) and be sure to invite the bot user into that channel, otherwise it won’t be able to send messages.
For Duo, you’ll want to create an Auth API instances, name it something clever, and keep track of the integration key, secret key, and auth API endpoint URI.
Take a look at the provided
main.py in the root directory for an example on how to use all of these. Replace all of the global variables with whatever you found above. If the following were all generated successfully, Securitybot should be up and running. To test it, message the bot user it’s assigned to and say
hi . To test the process of dealing with an alert, message
test to test the bot.