A Python-based Slack app that automates the delivery of security alerts generated in Splunk to the relevant team members within a Slack workspace.
m-wentz/sentry

███████╗███████╗███╗   ██╗████████╗██████╗ ██╗   ██╗
██╔════╝██╔════╝████╗  ██║╚══██╔══╝██╔══██╗╚██╗ ██╔╝
███████╗█████╗  ██╔██╗ ██║   ██║   ██████╔╝ ╚████╔╝ 
╚════██║██╔══╝  ██║╚██╗██║   ██║   ██╔══██╗  ╚██╔╝  
███████║███████╗██║ ╚████║   ██║   ██║  ██║   ██║   
╚══════╝╚══════╝╚═╝  ╚═══╝   ╚═╝   ╚═╝  ╚═╝   ╚═╝   
  ---
  automate employee alerting and interactions
  
License: MIT

A Python-based Slack app that automates the delivery of security alerts generated in Splunk to the relevant team members within a Slack workspace. It also integrates with SolarWinds ServiceDesk to update incidents automatically. Tailored for security teams, this bot, with its current alerting capabilities, aims to improve response times and reduce manual workload by automating notifications and interactions for unauthorized document downloads.

Prerequisites

  • Python 3.x
  • pip (Python package manager)

Installation

  1. Clone This Repository:
    git clone https://github.com/m-wentz/sentry
  2. Navigate to the App Directory:
    cd sentry
  3. Install Required Packages:
    pip install -r requirements.txt

Configuration

Disclaimer: This application uses specific key-value pairs based on our unique alerting setup in Splunk. When configuring this app for your use, you will need to adjust these key-value pairs to align with the alerts generated by your Splunk instance. Consider this project as a flexible template, designed to inspire and facilitate modifications to meet your specific security alerting needs.

To configure the application, you'll need to set up various environment variables that the app uses to operate. These variables include details about your organization, the Flask server settings, and credentials for Slack and ServiceDesk integrations. Follow these steps to configure your environment:

  1. Rename the .env.example File:
    • Rename the provided .env.example file to .env.
    • This file will store your configuration settings.
  2. Organization's Name:
    • ORG_NAME: Enter the name of your organization. Used in application context.
    • Example: ORG_NAME=MyCompany
  3. Flask Server Configuration:
    • FLASK_HOST: Set the host IP address for the Flask server. Use 127.0.0.1 for localhost, or 0.0.0.0 to make the server publicly available.
    • FLASK_PORT: Enter the port number for the Flask server. The default Flask port is 5000.
    • Example:
      FLASK_HOST=127.0.0.1
      FLASK_PORT=5000
  4. SSL Certificate and Key:
    • SSL_CERT_PATH: Provide the path to your SSL certificate file for HTTPS connections.
    • SSL_KEY_PATH: Provide the path to your SSL private key file.
    • Ensure you have a valid SSL certificate for secure connections.
    • Example:
      SSL_CERT_PATH=path/to/certificate.crt
      SSL_KEY_PATH=path/to/private.key
  5. Slack Integration:
    • SLACK_TOKEN: Enter your Slack API token for integrating with Slack services.
    • Format: xoxb-XXXXXXXXXXXX-TTTTTTTTTTTTTT
    • OAuth Scopes: Your Slack app will need the following OAuth scopes enabled:
      • channels:history: To view messages and other content in public channels that the app has been added to.
      • chat:write: To send messages as the app.
      • im:history: To view messages and other content in direct messages that the app has been added to.
      • users:read: To view people in a workspace.
      • users:read.email: To view email addresses of people in a workspace.
    • Interactivity: Interactivity must be enabled for your Slack app to receive and respond to interactive events. You will need to provide a valid public Request URL that your Flask application can handle.
  6. ServiceDesk Integration:
    • SD_TOKEN: Enter the token for authenticating with the ServiceDesk API.
    • Format: "Bearer <your_service_desk_token>"
    • SD_URL: Set the base URL for the ServiceDesk API endpoints.
    • SD_UID: Enter the user ID of the ServiceDesk user that updates the incident.
    • Example:
      SD_TOKEN=Bearer your_service_desk_token
      SD_URL=https://api.samanage.com/incidents
      SD_UID=12345678
  7. Slack Channel for Feed:
    • FEED_CH: Enter the Channel ID for the feed in Slack.
    • Example: FEED_CH=I7JQLKNXYBR
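As an added example (not code from the sentry project), the following script parses a .env file in the format the steps above describe and fails fast on the mistakes that are easy to make when filling it in: a missing variable, a SLACK_TOKEN that is not a bot token, an SD_TOKEN without the "Bearer " prefix, a non-https SD_URL, or an out-of-range port. The list of required variable names, the sample .env contents and the error/warning split are assumptions made for this example; the values mirror the README's own examples, with a placeholder Slack token.

```python
"""Added example, not part of the sentry project: parse a .env file and
validate the variables the README's Configuration section lists before
the app starts, rather than discovering a bad value at the first alert."""
import re
from typing import Dict, List

# Variable names taken from the README; the requirement that all of them be
# present is an assumption of this example.
REQUIRED = ["ORG_NAME", "FLASK_HOST", "FLASK_PORT", "SSL_CERT_PATH",
            "SSL_KEY_PATH", "SLACK_TOKEN", "SD_TOKEN", "SD_URL", "SD_UID", "FEED_CH"]

# Constructed sample .env; values mirror the README examples, token is a placeholder.
SAMPLE_ENV = """\
# sentry configuration (constructed sample)
ORG_NAME=MyCompany
FLASK_HOST=127.0.0.1
FLASK_PORT=5000
SSL_CERT_PATH=path/to/certificate.crt
SSL_KEY_PATH=path/to/private.key
SLACK_TOKEN=xoxb-000000000000-00000000000000-PLACEHOLDER
SD_TOKEN="Bearer your_service_desk_token"
SD_URL=https://api.samanage.com/incidents
SD_UID=12345678
FEED_CH=I7JQLKNXYBR
"""


def parse_dotenv(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines. Blank lines and '#' comments are skipped and one
    layer of matching surrounding quotes is removed from the value."""
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed .env line: {raw!r}")
        key, value = line.split("=", 1)
        key, value = key.strip(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key] = value
    return env


def validate_config(env: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {'errors': [...], 'warnings': [...]}; the app should refuse to
    start on any error and log the warnings."""
    errors: List[str] = []
    warnings: List[str] = []
    for key in REQUIRED:
        if not env.get(key):
            errors.append(f"{key} is missing or empty")
    # Bot-token format from the README: xoxb-<digits>-<digits>-...
    if env.get("SLACK_TOKEN") and not re.fullmatch(r"xoxb-[A-Za-z0-9-]+", env["SLACK_TOKEN"]):
        errors.append("SLACK_TOKEN does not look like a bot token (xoxb-...)")
    if env.get("SD_TOKEN") and not env["SD_TOKEN"].startswith("Bearer "):
        errors.append('SD_TOKEN must have the form "Bearer <token>"')
    if env.get("SD_URL") and not env["SD_URL"].startswith("https://"):
        errors.append("SD_URL must use https:// so the bearer token is not sent in clear")
    port = env.get("FLASK_PORT", "")
    if port and not (port.isdigit() and 1 <= int(port) <= 65535):
        errors.append("FLASK_PORT must be an integer between 1 and 65535")
    # The README notes that 0.0.0.0 exposes the server on every interface.
    if env.get("FLASK_HOST") == "0.0.0.0":
        warnings.append("FLASK_HOST=0.0.0.0 binds all interfaces; confirm this is intended")
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    config = parse_dotenv(SAMPLE_ENV)
    report = validate_config(config)
    for level in ("errors", "warnings"):
        for msg in report[level]:
            print(f"{level[:-1]}: {msg}")
    print("config ok" if not report["errors"] else "config rejected")
```

In the real app this check belongs at the top of run.py, before the Flask server binds, so that a half-filled .env stops the process instead of producing alerts that silently fail to reach Slack or ServiceDesk.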

Usage

After you have installed and configured the application, you can begin using it by following these steps:

1. Starting the Flask Web Server:

python run.py

Ensure you are in the root directory of the project when you execute this command. The server should start, and you'll see output indicating that it's running on the configured host and port.

2. Testing the Web Server:

Testing the web server is important to ensure it's correctly receiving and processing the alerts from Splunk. You can simulate a Splunk POST request using curl or Postman.

  • Using curl: Execute a command similar to the following, replacing the URL and JSON data with the appropriate values for your setup:
    curl -X POST http://127.0.0.1:5000/alert -H 'Content-Type: application/json' -d '{"key1": "value1", "key2": "value2"}'
  • Using Postman: Set up a new POST request with the web server's URL and the necessary headers and body to mimic the Splunk alert.

After successfully sending the simulated request, verify that the Flask server processes it correctly and performs the expected actions, such as posting a message to Slack or updating an incident in SolarWinds ServiceDesk.
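The exchange described above, as an added example that is not part of the sentry project: a minimal stand-in for the /alert endpoint (standard-library HTTP server instead of Flask, so it runs with no dependencies) and a client that posts a simulated Splunk alert the same way the curl command does. The receiver checks the Content-Type, rejects bodies that are not JSON objects, and reports missing fields with a 400 instead of crashing. The required field names, the message text and the summary of actions are assumptions made for this example; as the Configuration section notes, the real keys depend on your own Splunk alert.

```python
"""Added example, not part of the sentry project: a framework-free stand-in
for the /alert endpoint plus a client that simulates the Splunk webhook, so
the request/response exchange can be exercised offline."""
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import error, request

# Constructed for this example; the real app's keys follow your Splunk alert.
REQUIRED_FIELDS = ("search_name", "user", "document")


def process_alert(payload: object) -> dict:
    """Validate the alert body and return a summary of what the app would do
    (in the real app: post to the Slack feed channel, update ServiceDesk)."""
    if not isinstance(payload, dict):
        raise ValueError("alert body must be a JSON object")
    missing = [f for f in REQUIRED_FIELDS if f not in payload]
    if missing:
        raise ValueError("missing fields: " + ", ".join(missing))
    return {
        "status": "accepted",
        "slack_message": f"[{payload['search_name']}] {payload['user']} downloaded {payload['document']}",
        "actions": ["post_to_slack", "update_servicedesk"],
    }


class AlertHandler(BaseHTTPRequestHandler):
    """Accepts POST /alert with a JSON body, as the curl example sends it."""

    def do_POST(self) -> None:
        if self.path != "/alert":
            return self._reply(404, {"error": "not found"})
        if not self.headers.get("Content-Type", "").startswith("application/json"):
            return self._reply(415, {"error": "expected application/json"})
        length = int(self.headers.get("Content-Length", "0"))
        try:
            body = json.loads(self.rfile.read(length))
            result = process_alert(body)
        except ValueError as exc:  # json.JSONDecodeError is a ValueError
            return self._reply(400, {"error": str(exc)})
        self._reply(200, result)

    def _reply(self, code: int, obj: dict) -> None:
        data = json.dumps(obj).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args) -> None:  # keep the example's output quiet
        pass


def start_server() -> HTTPServer:
    """Bind an ephemeral loopback port and serve from a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), AlertHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def send_alert(url: str, payload: dict) -> tuple:
    """POST the payload as Splunk (or the README's curl command) would and
    return (status_code, decoded JSON body), also for 4xx responses."""
    req = request.Request(url, data=json.dumps(payload).encode(),
                          headers={"Content-Type": "application/json"}, method="POST")
    try:
        with request.urlopen(req, timeout=5) as resp:
            return resp.status, json.loads(resp.read())
    except error.HTTPError as exc:
        return exc.code, json.loads(exc.read())


if __name__ == "__main__":
    server = start_server()
    alert_url = f"http://127.0.0.1:{server.server_port}/alert"
    print(send_alert(alert_url, {"search_name": "Unauthorized download",
                                 "user": "jdoe", "document": "Q3-roadmap.pdf"}))
    print(send_alert(alert_url, {"search_name": "Unauthorized download"}))
    server.shutdown()
```

Pointing send_alert at the real server's URL gives the same check as the curl command, with the added benefit that a 400 from a malformed test payload is distinguishable from a 200 whose downstream Slack or ServiceDesk call failed.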

Contributing

As a personal project, I am currently the sole contributor. While I appreciate interest in the project, I am not seeking external contributions at this time. However, feel free to fork the repository and experiment with your own ideas!

If you have any suggestions or feedback, you're welcome to open an issue on GitHub. I'm always interested in hearing how others are using the project or ways it might be improved for personal use cases.

Thank you for your interest and support!

