Webhooks for LogRhythm

Steps

1. Add a webhook to your Slack team.

2. Create an AIE alarm with fields that you want to pass to your webhook.

3. Create a PowerShell script accepting the fields as parameters:

### Define these variables in actions.xml when creating the SmartResponse plugin
param(
[string]$AlarmId,
[string]$AlarmRuleName,
[string]$AlarmDate,
[string]$MessageClass
)

<### Update these ###>
#Location of Send-SlackMessage.ps1 - https://github.com/jgigler/Powershell.Slack
$ref = "PATH_TO_FILE/Send-SlackMessage.ps1"

#Your Slack Webhook URL
$WebhookURL = "https://hooks.slack.com/services/XXXXXXXXXXXXXXXXX"

#Your LR Web Console URL
$Url = "https://YOUR_SMARTCONSOLE_LINK/alarms/" + $AlarmId
<####################>

#Set webhook payload
$MyFields = @(
    @{
        title = $AlarmRuleName
        value = "<"+$Url+"|Alarm Link>"
        short = 'true'
    }
    @{
        title = "Classification"
        value = $MessageClass
        short = 'true'
    }
)

#Send Webhook
. $ref
$notification = New-SlackRichNotification -Fallback $AlarmRuleName -AuthorName $AlarmDate -Fields $MyFields
Send-SlackNotification -Url $WebhookURL -Notification $notification
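As an added example that is not part of the original post, here is a self-contained variant of the script above: it posts directly with Invoke-RestMethod so the third-party module is not needed, checks that AlarmId is numeric and escapes the alarm fields before they enter Slack markup. The webhook and console URLs are placeholders you must replace.

```powershell
# Added example, not the post's basic.ps1: builds the Slack attachment itself and
# escapes alarm fields so a rule name or classification copied from log data
# cannot inject Slack link or mention markup into the notification.
param(
    [Parameter(Mandatory = $true)][string]$AlarmId,
    [Parameter(Mandatory = $true)][string]$AlarmRuleName,
    [Parameter(Mandatory = $true)][string]$AlarmDate,
    [string]$MessageClass = "Unclassified"
)

# Placeholder values; replace with your own webhook and Web Console address.
$WebhookURL  = "https://hooks.slack.com/services/XXXXXXXXXXXXXXXXX"
$ConsoleBase = "https://YOUR_SMARTCONSOLE_LINK/alarms/"

# Slack treats &, < and > as markup; escape them in every field taken from the alarm.
function ConvertTo-SlackSafeText([string]$Text) {
    return $Text.Replace('&', '&amp;').Replace('<', '&lt;').Replace('>', '&gt;')
}

# AlarmId is expected to be numeric; refuse anything else rather than build an odd URL.
if ($AlarmId -notmatch '^\d+$') {
    throw "AlarmId must be numeric, got '$AlarmId'"
}
$Url = $ConsoleBase + $AlarmId

# Same layout as the post's notification: fallback, author_name and two short fields.
$payload = @{
    attachments = @(
        @{
            fallback    = ConvertTo-SlackSafeText $AlarmRuleName
            author_name = ConvertTo-SlackSafeText $AlarmDate
            fields      = @(
                @{ title = ConvertTo-SlackSafeText $AlarmRuleName; value = "<$Url|Alarm Link>"; short = $true }
                @{ title = "Classification"; value = ConvertTo-SlackSafeText $MessageClass; short = $true }
            )
        }
    )
}

# Default -Depth (2) would flatten the nested fields array; 5 covers this structure.
$json = $payload | ConvertTo-Json -Depth 5
Invoke-RestMethod -Uri $WebhookURL -Method Post -ContentType 'application/json' -Body $json
```

The actions.xml from step 4 works unchanged with this script, since the parameters are declared in the same positional order.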

4. Create the actions.xml manifest with the same parameters/fields:

<?xml version="1.0" encoding="utf-8"?>
<remv1:Remediation-Plugin xmlns:remv1="RemediationVersion1.xsd" Name="Slack Webhook - Basic Info">
  <remv1:Action Name="Send Webhook" Command="powershell.exe">
    <remv1:ConstantParameter Name="Script" Switch="-file PATH_TO_FILE/basic.ps1" Order="1" />
    <remv1:StringParameter Name="AlarmId" Switch="" Order="2"> <remv1:DefaultInput> <remv1:AlarmId /> </remv1:DefaultInput> </remv1:StringParameter>
    <remv1:StringParameter Name="AlarmRuleName" Switch="" Order="3"> <remv1:DefaultInput> <remv1:AlarmRuleName /> </remv1:DefaultInput> </remv1:StringParameter>
    <remv1:StringParameter Name="MessageClass" Switch="" Order="Unsorted"> <remv1:DefaultInput> <remv1:MessageClass /> </remv1:DefaultInput> </remv1:StringParameter>
    <remv1:StringParameter Name="AlarmDate" Switch="" Order="4"> <remv1:DefaultInput> <remv1:AlarmDate> <remv1:TimeFormat TimeZone="Eastern Standard Time" FormattingString="MMMM dd, yyyy" /> </remv1:AlarmDate> </remv1:DefaultInput> </remv1:StringParameter>
  </remv1:Action>
</remv1:Remediation-Plugin>

5. Create your SmartResponse Plugin using the PowerShell script and manifest.

6. Set your SmartResponse as an action to your AIE alarm, mapping the correct parameters.

7. Trigger the alarm to test the webhook.

Examples
