2cab1e3c70
Improve Makefile |
||
|---|---|---|
| cloudformation | ||
| docs | ||
| LICENSE | ||
| README.md | ||
README.md
MozDef-Triage-Bot
A Slack bot that facilitates triaging MozDef alerts by automating outreach to Mozillians
slack-triage-bot-api
Deployment
To deploy the slack-triage-bot-api into AWS
- create the IAM user that MozDef will use to interact with the Lambda function
and SQS queue
make deploy-mozdef-slack-triage-bot-user - determine the Slack Client Secret
- This can be done by going to the Slack App's configuration (at a URL like
https://api.slack.com/apps/ABCDE123AB/general). - Navigate to https://api.slack.com/apps
- Click your app to get to the confiruation page
- Find the
Client Secretin theApp Credentialssection
- This can be done by going to the Slack App's configuration (at a URL like
- Run the make command for the environment you want
DEV_SLACK_CLIENT_SECRET=0123456789abcdef0123456789abcdef make deploy-mozdef-slack-triage-bot-api
or
DEV_SLACK_CLIENT_SECRET=0123456789abcdef0123456789abcdef make deploy-mozdef-slack-triage-bot-api-dev
depending on the account
Testing
You can test invoking the function by passing the email address of the user you want to send a message to and calling
EMAIL_ADDRESS=user@example.com make test-mozdef-slack-triage-bot-api-invoke
which will pass
{
"identifier":"9Zo02m4B7gIfixq3c4Xh",
"alert":"duo_bypass_codes_generated",
"identityConfidence":"lowest",
"summary":"DUO bypass codes have been generated for your account. ",
"user":"user@example.com"
}
to the API which will return the JSON response from Slack of the message that was sent to the user.
You can also test the API Gateway interface by running
make test-mozdef-slack-triage-bot-api-http
which will hit the /test API endpoint and get back a 200 API request received
You can also visit the /error endpoint to get a 400 or any other endpoint to get a 404
Discovering the SQS URL containing user responses
To discover the URL of the SQS queue into which user responses are sent, call
make discover-sqs-queue-url
which will return a value like
{"result": "https://sqs.us-west-2.amazonaws.com/012345678901/MozDefSlackTriageBotAPI-SlackTriageBotMozDefQueue-ABCDEFGHIJKL"}
Discovering the Lambda function name
Call the lambda:ListFunctions API and filter the results based on the name. You can see an example of this by running the make command
make discover-lambda-function-name
which will return a value like MozDefSlackTriageBotAPI-SlackTriageBotApiFunction-1N9KLDX1926F3
Fetching User API Keys
You can fetch the User API keys from the CloudFormation outputs
make show-user-credentials
Integrating MozDef and the MozDef-Triage-Bot
The CloudFormation templates in this repo provision an AWS IAM user as well as the SQS queue which MozDef receives messages from.
To integrate MozDef with the bot
- Deploy the
slack-triage-bot-user.yamlCloudFormation template - Deploy the
slack-triage-bot-api.yamlCloudFormation template - Gather the 3 sets of information you'll need to put into the
MozDef-deployAnsible repo to configure MozDef- The API keys
- either look at the stack outputs in the user stack or run
make show-user-credentials
- either look at the stack outputs in the user stack or run
- The SQS Queue name, AWS region and AWS account ID
- either look at the stack outputs in the api stack or run
make discover-sqs-queue-url
- either look at the stack outputs in the api stack or run
- The Lambda function name
- either look at the stack outputs in the api stack or run
make discover-lambda-function-name
- either look at the stack outputs in the api stack or run
- The API keys
The API keys will grant MozDef permission to both invoke the lambda function as well as receive messages from the SQS queue
Slack
Configuring in Slack
- Interactive Components
- Interactivity
- Request URL
https://example.com/slack/interactive-endpoint
- Request URL
- Select Menus
- Options Load URL
https://example.com/slack/options-load-endpoint
- Options Load URL
- Interactivity
- OAuth & Permissions
- OAuth Tokens & Redirect URLs
- Redirect URLs
https://example.com/redirect_uri
- Redirect URLs
- Scopes
- Bot Token Scopes
users:read.email: https://api.slack.com/methods/users.lookupByEmailusers:read: This is required because of users:read.emailim:write: https://api.slack.com/methods/conversations.openchat:write: https://api.slack.com/methods/chat.postMessage
- Bot Token Scopes
- OAuth Tokens & Redirect URLs
- Install app