Sending USM Anywhere Notifications to Slack

Role Availability Read-Only Investigator Analyst Manager

From USM Anywhere, you can send an alarm or event notification to a Slack channel to alert team members. This facilitates communication and collaboration within the same messaging tool that your organization uses for incident response Incident response is a business process or plan dictating how an organization handles security incidents such as a security breach or attack.. When you have this integration configured in USM Anywhere, you can create orchestration rules to automatically send these notifications when an event Any traffic or data exchange detected by AT&T Cybersecurity products through a sensor or external devices such as a firewall. or alarm Alarms provide notification of an event or sequence of events that require attention or investigation. matches the rule criteria.

Edition: The Notification integrations are available in the Standard and Premium editions of USM Anywhere.

See the Affordable pricing to fit every budget page for more information about the features and support provided by each of the USM Anywhere editions.

Note: While the direct integration with USM Anywhere is the easiest and most straightforward way to send messages to your Slack team from USM Anywhere, you can use the Amazon Simple Notification Service (SNS) messaging service as an alternative.

In this case, you create the webhook in Slack and then set up the integration in the Lambda function that you created in Amazon Web Services (AWS) to support USM Anywhere messaging. See Sending Notifications Through Amazon SNS and Set Up a Slack Integration through Amazon SNS for more information.

Slack provides a mechanism to create incoming webhooks to post messages from external sources into Slack. They use normal HTTP requests with a JSON payload, which includes the message and some additional options. You must first create this webhook for your Slack team to configure the integration with USM Anywhere.

Important: To add an incoming webhook for the Slack team, you must be the team owner or be a team member where the owner has granted the permission to install apps and custom integrations to all team members. See Sending messages using Incoming Webhooks for more information.

To create the incoming webhook for Slack

  1. Log in to your Slack team and go to https://api.slack.com/incoming-webhooks.

  2. Review the information and click the Getting started with Incoming Webhooks link to open the page for a new configuration.

    Click the link to configure a new incoming webhook for your Slack channel

  3. Click the Create your Slack app button to create a Slack app if you don't have one already.

    The Create an app dialog box opens.

    Create a Slack App dialog box

  4. Click From scratch to create a Slack app if you don't have one already.

    The Create a Slack App dialog box opens.

    Create a Slack App dialog box

  5. Enter a name for the app.
  6. Choose a development Slack workspace you want to use for USM Anywhere notifications.

    7. If you do not already have a channel for this purpose, select the Sign into a different workspace option. You can create a new channel, for example, as either a public or private channel and invite the appropriate team members.

  7. Click Create App.

    The Basic Information page opens.

    The Slack Basic Information Dialog Box

  8. Click Incoming Webhooks.

    The Slack Incoming Webhooks page

  9. Click the off icon to activate the incoming webhooks.

    10. This turns the icon on and displays it as green.

  10. Choose the channel you want to use for USM Anywhere notifications.
  11. Click Request to Add New Webhook to send the request.

  12. When the request is approved, you can see the webhook URL.

    The Slack Webhook URL

  13. Copy the displayed Webhook URL.

After you have generated and copied the incoming webhook for your Slack team, you can configure the Slack connection in USM Anywhere. After this configuration is in place, any orchestration rules set up for Slack notification will send the triggered notification to the Slack team channel.

To configure the connection between USM Anywhere and the Slack channel

  1. In the USM Anywhere web user interface (UI), go to Settings > Notifications.
  2. In the left navigation panel, click Slack.

  3. In the Slack Webhook URL field, paste the webhook URL that you copied in the Slack API tool.

    Specify the Slack incoming webhook in USM Anywhere

  4. Click Save Credentials.

Create an orchestration rule to match new alarms or events and trigger a notification to the Slack channel. You can use an existing alarm or event with the desired characteristics to easily set the matching conditions for the rule.

To create an orchestration rule to trigger a Slack notification

  1. Go to Activity > Alarms or Activity > Events.
  2. Click the alarm or event to open the details.

  3. Click Create Rule and select Create Notification Rule.

    Create a notification rule from the alarm details

  4. You have already suggested property values to create a matching condition, but if you want to add new property values, click Add Condition.

    Note: If the field is related to the name of a country, you should use the country code defined by the ISO 3166.

    Note: The Sources or Destinations field needs to match the universally unique identifier (UUID) of the event or alarm. You can use the Source Name or Destination Name field instead.

    Important: Instead of using the equals and equals, case insensitive operators for array fields, AT&T Cybersecurity recommends the use of the in or contains operators.

    Note: If you need to add a property value that maps with a property key, you need to know the mapping of the field. See Determining the Mapping of a Field for more information.

  5. (Optional.) Click Add Group to group your conditions.

    Note: See Operators in the Orchestration Rules for more information.

    6. Note: The current rule box shows you the syntax of your rule, and the rule verification box reviews that syntax before saving the rule.

  6. Click Next.

    Rules Verifications Dialog Box

    Important: A dialog box opens if there are warning messages. Click Cancel to review the warning messages, or click Accept to continue creating the rule.

  7. Enter a name for the rule.
  8. (Optional.) Enter a description for identifying this rule.
  9. For Notification Method, select the Slack option.

  10. Enter the Slack Alert Username.

    The username must be a valid team member for the Slack channel.

    Set options to launch the Slack notification for the orchestration rule

  11. Modify these two options:

    • Occurrences: Specify the number of event occurrences that produce a match on the conditional expression to trigger the rule. You can enter the number of occurrences or use the arrow to scroll the value up or down. You need to enter a number between 1 and 100.

    • Length: Specify the length of the timespan used to identify a match for multiple occurrences. Enter the number and choose a value of seconds, minutes, or hours.

      This duration identifies the amount of time that transpires from the beginning to the end of the occurrence. If the number of occurrences is not met within this period, the rule is not a match.

      Specify multiple occurances to match for the rule

      In this example, the rule applies when the configured conditions happen five times every three hours.

    These two options function together to specify the number of occurrences within a time period that will produce a match for the rule. For example, you can define a rule to trigger an alarm Alarms provide notification of an event or sequence of events that require attention or investigation. for an unauthorized access An incident-type categorization that may be a precursor to other actions or stages of an attack. attempt when a failed SSH Program to securely log into another computer over a network, execute commands in a remote machine, and move files from one machine to another through Secure Copy (SCP). login Log in (verb): Process in which an individual gains access to a computer system after providing sufficient credentials to authenticate their unique identity. Login (noun): User credentials, typically a username and matching password. occurs three times within a five-minute window.

  12. Click Save.

    The created rule displays in the list of rules. You can see it from Settings > Rules > Orchestration Rules. See Orchestration Rules for more information.

    13. Important: It takes a few minutes for an orchestration rule to become active.

If you prefer to use Amazon SNS to forward notifications to your Slack channel, you can add the webhook that you created to the Lambda function in your AWS account.

Important: For this integration type, you do not add the Slack webhook in USM Anywhere. When you create the orchestration rule, you select the Amazon SNS notification method.

Before you can complete this integration, you must have an SNS topic and a Lambda function for USM Anywhere notifications set up in your AWS account (see Set Up an Amazon SNS Topic) and a Slack incoming webhook (see Create the Slack Webhook).

To integrate the Slack webhook with the USM Anywhere through Amazon SNS

  1. In the Lambda function code, paste this code and replace [INSERT_WEBHOOK_URL] with the Slack webhook URL.

  2. Use the default Role setting (Create a new role from templates) and specify the Role name as lambda_basic_execution.

    Set the role and timeout settings for handling USM Anywhere notifications

  3. Expand the Advanced settings and set the Timeout to 10 seconds.
  4. Click Next.
  5. Click Create function.

To check the integration with Slack

  1. Go to your Lambda function, click Monitoring, and verify the Invocation Count graph data.
  2. Check your Slack channel for notifications.