Properly logging and retaining your security access logs is always important, and Dome9 logs are no exception. Through our SNS integration, customers can already take Dome9 events and push them into the log management or SIEM tool of their choice. Sometimes, though, instead of only pushing to a SIEM you also want the events in Slack for quick, real-time visibility. This is exactly what one of our customers asked for, so I thought I'd share the process with you.
Because Dome9 already publishes its events to SNS, forwarding them to Slack only takes a small Lambda function subscribed to that topic. What follows is a slightly modified and expanded version of the instructions that ship with the AWS cloudwatch-to-lambda blueprint.
Enable Dome9 to push events to SNS
Steps here: https://dome9-security.atlassian.net/wiki/display/DG/Dome9+SNS+Events+Integration+-+How+to
From here we need to set up Slack to accept the incoming webhook calls from Lambda, and then create the function that pushes the messages.
Set up the webhook on Slack:
- Navigate to https://<your-team-domain>.slack.com/services/new
- Search for and select “Incoming WebHooks”.
- Choose the default channel where messages will be sent and click “Add Incoming WebHooks Integration”.
- Copy the webhook URL from the setup instructions and use it in the next section. Anyone who has that URL can post into your channel, so treat it like a credential and keep it out of source control.
Create the Lambda Function
- Navigate to Lambda > New Function
- Select Blank Function
- On the grey dashed box, search for and select SNS
- Select the SNS topic we set up earlier and check Enable Trigger
- Delete the code in the text box and paste in the code from here: https://github.com/alpalwal/D9SnsToSlack/blob/master/SNStoSlack.js
Add two environment variables, slackChannel and hookUrl:
- Set the Slack channel (for example #security-alerts) for the first
- Paste your full webhook URL in the second box
*Optional* A third variable, messageTypeBlacklist, reduces alerting noise. Set it to a pipe-delimited list of event types that you don't want forwarded to Slack. The noisiest are usually InstanceStateChanged, InstanceCreatedEvent and InstanceTagsChangeDetectedEvent, so a typical value is InstanceStateChanged|InstanceCreatedEvent|InstanceTagsChangeDetectedEvent. Filtered events still reach your SIEM through SNS; only the Slack copy is suppressed.
In the Role section choose 'Create new role from template(s)' and give it a name. Leave the policy templates empty: the function calls Slack over HTTPS and no other AWS API, so the basic execution permissions (writing to CloudWatch Logs) are all it needs.
Leave the rest of the settings alone and save the function.
Time to test! Try logging out and back in, or create a Dome9 Dynamic Access Lease. The event should appear in the Slack channel you configured within a few seconds. If nothing shows up, the function's CloudWatch Logs stream is the first place to look: a bad webhook URL or a malformed payload will be reported there.
That’s it. Enjoy your Dome9 -> Slack integration!