Issue
Your SOC wants to receive notifications in a Google Chat Space when a new Red Canary threat is published. However, Google Chat is not a built-in option in Red Canary's Automate Playbook actions.
Environment
Google Workspace
Resolution
Create a new Automate Playbook (optional)
- In your Red Canary portal, using the left sidebar, navigate to Automation > Playbooks.
- Click the "Create New Playbook" button.
- Give your playbook a meaningful name, like "Google Chat Threat Notification".
Configure the "Invoke Webhook or API" action
- Open your Google Chat Space, expand the Space menu, and select "Apps & integrations".
Note: A Space Manager may need to perform this step.
- Click "Add webhooks", enter "Red Canary" as the name, and click Save.
- Click the three dots next to the Red Canary webhook and select "Copy link".
- In your Red Canary portal, open the Playbook that you created.
- Click "Add Action", select "Invoke Webhook or API" from the list of supported actions, and click "Add to Playbook".
- Paste the webhook link into the URL field.
- Paste the following into the HTTP Headers section:
Content-Type=application/json
- Select "Custom Payload" from the Payload dropdown.
- Paste the following into the Payload field and customize it to fit your use case:
{
"text": "$Detection.headline \n\n Severity: $Detection.severity \n Endpoint: $Endpoint.hostname \n Domain: $EndpointUser.domain \n User: $EndpointUser.username_without_domain \n Published: $Detection.published_at \n \n Details: $Detection.details \n \n Link: $Detection.url \n--"
}
- Click Save.
- To test your Playbook, select "Run" under the left Actions menu, and select a Threat. The notification should appear in your Google Chat Space.
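A local pre-flight check for this setup, added here as an example and not taken from Red Canary's or Google's documentation: it fills the message text above with constructed sample values, lets `json.dumps` escape quotes, backslashes and newlines so the body is valid JSON, and returns a redacted form of the webhook link for logs, since the link carries a key and token that let its holder post to the Space. The function names and sample values are assumptions; the URL shape checked is the `chat.googleapis.com` incoming-webhook format.

```python
import json
import re
from urllib.parse import urlsplit, parse_qs

# Message text from the article; the $Name.field placeholders are Red Canary's.
TEMPLATE = (
    "$Detection.headline \n\n Severity: $Detection.severity \n Endpoint: $Endpoint.hostname \n"
    " Domain: $EndpointUser.domain \n User: $EndpointUser.username_without_domain \n"
    " Published: $Detection.published_at \n \n Details: $Detection.details \n \n Link: $Detection.url \n--"
)

# Constructed sample values, including characters that break hand-built JSON.
SAMPLE = {
    "Detection.headline": 'Suspicious "powershell.exe" activity',
    "Detection.severity": "high",
    "Endpoint.hostname": "WS-0042",
    "EndpointUser.domain": "CORP",
    "EndpointUser.username_without_domain": "jdoe",
    "Detection.published_at": "2024-01-01T00:00:00Z",
    "Detection.details": 'C:\\Windows\\System32\\cmd.exe /c "whoami"\nsecond line',
    "Detection.url": "https://example.invalid/threats/1",
}

PLACEHOLDER = re.compile(r"\$([A-Za-z]+\.[A-Za-z_]+)")

def render_payload(template, values):
    """Substitute placeholders, then let json.dumps do all the escaping."""
    missing = [n for n in PLACEHOLDER.findall(template) if n not in values]
    if missing:
        raise KeyError("no value for: " + ", ".join(missing))
    text = PLACEHOLDER.sub(lambda m: values[m.group(1)], template)
    return json.dumps({"text": text})

def check_webhook_url(url):
    """Return a redacted form safe for logs; raise if it is not a Chat webhook."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != "chat.googleapis.com":
        raise ValueError("not an https://chat.googleapis.com URL")
    if not re.fullmatch(r"/v1/spaces/[^/]+/messages", parts.path):
        raise ValueError("unexpected path for a Chat webhook")
    if not {"key", "token"} <= set(parse_qs(parts.query)):
        raise ValueError("key or token parameter missing")
    return f"https://{parts.hostname}{parts.path}?key=REDACTED&token=REDACTED"

if __name__ == "__main__":
    print(render_payload(TEMPLATE, SAMPLE))
    print(check_webhook_url("https://chat.googleapis.com/v1/spaces/AAAA/messages?key=k&token=t"))
```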