ChatOps is a big theme these days. IT operations, software engineers, security professionals, and many more utilize ChatOps as a popular way to collaborate with team members in real-time, and in one central location. Slack is often the app of choice for ChatOps; they have a robust API along with in-depth documentation on how to integrate with their product. They’ve also developed interactive features to help improve user experience overall.
We’re heavy users of Slack at Komand, not just for collaboration but for status tracking, monitoring of all sorts, alerting, and day-to-day activity updates. We’ve also talked with many security teams about ChatOps, security operations, and how the two fit together. An ever-popular use case we hear is one coined by the Slack security team themselves: distributed security alerting.
In a nutshell, distributed security alerting means asking the involved user directly, via a chat app like Slack, to confirm an activity as soon as something anomalous is detected. The process goes something like this, as described in Ryan Huber’s article on the topic:
- Your monitoring system notices something suspicious
- A bot sends the employee a message in Slack asking if they did $thing
- If the employee confirms it was them, the alert is resolved and we’re done here. If the employee tells the bot it was not them OR they don’t respond within a few minutes, we escalate the alert to a security team
- If the alert requires action, the security team contacts the employee and begins investigating
Ryan Huber, Distributed Security Alerting
As it stands, automating detection and verification this way is already a win for security teams: it spares them a mountain of alerts, and it notifies users of activity immediately, while it is still timely and relevant. But this can go a step further.
What if you could not only confirm activity in real time, but also automate the follow-on steps? At Komand, we’ve built a deeper integration with Slack to do just this. And you can add this automation without fiddling with a pile of Python scripts.
We call this feature "Chatbot Response Prompts".
Think of a “Response Prompt” as a Slack-facilitated human decision. When an activity occurs, say a privilege escalation, the user involved is notified immediately and can confirm, right in Slack, whether or not they performed it.
If they did perform it, they get a Duo push notification to confirm the activity with a second factor, so a clicked button alone is never taken as proof. If they did not perform it, the activity is escalated and the involved user accounts are disabled automatically. A timeout can be set as well, so that if a user does not respond to the prompt within the allotted time, action can be taken to mitigate a possible threat.
We’ve also integrated Slack’s interactive message buttons to make the Slack response prompt as concise and as actionable as possible.
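To make the decision flow concrete, here is an added example of a response prompt in plain Python. It is not Komand’s or Slack’s code; it builds a Slack interactive message with two buttons in the attachment/actions format, then resolves the prompt into follow-on actions for the three outcomes described above (confirmed, denied, no answer within the timeout). The alert ID, user names, verification token, five-minute timeout and the action names such as `duo_push` are all assumptions for illustration, and `make_click` constructs a sample payload in the shape Slack posts back when a button is pressed.

```python
"""Added example of a Slack response prompt: not Komand's or Slack's own code.
The message format follows Slack's interactive message buttons (attachments
with "actions"); everything else is a hypothetical workflow for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed: the verification token Slack includes in interactive-message
# callbacks so the receiver can check the click came from its own Slack app.
VERIFICATION_TOKEN = "example-verification-token"


def build_prompt(alert_id: str, user: str, description: str, timeout_minutes: int = 5) -> dict:
    """Build the Slack message that asks the user whether they did the activity."""
    return {
        "text": f"<@{user}> Did you just {description}?",
        "attachments": [{
            "text": f"If you don't answer within {timeout_minutes} minutes, this alert is escalated.",
            "callback_id": f"alert-{alert_id}",
            "attachment_type": "default",
            "actions": [
                {"name": "response", "text": "Yes, that was me", "type": "button", "value": "yes"},
                {"name": "response", "text": "No, that wasn't me", "type": "button",
                 "value": "no", "style": "danger"},
            ],
        }],
    }


def make_click(user: str, value: str, alert_id: str, token: str = VERIFICATION_TOKEN) -> dict:
    """Constructed sample of the payload Slack posts to the action URL on a button press."""
    return {
        "token": token,
        "callback_id": f"alert-{alert_id}",
        "user": {"id": f"U-{user}", "name": user},
        "actions": [{"name": "response", "value": value}],
    }


@dataclass
class Prompt:
    alert_id: str
    user: str                      # the person the monitoring system flagged
    sent_at: datetime
    timeout: timedelta = timedelta(minutes=5)


def resolve(prompt: Prompt, click: Optional[dict], now: datetime) -> list:
    """Map a prompt plus (optional) button click to the ordered follow-on actions."""
    if click is not None:
        # Only trust callbacks that carry our app's verification token.
        if click.get("token") != VERIFICATION_TOKEN:
            return ["reject_unverified_callback"]
        # A click must belong to this alert and come from the user we asked;
        # anyone else pressing "yes" must not be able to close the alert.
        if (click.get("callback_id") != f"alert-{prompt.alert_id}"
                or click.get("user", {}).get("name") != prompt.user):
            return ["ignore_foreign_click"]
        value = click["actions"][0]["value"]
        if value == "yes":
            # The button alone is not proof: require a Duo push before closing.
            return ["duo_push", "close_if_duo_approved"]
        if value == "no":
            return ["escalate", "disable_account"]
        return ["ignore_unknown_value"]
    # No answer yet: treat silence past the timeout like a denial (assumed policy).
    if now - prompt.sent_at >= prompt.timeout:
        return ["escalate", "disable_account"]
    return ["wait"]


def demo() -> dict:
    """Run the three outcomes over a constructed privilege-escalation alert."""
    sent = datetime(2016, 10, 1, 12, 0, tzinfo=timezone.utc)
    p = Prompt(alert_id="42", user="alice", sent_at=sent)
    return {
        "confirmed": resolve(p, make_click("alice", "yes", "42"), sent + timedelta(minutes=1)),
        "denied": resolve(p, make_click("alice", "no", "42"), sent + timedelta(minutes=1)),
        "pending": resolve(p, None, sent + timedelta(minutes=1)),
        "timed_out": resolve(p, None, sent + timedelta(minutes=5)),
        "wrong_user": resolve(p, make_click("bob", "yes", "42"), sent + timedelta(minutes=1)),
    }


if __name__ == "__main__":
    for outcome, actions in demo().items():
        print(f"{outcome:>10}: {actions}")
```

The two checks before the button value is read are the part most easily forgotten: without them, anyone in the workspace who can reach the callback, or any forged POST to the action URL, could "confirm" someone else's privilege escalation and close the alert.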
We’re thrilled to introduce this much anticipated feature today! Not only can Komand users continue to build out customized workflows with little to no code, but they can now extend the robust functionality of our automation layer to unify many ChatOps+SecOps use cases in one platform.
If you’re a Komand customer, you can upgrade immediately to get started with the new “Chatbot” functionality, including response prompts.
If you’d like to see response prompts in action, we recently hosted a security ChatOps webinar. Our CEO, Jen Andre, co-hosted with Datadog’s CSO, Andrew Becherer, to showcase this new feature, and additional ChatOps use cases that will help you save time and do more with the resources you have.
There was a ton of good information in the webinar, especially around success criteria, so the recording is well worth watching.