I thought I’d share our config to send ban notifications to our Teams.
To make this work, you need to use the "Connectors" section of Teams to create an Incoming Webhook.
Once you do that, you'll have a Teams URL you can POST to, which will put a notification in the channel.
I'm no expert in notifications, I just put this together from the examples. It is useful for us: it allows us to easily see if we blocked an IP and when, and potentially address a false positive.
If anyone has improvements, I’d enjoy seeing them.
This is for Crowdsec 1.2 (or greater?)
This text is in our /etc/crowdsec/notifications/http.yaml
```yaml
# Don't change this
type: http

name: http_default # this must match with the registered plugin in the profile
log_level: info # Options include: trace, debug, info, warn, error, off

# This template receives a list of models.Alert objects. The request body would contain this.
# Note: one JSON object is emitted per decision, and Teams expects exactly one
# MessageCard per request, so this assumes one decision per alert.
format: |
  {{range . -}}
  {{$alert := . -}}
  {{range .Decisions -}}
  {
    "@context": "https://schema.org/extensions",
    "@type": "MessageCard",
    "potentialAction": [
      {
        "@type": "OpenUri",
        "name": "View Shodan",
        "targets": [
          {
            "os": "default",
            "uri": "https://www.shodan.io/host/{{.Value}}"
          }
        ]
      },{
        "@type": "OpenUri",
        "name": "View Whois",
        "targets": [
          {
            "os": "default",
            "uri": "https://www.whois.com/whois/{{.Value}}"
          }
        ]
      },{
        "@type": "OpenUri",
        "name": "View AbuseIPDB",
        "targets": [
          {
            "os": "default",
            "uri": "https://www.abuseipdb.com/check/{{.Value}}"
          }
        ]
      }
    ],
    "sections": [
      {
        "facts": [
          {
            "name": "Scenario:",
            "value": "{{.Scenario}}"
          },
          {
            "name": "Duration:",
            "value": "{{.Duration}}"
          },
          {
            "name": "IP:",
            "value": "{{.Value}}"
          }
        ],
        "text": ""
      }
    ],
    "summary": "IP Banned {{.Value}}",
    "themeColor": "0072C6",
    "title": "IP Banned {{.Value}}"
  }
  {{end -}}
  {{end -}}

# enter your webhook URL here
url: https://xxxxxxx.webhook.office.com/webhookb2/xxxxxxxxx
method: POST
# e.g. any of "POST", "GET", "PUT" and other HTTP verbs is a valid value.
# headers:
#   Authorization: token 0x64312313
# skip_tls_verification: # either true or false. Default is false
# group_wait: 5s # duration to wait collecting alerts before sending to this plugin, e.g. "30s"
# group_threshold: # if alerts exceed this, then the plugin will be sent the message. e.g. "10"
# max_retry: # number of tries to attempt to send message to plugins in case of error.
# timeout: # duration to wait for response from plugin before considering this attempt a failure. e.g. "10s"
```
It generates this:
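Separately from the post above, here is an added Go example (not the author's config or CrowdSec's code) that renders the same range-over-decisions template against constructed alerts and counts how many JSON documents the request body holds, so you can check the output offline before pointing the plugin at a real webhook. The `Alert`/`Decision` structs are minimal stand-ins for the real `models.Alert` fields, and the template is the post's loop structure cut down to the facts section.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"text/template"
)

// Stand-ins for the fields of models.Alert / models.Decision that the template
// reads (assumption: the real CrowdSec structs carry many more fields).
type Decision struct{ Scenario, Duration, Value string }
type Alert struct{ Decisions []Decision }

// Same loop structure as the http.yaml "format" block, reduced to the facts section.
const cardTmpl = `{{range . -}}
{{range .Decisions -}}
{"@type":"MessageCard","summary":"IP Banned {{.Value}}","sections":[{"facts":[
{"name":"Scenario:","value":"{{.Scenario}}"},{"name":"Duration:","value":"{{.Duration}}"},{"name":"IP:","value":"{{.Value}}"}]}]}
{{end -}}
{{end -}}`

// Render returns the body the http plugin would POST for the given alerts.
func Render(alerts []Alert) (string, error) {
	t, err := template.New("card").Parse(cardTmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	err = t.Execute(&buf, alerts)
	return buf.String(), err
}

// CountCards reports how many top-level JSON documents the body contains and
// fails on malformed JSON. Teams accepts exactly one MessageCard per request,
// so anything other than 1 means the body will be rejected.
func CountCards(body string) (int, error) {
	dec := json.NewDecoder(bytes.NewReader([]byte(body)))
	for n := 0; ; n++ {
		var card any
		if err := dec.Decode(&card); errors.Is(err, io.EOF) {
			return n, nil
		} else if err != nil {
			return n, err
		}
	}
}

func main() {
	// Constructed sample: one alert carrying one ban decision.
	body, _ := Render([]Alert{{Decisions: []Decision{{"crowdsecurity/ssh-bf", "4h", "203.0.113.7"}}}})
	n, err := CountCards(body)
	fmt.Printf("%d card(s), err=%v\n%s", n, err, body)
}
```

An alert carrying two decisions renders two concatenated documents, which is the case to watch for if you see Teams silently dropping notifications.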