Notification For Teams

crowdsec
1

I thought I’d share our config to send ban notifications to our Teams.
To make this work, you need to Use the “Connectors” portion of teams to make an Incoming Webhook.
Once you do that, you’ll have a Teams URL you can post to which will put a notification in the channel.

I’m no expert in notifications, I just put this together from the examples… It is useful for us… it allows us to easily see if we blocked an IP and when and potentially address a false positive.
If anyone has improvements, I’d enjoy seeing them.

This is for Crowdsec 1.2 (or greater?)
This text is in our /etc/crowdsec/notifications/http.yaml

# Don't change this
type: http

name: http_default # this must match with the registered plugin in the profile
log_level: info # Options include: trace, debug, info, warn, error, off

format: |  # This template receives list of models.Alert objects. The request body would contain this.
  {{range . -}}
  {{$alert := . -}}
  {{range .Decisions -}}
  {
    "@context": "https://schema.org/extensions",
    "@type": "MessageCard",
    "potentialAction": [
        {
            "@type": "OpenUri",
            "name": "View Shodan",
            "targets": [
                {
                    "os": "default",
                    "uri": "https://www.shodan.io/host/{{.Value}}"
                }
            ]
        },{
            "@type": "OpenUri",
            "name": "View Whois",
            "targets": [
                {
                    "os": "default",
                    "uri": "https://www.whois.com/whois/{{.Value}}"
                }
            ]
        },{
            "@type": "OpenUri",
            "name": "View AbuseIPDB",
            "targets": [
                {
                    "os": "default",
                    "uri": "https://www.abuseipdb.com/check/{{.Value}}"
                }
            ]
        }

    ],
    "sections": [
        {
            "facts": [
                {
                    "name": "Scenario:",
                    "value": "{{.Scenario}}"
                },
                {
                    "name": "Duration:",
                    "value": "{{.Duration}}"
                },
                {
                    "name": "IP:",
                    "value": "{{.Value}}"
                }
            ],
            "text": ""
        }
    ],
    "summary": "IP Banned {{.Value}}",
    "themeColor": "0072C6",
    "title": "IP Banned  {{.Value}}"
  }
  {{end -}}
  {{end -}}

#enter your webhook URL here
url: https://xxxxxxx.webhook.office.com/webhookb2/xxxxxxxxx

method: POST

# eg either of "POST", "GET", "PUT" and other http verbs is valid value.

# headers:
#   Authorization: token 0x64312313


# skip_tls_verification:  # either true or false. Default is false

#group_wait: 5s # duration to wait collecting alerts before sending to this plugin, eg "30s"

# group_threshold: # if alerts exceed this, then the plugin will be sent the message. eg "10"

# max_retry: # number of tries to attempt to send message to plugins in case of error.

# timeout: # duration to wait for response from plugin before considering this attempt a failure. eg "10s"

It generates this:

2021-09-29_8-48-48
2021-09-29_8-48-48983×271 23 KB

1 Like
2

Thanks a lot! Highly appreciated :slight_smile:

3

This looks great! Thanks for sharing!