Pokes users on Slack about outstanding risks found by Crowdstrike Spotlight or vmware Workspace ONE so they can secure their own endpoint.
Self-service security culture! 🥳
Slack message for the user:
Slack overview message for the security user:
- Tag your Falcon hosts with
email/user/company/com
if their email isuser@company.com
. - Assign compliance policies to your devices in Workspace ONE.
- Fetch a binary release or Docker image from Releases.
- Create a Falcon API token to use in
API Clients and Keys
withRead
permission toHosts
andSpotlight
. - Create Workspace ONE oauth2 API credentials with a read-only role.
- Create a configuration file:
slack:
# slack bot token
token: "XXX"
# Slack user that receives messages if the user is not found
security_user: ["security@mycompany.com"]
# skip sending a security overview if there is nothing to mention
skip_no_report: true
# don't send a message to the user if 'Vacationing' status is set
skip_on_holiday: true
# falcon crowdstrike
falcon:
# falcon api credentials
clientid: "XXX"
secret: "XXX"
# your falcon SaaS cloud region
cloud_region: "eu-1"
# skip vulnerabilities without available patches
skip_no_mitigation: true
# what severity classes you want to skip
skip_severities: ["low"]
# minimum CVE base score to report
min_cve_base_score: 0
# the CVEs you want to ignore
skip_cves: ["CVE-2019-15315"]
# the minimum exprtAI severity you want to filter for
min_exprtai_severity: medium
# vmware workspace one
ws1:
# the api endpoint of your Workspace ONE instance, eg. "https://asXXXX.awmdm.com/api/"
api_url: "https://xxx.awmdm.com/api/"
# your Workspace ONE oauth2 credentials
# Groups & Settings > Configurations > Search for "oauth" > Click > Add with a Reader role
client_id: "XXX"
client_secret: "XXX"
# the location of your Workspace ONE tenant, see 'Region-specific Token URLs'
# https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/services/UEM_ConsoleBasics/GUID-BF20C949-5065-4DCF-889D-1E0151016B5A.html
auth_location: "emea"
# what policies you want to skip
# leave user or policy blank to ignore it
skip:
- policy: "Disk Encryption"
user: "some_special_user@company.com"
# email domains used in your Slack workspace for filtering
# e.g. for a Slack account user@mycompany.com
email:
domains: ["mycompany.com"]
# any users that shouldn't be in MDM or EDR
whitelist:
- foo@company.com
# what is sent to the user in Go templating
templates:
user_message: |
*:warning: We detected security issues on your device(s)*
Hi {{ .Slack.Profile.FirstName }} {{ .Slack.Profile.LastName }}!
{{ if not (eq (len .Falcon.Devices) 0) }}
One or more of your devices seem to be vulnerable.
Luckily we noticed there are patches available. Please install following patches:
{{ range $device := .Falcon.Devices }}
:computer: {{ $device.MachineName }}
{{ range $vuln := $device.Findings }}
`{{ $vuln.ProductName }}`
{{ end }}
{{ end }}
{{ end }}
{{ if not (eq (len .WS1.Devices) 0) }}
One or more of your devices seem to be misconfigured in an insecure way.
Please check the below policies which are violated:
{{ range $device := .WS1.Devices }}
:computer: {{ $device.MachineName }}
{{ range $finding := $device.Findings }}
- :warning: {{ $finding.ComplianceName }}
{{ end }}
{{ end }}
{{ end }}
Please resolve those issues as soon as possible. In case of any issues, hop into *#security*.
Thank you! :wave:
security_overview_message: |
:information_source: *Device Posture overview* {{ .Date.Format "Jan 02, 2006 15:04:05 UTC" }}
{{ if and (not .Falcon) (not .WS1) }}Nothing to report! :white_check_mark: {{ else }}
{{ range $result := .Falcon }}
:man-surfing: *{{ $result.Email }}*
{{ range $device := $result.Devices }}
:computer: {{ $device.MachineName}}
{{ range $vuln := $device.Findings }}- {{ $vuln.ProductName }} ({{ $vuln.CveSeverity }}) (Open for {{ $vuln.DaysOpen }} days) ({{ $vuln.CveID }}){{ end }}
{{ end }}
{{ end }}
{{ range $result := .WS1 }}
:man-surfing: *{{ $result.Email }}*
{{ range $device := $result.Devices }}
:computer: {{ $device.MachineName }}
Compromised: {{ $device.Compromised }}
Last seen: {{ $device.LastSeen.Format "Jan 02, 2006 15:04:05 UTC" }}
{{ range $finding := $device.Findings }}- :warning: {{ $finding.ComplianceName }}{{ end }}
{{ end }}
{{ end }}
{{ end }}
{{ if .Errors }}
:warning: *Errors:*
{{ range $err := .Errors }}
- {{ $err }}
{{ end }}
{{ end }}
- Run
css -config=your-config.yml -log=debug -dry
to test. - See the security overview popup to you in Slack!
- Now run it for real with
css -config=your-config.yml
.