Integrations
ServiceNow
The ServiceNow integration allows you to connect your ServiceNow account to the application, enabling you to create and manage tickets directly from alerts. This integration helps streamline your incident management and ticketing process by connecting directly with your ServiceNow instance.
Configuration Status
The configuration status of the ServiceNow integration is displayed within the application. If the status is Configured, your ServiceNow account is successfully connected. If the status is Not Connected, you need to configure the integration.
Configuration Steps
Follow these steps to configure your ServiceNow integration.
- ServiceNow Instance Location: Enter the URL of your ServiceNow instance in the format https://devXXXX.service-now.com/.
- ServiceNow Credentials: Provide the username and password for your ServiceNow account.
- ServiceNow Priority: Set the priority for tickets created from the integration. Enter a value between 1 and 5.
- ServiceNow Table (Optional): Specify the ServiceNow table for the tickets. By default, tickets are created in the "incident" table. You can specify other tables like "problem" or "change".
- ServiceNow Caller ID: Enter the caller ID for the tickets. Leave this field empty to use the default test account.
After filling in the required fields, click Link Accounts or Update Config to save your settings.
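As an added illustration (not Defused's own code), the following validates the five form fields above the way the page describes them and builds the ServiceNow Table API request a ticket would need. The field mapping onto Table API columns, the sample configuration and the sample alert are assumptions constructed for the example.

```python
import base64
import json
import re
from urllib.parse import urlparse

def validate_config(cfg):
    """Check the form fields: https://devXXXX.service-now.com/ URL, username and
    password, priority 1..5, optional table (default "incident"), optional caller ID."""
    url = urlparse(cfg.get("instance_url", ""))
    if url.scheme != "https" or not url.netloc.endswith(".service-now.com"):
        raise ValueError("instance URL must look like https://devXXXX.service-now.com/")
    if not cfg.get("username") or not cfg.get("password"):
        raise ValueError("ServiceNow username and password are required")
    priority = int(cfg.get("priority", 0))
    if not 1 <= priority <= 5:
        raise ValueError("priority must be a value between 1 and 5")
    table = cfg.get("table") or "incident"
    if not re.fullmatch(r"[a-z0-9_]+", table):   # the table name becomes a URL path segment
        raise ValueError("table must be a plain ServiceNow table name such as incident")
    return {"base": f"https://{url.netloc}", "username": cfg["username"],
            "password": cfg["password"], "priority": priority, "table": table,
            "caller_id": cfg.get("caller_id") or None}   # empty -> default test account

def config_error(cfg):
    try:
        validate_config(cfg)
        return None
    except ValueError as exc:
        return str(exc)

def build_ticket_request(cfg, alert):
    """Build the Table API POST (url, headers, body) for one alert.
    Assumption: the page does not document Defused's field mapping, so the
    webhook alert fields are mapped here onto standard Table API columns."""
    c = validate_config(cfg)
    token = base64.b64encode(f"{c['username']}:{c['password']}".encode()).decode()
    body = {"short_description": f"Defused: {alert['alert']} on {alert['decoyname']}",
            "description": json.dumps(alert, indent=2), "priority": str(c["priority"])}
    if c["caller_id"]:
        body["caller_id"] = c["caller_id"]
    headers = {"Authorization": f"Basic {token}", "Accept": "application/json",
               "Content-Type": "application/json"}
    return f"{c['base']}/api/now/table/{c['table']}", headers, json.dumps(body)

# Constructed sample configuration and alert (not real Defused data).
SAMPLE_CONFIG = {"instance_url": "https://dev12345.service-now.com/", "username": "defused",
                 "password": "example-password", "priority": 3, "table": "", "caller_id": ""}
SAMPLE_ALERT = {"alert": "Vulnerability Exploited", "attackerip": "192.168.1.10", "decoyip": "10.0.0.5",
                "decoyname": "Decoy-Server-01", "datetime": "2024-06-08T14:32:00Z", "location": "Data Center 1"}
```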
Usage
Once configured, the "Create Incident (ServiceNow)" button becomes available in each of the alert views.
Troubleshooting
If you encounter any issues with the integration, check the following:
- Ensure that your ServiceNow instance URL is correct and accessible.
- Verify that your ServiceNow credentials are valid and have the necessary permissions.
- Check if the ServiceNow instance allows API access and if the user has appropriate roles.
- Refer to the ServiceNow documentation for additional troubleshooting steps.
Slack
The Slack integration allows you to send events and alerts directly to a Slack channel of choice using an incoming webhook. This integration helps you keep your team updated in real-time by sending critical notifications to your preferred Slack channel.
Configuration Status
The status of the Slack integration is displayed within the application. If the status is Configured, your Slack webhook is successfully set up. If the status is Not Connected, you need to configure the webhook.
Configuration Steps
Follow these steps to configure the Slack integration using an incoming webhook.
- Click the "Add to Slack" Button: Use the "Add to Slack" button in the Slack Integration page to initiate the Slack incoming webhook setup.
- Authorize the App and Select a Channel: A new window will open, prompting you to select a Slack workspace and authorize the Defused Slackbot. You will need sufficient user privileges on the selected workspace to install the Defused Slackbot. You will also choose the Slack channel to which alerts are sent.
Once authorized, a webhook URL will be automatically generated and configured in your Defused app. This URL will be used to send events to your Slack channel. A notification will confirm that the Defused App has been added to your selected channel.
Selecting an Interval
Once you have enabled the incoming webhook, you may configure the frequency of the webhook triggering. The default is 60 minutes, meaning each alert severity will only trigger once during this interval.
Email
The Email integration allows you to receive alerts and notifications directly to your preferred email address. This ensures you are kept informed of critical events even when you are not actively monitoring the application.
Configuration Status
The status of the Email integration is displayed within the application. If the status is Configured, your email forwarding is successfully set up. If the status is Not Configured, you need to enable the email integration.
Configuration Steps
Follow these steps to configure the Email integration for forwarding alerts.
- Navigate to the Email Integration Page: Go to the Email Integration page in your application.
- Enable the Email Integration: Click the "Enable" slider to activate email forwarding. This turns on the functionality to send alerts and notifications to your email address.
- Configure Email Settings (Optional): Optionally, you can configure the email interval and external address forwarding. These settings allow you to customize the frequency of email alerts and specify an alternative email address for notifications.
- Frequency (minutes): Set the interval at which you want to receive email notifications. Each alert severity will trigger an email once within this frequency. The default is 60 minutes.
- External Address Forwarding: Enter external email addresses if you prefer to forward alert emails to addresses other than the one specified in your Defused account.
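The per-severity interval described for both the Slack webhook and the email frequency above, worked through as an added example (not Defused's own code). It assumes a sliding window measured from the last notification actually sent for that severity, which the page does not specify, and uses a constructed alert stream.

```python
from datetime import datetime, timedelta

class SeverityThrottle:
    """Suppress repeat notifications per alert severity within one interval.
    Assumption: the interval is measured from the last notification sent for that
    severity (a sliding window); the page does not say whether windows are fixed."""

    def __init__(self, interval_minutes=60):          # 60 minutes is the page's default
        self.interval = timedelta(minutes=interval_minutes)
        self._last_sent = {}                           # severity -> time of last notification

    def should_notify(self, severity, now):
        last = self._last_sent.get(severity)
        if last is not None and now - last < self.interval:
            return False                               # still inside the window: suppressed
        self._last_sent[severity] = now
        return True

def deliveries(alerts, interval_minutes=60):
    """Return the timestamps of the alerts that would actually be sent to Slack or email."""
    throttle = SeverityThrottle(interval_minutes)
    return [ts for ts, severity in alerts
            if throttle.should_notify(severity, datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))]

# Constructed sample alert stream in arrival order (severity values are assumed).
SAMPLE_ALERTS = [
    ("2024-06-08T14:32:00Z", "high"),   # sent
    ("2024-06-08T14:40:00Z", "high"),   # suppressed: 8 minutes after the last high
    ("2024-06-08T14:45:00Z", "low"),    # sent: severities are tracked independently
    ("2024-06-08T15:31:59Z", "high"),   # suppressed: 1 second short of the interval
    ("2024-06-08T15:32:00Z", "high"),   # sent: exactly 60 minutes have elapsed
]
```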
Webhooks
Webhooks allow you to define HTTP endpoints that are triggered automatically when specific Defused alert events occur.
Webhook Configuration Fields
Webhook Name (required)
This name is used internally to differentiate between different webhooks. Choose a descriptive name that reflects the purpose or the alert type the webhook is associated with.
Webhook URL (required)
Enter the full URL (including the protocol, e.g., https://) of the endpoint that will receive the webhook data. This URL must be accessible from the internet and capable of handling HTTP POST requests.
HTTP Auth
HTTP Authentication provides the following options for authentication:
- None: No authentication required.
- Basic: Basic HTTP authentication using a username and password.
- Bearer: Bearer token authentication for secure access.
- API Key: Authentication using an API key included in the request headers.
Select the appropriate authentication method based on your webhook endpoint's security requirements.
Headers
These headers can be used to provide additional context or authentication information required by the receiving endpoint. Headers may be added by clicking the "Add Header" button, after which two input fields for the key and the value are added. You may add multiple custom headers.
Defused Alert Fields
Defused alert fields are automatically included in the webhook payload and provide detailed information about the alert event. These fields are enclosed within <<>> symbols in the JSON data and should not be modified.
Alert Type
Example: "alert": "Vulnerability Exploited"
Attacker IP
Example: "attackerip": "192.168.1.10"
Decoy IP
Example: "decoyip": "10.0.0.5"
Decoy Name
Example: "decoyname": "Decoy-Server-01"
Datetime
Example: "datetime": "2024-06-08T14:32:00Z"
Location
Example: "location": "Data Center 1"
Raw Data
Example: "rawdata": "{ 'event': 'suspicious_activity', 'details': '...' }"
JSON Data Field
Users can add their own JSON elements to the webhook payload. The Defused alert fields enclosed within <<>> symbols must remain unchanged. You can add any custom fields or modify existing ones, as long as the Defused alert fields are preserved.
{
"alert": "<>",
"attackerip": "<>",
"decoyip": "<>",
"decoyname": "<>",
"datetime": "<>",
"location": "<>",
"rawdata": "<>",
"customfield": "Your value here"
}
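For the receiving side, here is an added example (not part of the Defused documentation or product) of an endpoint that checks the HTTP Auth option chosen in the form and then validates that the payload still carries every Defused alert field listed above. The X-API-Key header name, the token values and the sample request are assumptions constructed for the example.

```python
import base64
import hmac
import ipaddress
import json
from datetime import datetime

# Alert fields the page lists; Defused substitutes the <<...>> placeholders before posting.
DEFUSED_FIELDS = ("alert", "attackerip", "decoyip", "decoyname", "datetime", "location", "rawdata")
def _eq(a, b):
    return hmac.compare_digest(a.encode(), b.encode())   # constant-time string comparison

def is_authorized(headers, scheme, secret, username=None):
    """Check the HTTP Auth option chosen in the webhook form: None, Basic, Bearer or API Key."""
    h = {k.lower(): v for k, v in headers.items()}        # header names are case-insensitive
    if scheme == "None":
        return True
    if scheme == "Bearer":
        return _eq(h.get("authorization", ""), "Bearer " + secret)
    if scheme == "Basic":
        creds = base64.b64encode(f"{username}:{secret}".encode()).decode()
        return _eq(h.get("authorization", ""), "Basic " + creds)
    if scheme == "API Key":
        # Assumption: the key is sent in an X-API-Key header; the page only says "request headers".
        return _eq(h.get("x-api-key", ""), secret)
    return False                                          # unknown scheme: fail closed

def parse_alert(body):   # parse and sanity-check the payload; ValueError on anything malformed
    data = json.loads(body)
    if not isinstance(data, dict):
        raise ValueError("payload is not a JSON object")
    if not all(f in data for f in DEFUSED_FIELDS):
        raise ValueError("a Defused alert field is missing from the payload")
    for key in ("attackerip", "decoyip"):
        ipaddress.ip_address(str(data[key]))              # rejects anything that is not an IP
    datetime.strptime(str(data["datetime"]), "%Y-%m-%dT%H:%M:%SZ")
    return data

def handle_webhook(headers, body, scheme="Bearer", secret="example-token"):
    if not is_authorized(headers, scheme, secret):        # returns (http_status, alert or error)
        return 401, "unauthorized"
    try:
        return 200, parse_alert(body)
    except ValueError as exc:                             # json.JSONDecodeError is a ValueError
        return 400, str(exc)

# Constructed sample request (not captured from Defused); custom fields may ride along.
SAMPLE_HEADERS = {"Content-Type": "application/json", "Authorization": "Bearer example-token"}
SAMPLE_BODY = json.dumps({"alert": "Vulnerability Exploited", "attackerip": "192.168.1.10",
    "decoyip": "10.0.0.5", "decoyname": "Decoy-Server-01", "datetime": "2024-06-08T14:32:00Z",
    "location": "Data Center 1", "rawdata": "{ 'event': 'suspicious_activity' }", "customfield": "x"})
```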
HTTP Representation & Copy as cURL
An HTTP Representation of your currently configured webhook is displayed at the end of the form:
curl -X POST "YOUR_WEBHOOK_URL" \
-H "Content-Type: application/json" \
-H "Authorization: Bearer YOUR_TOKEN" \
-d '{
"Alert Type": "<>",
"Attacker IP": "<>",
"Decoy IP": "<>",
"Decoy Name": "<>",
"Datetime": "<>",
"Location": "<>",
"Raw Data": "<>",
"Custom Field": "Your value here"
}'
Clicking "Copy as cURL" copies your webhook as a cURL command, enabling easy testing of the endpoint you're adding the webhook to.
Save Webhook
After filling out all the required fields, click the "Save Webhook" button to save your configuration. This will ensure that your webhook is triggered when an alert event matching your criteria occurs.