ArcSight Rule Action – Telegram Message

This tutorial will show you how we, in CyberSIEM, send Telegram messages from ArcSight.

How does it work?

In this tutorial, we will create a Telegram Bot. Telegram Bot will able to send messages using API.

We will add the Bot to the Telegram group, and we will send messages to this group from ArcSight using the CounterACT Connector.

Let’s Start!

First, download from the link below the script and the parser:
https://www.cybersiem.com/download/telegram-bot/

Create Bot:

You can find more information about Telegram bots here: https://core.telegram.org/bots

To create the Bot follow these steps:

  1. Open the Telegram App (In your mobile or desktop)
  2. Search for BotFather
  3. Enter Command: /newbot
  4. Give a name to your bot: e.g. CyberSIEM-DEMO
  5. Choose a user name for your bot (Must end with ‘lab’): e.g. CyberSIEM_DEMO_bot
  6. You will get a confirmation for your bot with API: e.g. 788742545:AAFblwJ9foxd9lC5ci_YbzmgICQdIh-0ML8

Congratulations! Now you have your new bot.

Get Chat ID:

Any conversation with the bot has a unique Chat ID, the bot will need this ID to know where to send the message. Of course, you can use the same bot for a few conversations, and send different alerts to each group.

So before we find the Chat ID, we need to create one.

Create a group, and add your bot as a member. Send the command: “\start”. This will start the bot in your Chat.

Now we will use Telegram API to get the Chat ID. put the next address in your browser and replace the API token with your token:

https://api.telegram.org/bot[API_TOKEN_HERE]/getUpdates
(e.g. https://api.telegram.org/bot788742545:AAFblwJ9foxd9lC5ci_YbzmgICQdIh-0ML8/getUpdates)

Your results will look like this:

{“ok”:true,”result”:[{“update_id”:819150214,”message”:{“message_id”:4,”from”:{“id”:148710995,”is_bot”:false,”first_name”:”CyberSIEM”….

The Chat ID, in this case, will be 148710995.

Sending Message Script:

Now we will create the sending message script, by using Telegram API. We will write the script in PowerShell, but you can use any scripting language.

If you want to learn more about PowerShell and Telegram you can read here:
https://www.itdroplets.com/automating-telegram-messages-with-powershell/

You can use the script from the shared folder above.

Now change the “MyToken” variable to your Bot’s token, and save the script on the connector server. We recommend creating an ArcSight/Scripts folder.

Install CounterACT Connector:

Now we will install a CounterACT connector. This connector allowed as to run a script from rule action, or manually from Arcsight Console.

Install by following these steps:

  1. To install the new ArcSight Smart Connector, type “Arcsight Flexconnector CounterACT”.
  2. Open the parser file “Telegram.counteract.properties”.
  3. In the last line change the file path to your script path. Be careful to change only the marked part: “command[0].action=powershell “E:\\ArcSight\\Scripts\\Telegram\\Telegram-SendMessage.ps1” -ChatId ${ChatID} -Message “‘${Message}'””.
  4. Save the parser file in “{CONNECTOR_FOLDER}\current\user\agent\flexagent”.
  5. Restart the connector service.

Now everything is ready! Let’s make some fun.

Send Telegram Messages from ArcSight:

  1. Open your rule action.
  2. Create a new Rule, under the “Actions” tab add new “Execute Connector Command” Action.
  3. Choose your connector CounterACT.
  4. Choose Telegram Command.
  5. Under the “Chat ID” attribute insert the Chat ID that we found earlier.
  6. Under the “Message” attribute insert your message. You can add ArcSight fields and variable, e.g. “$sourceUserName”.
  7. Under the “MessageSound” attribute you can set “1” for a message with sound, or “0” for a silent message.

The Action results will be:

That’s it 🙂

Ofek Sher, SIEM Orchestration Specialist

Post-Integration

Subscribe to our newsletter and stay updated on the latest developments

* indicates required

Share this post

Share on facebook
Share on twitter
Share on linkedin
Share on pinterest
Share on skype
Share on whatsapp
Share on telegram
Share on print
Share on email

SUBSCRIBE TO OUR NEWSLETTER

And stay updated on the latest developments !

Leave a Reply

Your email address will not be published. Required fields are marked *

Skip to content