CREATE AN EVENT
In that, I wanted to create an event that says: if someone logs in and stays logged in for more than 16 minutes, I want to know about it. This might not be relevant in your environment; it is mostly a triggered event to demonstrate a correlation event. So I can actually show this, for example, I want to go in here under the "SSH logon open too long" definition. I've created a correlation, and that correlation is set up to look at a sequence of events that must be satisfied within 16 minutes. The two events are an SSH session open and an SSH session closed.
If that sequence does not complete for that particular unique connection, send an alert. I've created an alert, and I include some fields here, such as the user string, so I know who the user was. Then I've gone into the notifications and created an actual notification called "SSH session open too long" as a Slack notification, and colored it red. For the webhook URL, what you would do is go to the Discord channel, edit the channel, and add an integration for a webhook.
Once you've selected the channel (in my case, I've used Graylog as the channel), you copy that URL and paste it in here, with one small twist: paste the entire URL, but at the end of it append `/slack`. That is what gets transmitted, and Discord will accept the notification as a Slack-type message integration and render it. As you'll see here down below, there is an Execute Test Notification button. Right within Graylog, whether it's a plain Slack notification or this modified Slack notification going to Discord, you can trigger it and test it to ensure that it's working.
Going to our documentation, you'll find more advanced documentation on setting up Slack alerts, creating the webhook, and all that good stuff. There are also examples online for sending test messages from different endpoints, whether that's a bash shell with curl, PowerShell, or the Windows command prompt.
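As an added example (not Graylog's own code and not from the original post), here is a small Python script that applies the twist above: it takes a Discord webhook URL, appends `/slack`, and posts a Slack-style red attachment carrying the user field, so you can send a test message outside Graylog. The webhook ID and token, the attachment text, and the timestamp are placeholders or constructed values.

```python
"""Send a Slack-format test notification to a Discord webhook's /slack endpoint.

Constructed example: the webhook ID/token below are placeholders, not real values.
"""
import json
import urllib.request
from urllib.parse import urlparse

DISCORD_WEBHOOK_PATH = "/api/webhooks/"


def discord_slack_endpoint(webhook_url: str) -> str:
    """Return the Slack-compatible endpoint for a Discord webhook URL.

    Discord accepts Slack-style payloads when '/slack' is appended to the
    webhook URL, which is the twist the Graylog Slack notification relies on.
    """
    parsed = urlparse(webhook_url)
    if parsed.scheme != "https" or not parsed.path.startswith(DISCORD_WEBHOOK_PATH):
        raise ValueError("not a Discord webhook URL: %r" % webhook_url)
    base = webhook_url.rstrip("/")
    return base if base.endswith("/slack") else base + "/slack"


def slack_style_payload(title: str, user: str, timestamp: str, color: str = "#ff0000") -> dict:
    """Build a Slack-style message like the alert: a red attachment with the
    event title plus the user and timestamp fields taken from the event."""
    return {
        "username": "Graylog",
        "attachments": [{
            "color": color,
            "title": title,
            "text": "Correlation fired: SSH session not closed within 16 minutes.",
            "fields": [
                {"title": "user", "value": user, "short": True},
                {"title": "timestamp", "value": timestamp, "short": True},
            ],
        }],
    }


def send_test_notification(webhook_url: str, payload: dict) -> int:
    """POST the payload to the /slack endpoint and return the HTTP status code."""
    req = urllib.request.Request(
        discord_slack_endpoint(webhook_url),
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    # Placeholder URL: replace with the one copied from the Discord channel integration.
    url = "https://discord.com/api/webhooks/PLACEHOLDER_ID/PLACEHOLDER_TOKEN"
    payload = slack_style_payload("SSH session open too long", "jdar", "CONSTRUCTED_TIMESTAMP")
    print(send_test_notification(url, payload))
```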
As you'll see, once we've built this out, my alerts are set up, the events are set up, and they're firing because they're being triggered. What it did was send this to my individual channel. It was a Graylog channel, and highlighted in red is the actual "SSH logon open too long" message that we built, with the actual user, Jdar, and the timestamp. Hopefully, this is something new you might want to try, or just something you didn't know about. I wanted to highlight this quick configuration tweak for sending this notification to a Discord channel.
As always, happy logging with Graylog. Have a great day.