What is Auth0 Signals Slack Bot?
The Signals Slack Bot is a new tool built on top of the Signals API for cybersecurity professionals, SecOps, analysts, and forensics teams who want to get the most out of the API without writing a single line of code. With this tool, they can perform risk assessment tasks on IP datasets and email addresses and share the results right away with their colleagues in public and private Slack channels. The bot offers a quick and simple interface to the advanced Email Verification and IP Reputation features of the API, combined with some interactive features to drill down into the data.
Installation of the Signals Slack Bot can be launched from the main Auth0 Signals page or from the Slack Directory. Keep in mind that a valid Auth0 Signals account is required before the bot can be enabled. Please read the article on how to create one first.
There are three different sections on the Home page:
- The one at the top shows the list of available commands. Each of these commands maps to a specific feature of the Signals API.
- The second section shows information about the configured API Key. Clicking on the Add/Change API Key button lets a user change the API Key.
- The third section is the daily quota of the account, showing the number of requests consumed today and a countdown until the next reset (the quota command also shows this information at any time).
Once the app is installed, do not forget to add the API Key obtained after signing up in Auth0 Signals on the Home page of the SignalsBot App.
Testing the app
To perform a quick test and check that everything is running fine, click on the Messages tab on the right-hand side of Home and execute the ip (lowercase) command with a public IP address.
Invite the bot to a channel
Since the Slack Signals Bot is an App, any user can invite it to a channel by mentioning it there. All the information the bot returns will be visible to every member of that public or private channel.
Any user in the channel can use the bot simply by prefixing the bot commands with the name of the Auth0 Signals Slack Bot App:
@SignalsBot ip AAA.BBB.CCC.DDD
To obtain the risk score of an IP address, the Slack Signals Bot App has the command ip IP_ADDRESS. This command performs several checks on the given IP address, returning an individual score for each test and a global score that summarizes them all. It also returns detailed information about the IP address from different sources. An article on our community site details how the algorithm works and the data returned.
email EMAIL_ADDRESS calculates the global risk score of an email address from several tests, each of which returns its own individual score; these scores are summarized into the global score. It also retrieves information that can help SecOps teams better understand the user profile behind the email address. An article on our community site details how the algorithm works and the data returned.
Blacklist catalog and details
To display the full list of datasets, the available command is blacklists. It lets the user choose which catalog to display: IP addresses, domains, or emails. More details about a blocklist can be displayed by clicking on the button with the name of the dataset. For example, TOR.
Bulk analysis of source IP addresses
The Signals Slack Bot can process large files with thousands of source IP addresses and determine risk across larger datasets. The supported Comma-Separated-Value format is one IP address per line, with an optional request count after the comma:
IP_ADDRESS_1[,NUMBER_OF_REQUESTS_1]
IP_ADDRESS_2[,NUMBER_OF_REQUESTS_2]
IP_ADDRESS_3[,NUMBER_OF_REQUESTS_3]
...
IP_ADDRESS_n[,NUMBER_OF_REQUESTS_n]
Upload the file in Slack and give the SignalsBot App user permission to read the file.
To process a CSV file of IP addresses and obtain a threat report, use the command process NAME_OF_THE_FILE. In a few seconds the bot will return the ID of the report, plus direct access to it by clicking the Check report availability button.
The first page of the report displays a summary with the total number of requests made, the number of unique IP addresses, and the requests and IP addresses found in the Signals blocklist databases.
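The following is an added example, not code from the Auth0 Signals bot or its backend. It shows what the CSV format described above looks like once parsed, and how the first-page summary figures (total requests, unique IPs, listed requests and listed IPs) are derived from it. The sample file and the blocklist set are constructed for the example; the real bot queries the Signals blocklist databases server-side. The private-network check is an assumption added here so an analyst can spot internal addresses that slipped into an export before uploading the file.

```python
import csv
import ipaddress
from io import StringIO

# Constructed sample in the bot's CSV format: IP_ADDRESS[,NUMBER_OF_REQUESTS].
# Line 3 repeats an IP, line 5 is an internal address, line 6 is malformed.
SAMPLE_CSV = """\
203.0.113.10,120
198.51.100.7
203.0.113.10,30
192.0.2.55,5
10.0.0.1,9
not-an-ip,3
"""

# Constructed stand-in for the Signals blocklist databases (assumption).
SAMPLE_BLOCKLIST = {"203.0.113.10", "192.0.2.55"}

# Sources that no public blocklist can describe; flag them before upload (assumption).
LOCAL_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]


def parse_ip_counts(text):
    """Parse IP_ADDRESS[,NUMBER_OF_REQUESTS] lines.

    Returns (counts, rejected). counts maps each accepted IP to its total
    number of requests: a missing count defaults to 1 and repeated IPs are
    summed. rejected lists (line_number, reason) for rows that should be
    fixed before the file is handed to the process command.
    """
    counts = {}
    rejected = []
    for lineno, row in enumerate(csv.reader(StringIO(text)), start=1):
        if not row or not row[0].strip():
            continue  # blank line
        if len(row) > 2:
            rejected.append((lineno, "too many fields"))
            continue
        try:
            ip = ipaddress.ip_address(row[0].strip())
        except ValueError:
            rejected.append((lineno, "invalid IP address"))
            continue
        if any(ip in net for net in LOCAL_NETWORKS):
            rejected.append((lineno, "private or loopback address"))
            continue
        n = 1
        if len(row) == 2 and row[1].strip():
            try:
                n = int(row[1])
            except ValueError:
                rejected.append((lineno, "invalid request count"))
                continue
            if n < 1:
                rejected.append((lineno, "request count must be positive"))
                continue
        counts[str(ip)] = counts.get(str(ip), 0) + n
    return counts, rejected


def summarize(counts, blocklist):
    """Compute the figures shown on the first page of a bulk report."""
    listed = {ip: n for ip, n in counts.items() if ip in blocklist}
    return {
        "total_requests": sum(counts.values()),
        "unique_ips": len(counts),
        "listed_requests": sum(listed.values()),
        "listed_ips": len(listed),
    }


if __name__ == "__main__":
    counts, rejected = parse_ip_counts(SAMPLE_CSV)
    for lineno, reason in rejected:
        print(f"line {lineno}: {reason}")
    print(summarize(counts, SAMPLE_BLOCKLIST))
```

Running the block reports the two rejected lines and a summary of 156 total requests across 3 unique IPs, of which 155 requests from 2 IPs are on the constructed blocklist; note that the 120 and 30 requests for the repeated address are merged into one entry, which is also how the bot's "unique IP addresses" figure differs from the raw line count.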
The different subreports are focused on different views of the data:
- By risk
- By blacklist name
- By taxonomies
- By countries
- By AS
The reports are stored in the backend service of Auth0 Signals. To list the existing reports, use the command reports; clicking on a report in the list shows it at any time. If the user already knows the ID of the report, this step can be bypassed with the command report REPORT_ID to show the report directly.