TITB is a fork of the Threat Intelligence Discord Bot from vx-underground, adapted for Microsoft Teams and modified to run as an hourly GitHub Action.
The vx-underground Threat Intelligence Discord Bot gets updates from various clearnet domains and ransomware threat actor domains; that bot checks for updates in intervals of 1800 seconds.
- Written in Python
- ⚠️ Required version: Python 3.10+
- Requires a Teams Webhook
Threat Intelligence Teams Bot gets updates from various clearnet domains and ransomware threat actor domains.
This bot will check for updates hourly.
The changes I've made:
- GitHub Action: see the fetchCTI.yml file.
- Feed list externalized from the source code to the file Feed.csv
- Use the JSON lib to get the ransomware attacks list from Ransomwatch
- Add an emoji in front of the MS Teams Card related to some sources
- Use only one MS Teams Channel
- Refactoring with best practices
- No need to add any entry in Config.txt (added automatically)
- Check that Python 3.10+ is present (needed for some functions)
- Add a requirements.txt
- Add a feedCheck.py script to check the health of the feed from Feed.csv file
- Add options for command line usage
- Check if a new version is available
I've decided to remove the TelegramBot because it was not relevant for my needs.
Clone the repository or download the latest release
git clone https://github.com/JMousqueton/CTI-MSTeams-Bot
Install all the modules in requirements.txt
pip3 install -r requirements.txt
- Create a MS-Teams WebHook
- In an environment you will call CI, paste the created webhook URL in a MSTEAMS_WEBHOOK variable.
- Create a variable called MSTEAMS_WEBHOOK with the webhook URL
- Schedule the script, for example every hour via the crontab
Example
MSTEAMS_WEBHOOK=https://mousqueton.webhook.office.com/webhookb2/08589F1C-EEA2-4C92-A08B-66E59692FDE3/IncomingWebhook/3DEFFDD9-F3A8-4351-BDA7-142FAFB7473A
python3 TeamIntelBot.py
Note: the IDs have been generated with uuidgen for example purposes.
python3 TeamsIntelBot.py -h
Usage: TeamsIntelBot.py [options]
Options:
--version show program's version number and exit
-h, --help show this help message and exit
-q, --quiet Quiet mode
-D, --debug Debug mode : only output on screen nothing send to MS Teams
I've also added a script called checkFeed.py to check if feeds are valid and what the last published date is. This script reads the Feed.csv file.
python3 checkFeed.py
✅ Modexp (Sun, 31 Jul 2022 00:01:53 +0000)
✅ James Forshaw (2022-07-16T21:49:00.000-07:00)
✅ Adam Chester (Sat, 09 Jul 2022 23:00:00 GMT)
✅ Microsoft Security (Thu, 11 Aug 2022 16:00:00 +0000)
✅ Recorded Future (Thu, 18 Aug 2022 00:00:00 GMT)
✅ SentinelOne (Wed, 11 May 2022 14:56:53 +0000)
✅ RedCanary (Thu, 18 Aug 2022 21:53:55 +0000)
✅ Cyber-News (Fri, 19 Aug 2022 15:14:56 +0000)
✅ Leak-Lookup (Fri, 19 Aug 2022 04:00:02 +0200)
✅ ATT (2022-08-17T10:00:00+00:00)
✅ US-CERT CISA (Tue, 16 Aug 2022 15:38:42 +0000)
✅ NCSC (Thu, 18 Aug 2022 23:00:00 GMT)
✅ Center of Internet Security (Thu, 18 Aug 2022 01:43:07 -0400)
✅ FR-CERT Alertes (Tue, 31 May 2022 11:12:01 +0000)
✅ FR-CERT Avis (Fri, 19 Aug 2022 11:22:29 +0000)
✅ EU-ENISA Publications (2022-07-27T10:00:00Z)
✅ Microsoft Sentinel (Thu, 18 Aug 2022 08:31:51 PDT)
All monitored RSS feeds are listed in the Feed.csv file. To add a new RSS feed, simply append a new entry (URL, then display name), e.g. in the Feed.csv file:
https://grahamcluley.com/feed/,Graham Cluley
https://1337WebsiteIWannaFollow.com/feed/,1337Website
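To show what a feed health check over Feed.csv involves (reading the "url,name" rows, telling RSS 2.0 from Atom, and comparing the RFC 2822 and ISO 8601 dates that checkFeed.py prints), here is an added example; it is not the project's checkFeed.py. The Feed.csv rows, the feed bodies, and the `fetch` callable replacing the HTTP request are all constructed for the example.

```python
import csv
import io
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
# Constructed Feed.csv content, in the project's "url,name" layout.
FEED_CSV = """https://example.invalid/rss,Example RSS
https://example.invalid/atom,Example Atom
"""
# Constructed feed bodies keyed by URL; they stand in for the HTTP fetch.
FEED_BODIES = {
    "https://example.invalid/rss": b"""<rss version="2.0"><channel>
<item><title>Old</title><pubDate>Sun, 31 Jul 2022 00:01:53 +0000</pubDate></item>
<item><title>New</title><pubDate>Fri, 19 Aug 2022 15:14:56 +0000</pubDate></item>
</channel></rss>""",
    "https://example.invalid/atom": b"""<feed xmlns="http://www.w3.org/2005/Atom">
<entry><title>Only</title><updated>2022-07-27T10:00:00Z</updated></entry>
</feed>""",
}
ATOM = "{http://www.w3.org/2005/Atom}"

def parse_date(text):
    """Accept RFC 2822 (RSS pubDate) or ISO 8601 (Atom updated); naive times count as UTC."""
    try:
        dt = parsedate_to_datetime(text.strip())
    except (TypeError, ValueError):  # not RFC 2822, so try ISO 8601
        dt = datetime.fromisoformat(text.strip().replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def latest_entry_date(body):
    """Newest entry timestamp of an RSS 2.0 or Atom document, or None if it has no entries."""
    root = ET.fromstring(body)
    if root.tag == "rss":
        nodes = root.iterfind("./channel/item/pubDate")
    elif root.tag == ATOM + "feed":
        nodes = root.iterfind(f"./{ATOM}entry/{ATOM}updated")
    else:
        raise ValueError(f"not an RSS/Atom document: <{root.tag}>")
    dates = [parse_date(n.text) for n in nodes if n.text]
    return max(dates) if dates else None

def check_feeds(feed_csv, fetch):
    """Per feed name: the latest entry date, or an 'invalid: ...' string."""
    report = {}
    for url, name in csv.reader(io.StringIO(feed_csv)):
        try:
            report[name] = latest_entry_date(fetch(url))
        except (ET.ParseError, ValueError, KeyError) as exc:
            report[name] = f"invalid: {exc}"
    return report
```

A feed whose body is not RSS/Atom, fails to parse, or cannot be fetched is reported as invalid instead of aborting the whole run, so one dead source in Feed.csv does not hide the status of the others.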
I've added the following sources:
- 🇫🇷 FR-CERT Avis (aka ANSSI): notices from the French government CERT
- 🇫🇷 FR-CERT Alertes (aka ANSSI): alerts from the French government CERT
- Leak-Lookup: leak notifications
- Cyber-News
- ATT CyberSecurity Blog
- 🇪🇺 ENISA Publications
- NCC Group
- Microsoft Sentinel
- SANS
This was made by smelly__vx over a slow and boring weekend. We hope it provides some value to your channel and/or organization.
Thanks to my fellow students from 🏴‍☠️ Ecole 2600 for the support and advice during the nights.