Callbacks¶
Callbacks are a key part of the Threat Patrols Actions framework since they make it possible to emit results from an Action to other systems and processes.
Callbacks are defined in the `callbacks` section of an Action YAML formatted configuration file.
threatpatrols¶
Example threatpatrols callback configuration.
- Notice the ability to use environment variable values using `${}` variable name notation.
http¶
Example http callback configurations.
- Notice the ability to use tag values by referencing them as `{tag.action_name}`; all Action responses carry automatically-created tags, and user-defined tags can also be referenced here.
```yaml
http:
  http01example:
    method: POST
    url: "https://httpbin.org/anything/test-example-post"
    headers:
      Authentication: "Bearer ${TPASDEV_FAUX_BEARER_TOKEN}"
    verify: false
    send: summary
  http02example:
    method: GET
    url: "https://httpbin.org/anything/test-example-get/?action-name={tag.action_name}&call-id={tag.call_id}"
```
s3put¶
Example s3put callback configurations.
- Notice the special `call_id_prefix` tag that represents the year-month-day (in YYYYMMDD format) of the `call_id` value.
- Notice the various `send` types:
  - `summary`: summary data from the Action
  - `output`: output from the Action
  - `input`: input value that went into the Action
  - `content_b64decode`: binary output from the Action, base64 decoded from content
```yaml
s3put:
  s3put01example:
    url: "s3://customer-bucket/testing/{tag.action_name}/{tag.call_id_prefix}/{tag.call_id}.summary"
    send: summary
  s3put02example:
    url: "s3://other-customer-bucket/testing/{tag.action_name}/{tag.call_id_prefix}/{tag.call_id}.out"
    send: output
  s3put03example:
    url: "s3://${TPASDEV_S3PUT_BUCKET}/testing/{tag.action_name}/{tag.call_id_prefix}/{tag.call_id}.in"
    send: input
  s3put04example:
    url: "s3://${TPASDEV_S3PUT_BUCKET}/testing/{tag.action_name}/{tag.call_id_prefix}/{tag.call_id}.content"
    send: content_b64decode
```
slack¶
Example slack callback configurations.
- Notice the use of `send: content_b64decode`, which sends a binary file/image/etc. to the Slack channel together with a message.
```yaml
slack:
  slack01example: # send content_b64decode
    token: "${TPASDEV_SLACK_BOT_TOKEN}"
    channel: "${TPASDEV_SLACK_CHANNEL}"
    message: |
      *{tag.action_title}*
      - *url*: `{url}`
      - *status_code*: {status_code}
      - *nodename*: {tag.platform_node}
      - *call_id*: {tag.call_id}
      - *task_id*: {tag.task_id}
    send: content_b64decode
  slack02example: # send summary
    token: "${TPASDEV_SLACK_BOT_TOKEN}"
    channel: "${TPASDEV_SLACK_CHANNEL}"
    message: |
      *{tag.action_title}*
      - *url*: `{url}`
      - *status_code*: {status_code}
      - *nodename*: {tag.platform_node}
      - *call_id*: {tag.call_id}
      - *task_id*: {tag.task_id}
    send: summary
```
smtp¶
Example smtp callback configurations.
- Notice the use of `send: content_b64decode`, which attaches a binary file/image/etc. to the email to be sent.
```yaml
smtp:
  smtp01example: # send content_b64decode
    smtp_host: "${TPASDEV_SMTP_HOST}"
    smtp_port: "${TPASDEV_SMTP_PORT}"
    smtp_user: "${TPASDEV_SMTP_USER}"
    smtp_pass: "${TPASDEV_SMTP_PASS}"
    email_to: "${TPASDEV_SMTP_EMAIL_TO}"
    email_from: "{tag.action_title} Testing <user@testing.null>"
    email_subject: "{tag.action_name} | call: {tag.call_id}"
    email_text: |
      {tag.action_title}
      - url: {url}
      - status_code: {status_code}
      - nodename: {tag.platform_node}
      - call_id: {tag.call_id}
      - task_id: {tag.task_id}
    send: content_b64decode
  smtp02example: # send summary
    smtp_host: "${TPASDEV_SMTP_HOST}"
    smtp_port: "${TPASDEV_SMTP_PORT}"
    smtp_user: "${TPASDEV_SMTP_USER}"
    smtp_pass: "${TPASDEV_SMTP_PASS}"
    email_to: "${TPASDEV_SMTP_EMAIL_TO}"
    email_from: "{tag.action_title} Testing <user@testing.null>"
    email_subject: "{tag.action_name} | call: {tag.call_id}"
    email_text: |
      {tag.action_title}
      - url: {url}
      - status_code: {status_code}
      - nodename: {tag.platform_node}
      - call_id: {tag.call_id}
      - task_id: {tag.task_id}
    send: summary
```
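The `${VAR}` and `{tag.name}` notations used throughout the callback templates above (threatpatrols, http, s3put, slack, smtp) can be resolved with a single-pass substitution that refuses to emit a callback when a value is missing. This is an added illustration, not the framework's own implementation; the call_id timestamp format, the treatment of `{url}` and `{status_code}` as Action response fields, and all sample values are assumptions constructed for the example.

```python
import re
from datetime import datetime

# One regex, one pass: ${VAR} is an environment value, {tag.x} an Action tag,
# {x} a field of the Action response. Substituted text is never re-scanned, so
# a secret or tag value that itself contains braces cannot act as a placeholder.
PLACEHOLDER = re.compile(r"\$\{(?P<env>[A-Za-z_]\w*)\}|\{(?P<tag>tag\.)?(?P<field>[A-Za-z_]\w*)\}")


def call_id_prefix(call_id: str) -> str:
    """YYYYMMDD tag derived from call_id. Assumption for this example: call_id
    begins with a UTC timestamp such as 2024-05-17T09:31:05Z."""
    return datetime.strptime(call_id[:20], "%Y-%m-%dT%H:%M:%SZ").strftime("%Y%m%d")


def render(template: str, tags: dict, response: dict, env: dict) -> str:
    """Resolve every placeholder or raise KeyError. Failing closed matters: an
    unresolved ${TOKEN} would otherwise be sent verbatim in a header, and an
    unresolved {tag.x} would end up inside a URL or object key."""
    def substitute(match):
        if match.group("env") is not None:
            return env[match.group("env")]
        source = tags if match.group("tag") else response
        return str(source[match.group("field")])
    return PLACEHOLDER.sub(substitute, template)


# Constructed sample inputs standing in for a real Action run.
SAMPLE_ENV = {"TPASDEV_S3PUT_BUCKET": "customer-bucket"}
SAMPLE_RESPONSE = {"url": "https://example.invalid/health", "status_code": 200}
SAMPLE_TAGS = {"action_name": "http-check", "action_title": "HTTP Check",
               "call_id": "2024-05-17T09:31:05Z-7f3a", "platform_node": "worker-01"}
SAMPLE_TAGS["call_id_prefix"] = call_id_prefix(SAMPLE_TAGS["call_id"])

S3PUT_URL = "s3://${TPASDEV_S3PUT_BUCKET}/testing/{tag.action_name}/{tag.call_id_prefix}/{tag.call_id}.in"
SLACK_MESSAGE = "*{tag.action_title}*\n- *url*: `{url}`\n- *status_code*: {status_code}"


def render_s3put_url(env: dict = SAMPLE_ENV) -> str:
    return render(S3PUT_URL, SAMPLE_TAGS, SAMPLE_RESPONSE, env)


def render_slack_message() -> str:
    return render(SLACK_MESSAGE, SAMPLE_TAGS, SAMPLE_RESPONSE, SAMPLE_ENV)


if __name__ == "__main__":
    print(render_s3put_url())
    print(render_slack_message())
```

Calling `render_s3put_url(env={})` raises `KeyError` for the unset bucket variable, which is the behaviour to want from a callback sink: no object is written to a literal `${TPASDEV_S3PUT_BUCKET}` path.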