Spyderbat notifications let analysts and operators be notified of specific activity in their Linux runtime environment: an individual “flag” or a broader security context identified by Spyderbat, or general system activity on and between systems, such as a specific user logging in, interesting outbound connection activity, and many others.
Any dashboard card can be configured to forward notifications, and any search query can be used to create a dashboard card, providing a lot of flexibility for customization.
First, you will need to be an admin to set up and configure notifications. If you navigate to the “Admin” section of the product on the left-hand side navigation, you’ll find a “Notifications” tab where you can configure a notification “endpoint”.
A notification endpoint is an Amazon Simple Notification Service (SNS) topic set up in your own AWS account. Dashboard cards can then forward notifications to this endpoint/SNS topic, and from there you have a number of flexible options for routing them. For example, SNS lets you create subscriptions to a topic that forward each notification as an email, as an SMS, or to other AWS services, including AWS Lambda when you want to configure a custom action.
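As an added example (not Spyderbat's or AWS's own code), here is a Python Lambda handler for the custom-action route just mentioned: it decodes the SNS event envelope Lambda receives, drops records from any topic other than the one configured as the endpoint, and keeps a non-JSON message body instead of failing. The topic ARN is a placeholder and the inner message bodies are constructed for illustration; the page does not show Spyderbat's actual notification schema.

```python
import json

# Placeholder ARN: replace with the topic you configured as the Spyderbat endpoint.
EXPECTED_TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:spyderbat-notifications"


def decode_sns_records(event, expected_topic_arn=EXPECTED_TOPIC_ARN):
    """Decode the SNS records of a Lambda event into a list of dicts.
    Records from any other topic are dropped, so a subscription attached to the
    wrong topic cannot trigger the action; a non-JSON Message is kept as "raw"."""
    decoded = []
    for record in event.get("Records", []):
        sns = record.get("Sns") or {}
        if sns.get("TopicArn") != expected_topic_arn:
            continue
        message = sns.get("Message", "")
        try:
            payload = json.loads(message)
        except (TypeError, ValueError):
            payload = {"raw": message}
        decoded.append({"message_id": sns.get("MessageId"),
                        "subject": sns.get("Subject"),
                        "timestamp": sns.get("Timestamp"),
                        "payload": payload})
    return decoded


def lambda_handler(event, context=None):
    """Entry point for an SNS-subscribed Lambda: log each decoded notification."""
    notifications = decode_sns_records(event)
    for n in notifications:
        print(json.dumps(n, sort_keys=True))
    return {"processed": len(notifications)}


# Constructed sample event in the shape SNS hands to Lambda. The inner "Message"
# bodies are made up for illustration and are not Spyderbat's notification schema.
SAMPLE_EVENT = {"Records": [
    {"EventSource": "aws:sns", "Sns": {
        "TopicArn": EXPECTED_TOPIC_ARN, "MessageId": "m-1", "Subject": "Spyderbat test",
        "Timestamp": "2021-01-01T00:00:00.000Z",
        "Message": json.dumps({"card": "high priority flags", "count": 2})}},
    {"EventSource": "aws:sns", "Sns": {  # different topic: must be ignored
        "TopicArn": "arn:aws:sns:us-east-1:123456789012:other-topic",
        "MessageId": "m-2", "Message": "{}"}},
    {"EventSource": "aws:sns", "Sns": {  # non-JSON body: kept as raw text
        "TopicArn": EXPECTED_TOPIC_ARN, "MessageId": "m-3", "Message": "not json"}},
]}

if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT))
```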
See our previously posted step-by-step guide for configuring an SNS topic in your AWS account. You can also find this linked in the Spyderbat Admin Notifications UI.
The image below shows a previously configured topic with one subscription, which sends notifications as a JSON object to a particular email address.
Once you have configured your SNS topic and subscription and added the endpoint in Spyderbat, you can send a test notification to it with the “send test” button next to the endpoint. You may also configure multiple notification endpoints. Here is the email with the JSON-formatted content we received from our test message.
Once your notification endpoint is configured and tested, you can choose which dashboard cards send notifications to it. You will need to be an admin to bind a dashboard card to a notification endpoint. On our dashboard, let’s configure the card for high priority flags detected by Spyderbat to send notifications. The line through the notification symbol on this card tells us it currently has no notifications configured.
If we click on the notification symbol, we see our notification endpoint listed, and we can select the time window over which new notifications are collected. Let’s select 5 mins to be notified of all matching flags that appear in the most recent five-minute window.
The notification symbol is now active, telling us this card is forwarding notifications. For a summary across cards, select the “customize dashboard” option in the top right to see which cards are configured to forward notifications.
That’s a quick tour of setting up and configuring notifications in Spyderbat – happy tracing!