Instant Internal Auditing with PXM, SIEM and Slack

Andy Harris

Instant Internal Auditing
For many organisations, Slack has become the central hub for communications, not only between people but between processes and people.
At Osirium, our development teams have their continuous integration and continuous delivery systems connected to Slack, so they can see the status of every build. The technical support team know when new release candidates are ready – and what Jira tickets they address.
Against this background, it makes sense that our PxM Platform (Privileged Access Management), PPA (Privileged Process Automation) and PEM (Privileged Endpoint Management) products should use the same notification mechanism.
All our products generate ‘Common Event Format’ (CEF) Syslog messages. These are processed by our Security Information and Event Management (SIEM) system, which forwards the important ones to Slack. Here’s Gemma, part of Osirium’s Support team, showing how this all fits together:
At Osirium, we use the Elastic Stack, but we could just as easily use LogRhythm, ArcSight, Splunk or LogPoint, since all of these can post notifications to Slack through its API.
Notifications are one of Slack’s most useful features. They are intelligent in that they go to wherever Slack knows you are. For example, if you’re logged in to Slack on the web but not looking at it, your notifications can go to Slack Mobile instead, where they pop up on your phone’s home screen.
Instant Internal Auditing
Each of us gets used to the normal stream of notifications and scans it for what is relevant to us, so we become attuned to who is touching the systems we care about. We learn what the people around us normally do, and when someone does something unusual, we notice. We’ve dubbed this Instant Internal Auditing. When everyone knows what is going on, they know when to shout and when to wonder. The result is that systems keep running longer, and people are naturally deterred from poking around where they shouldn’t.
Here’s the overall architecture

You can see exactly how we’ve done this, as we’ve made our redacted Slack Action file available on GitHub. In essence, the SIEM uses Slack incoming webhooks to send notifications to the selected channels over HTTPS. Note that a webhook URL is effectively a bearer secret: anyone who holds it can post into that channel as the SIEM, so it should be stored as a secret and never committed to a repository or echoed into logs. Slack users can then define keywords on a per-channel basis to decide which notifications are relevant to them.
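To make the CEF-to-Slack path above concrete, here is an added example of the glue a SIEM action typically performs: parse CEF syslog lines, decide which channel each event belongs in, and build the JSON body for a Slack incoming webhook. This is not Osirium’s Slack Action file or any of its product code; the sample CEF lines, the signature IDs, the channel names, the routing rule (severity 7 and above, or a break-glass signature, goes to an alerts channel) and the environment variable names holding the webhook URLs are all constructed for illustration. Because field values come from logs, the example also escapes the characters Slack treats as markup, so a crafted username or message cannot inject a link or an @here mention into the channel.

```python
"""Route CEF syslog events to Slack incoming webhooks (illustrative example)."""
import json
import os
import re
import urllib.request

# Constructed sample CEF lines (not real Osirium output). CEF layout is
# CEF:Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity|Extension
SAMPLE_CEF_LINES = [
    "CEF:0|Example|PAM|1.0|100|Privileged session started|3|suser=alice dhost=db01 msg=ssh session",
    "CEF:0|Example|PAM|1.0|200|Break-glass access used|9|suser=bob dhost=dc01 msg=emergency login",
    "CEF:0|Example|PAM|1.0|300|Password changed by admin|7|suser=carol dhost=db01 msg=rotation <!here>",
]

HEADER_KEYS = ("version", "vendor", "product", "device_version",
               "signature_id", "name", "severity")
_HEADER_SPLIT = re.compile(r"(?<!\\)\|")              # split header on unescaped '|'
_EXT_PAIR = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")   # key=value pairs; values may contain spaces
_SEVERITY_WORDS = {"low": 0, "medium": 4, "high": 7, "very-high": 9}  # word form -> bottom of range


def _unescape(value: str) -> str:
    """Undo the CEF escapes for '|', '=' and '\\'."""
    return value.replace(r"\|", "|").replace(r"\=", "=").replace("\\\\", "\\")


def parse_cef(line: str) -> dict:
    """Parse one CEF line into its seven header fields plus an 'ext' dict of extensions."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF message")
    parts = _HEADER_SPLIT.split(line[len("CEF:"):], maxsplit=7)
    if len(parts) < 7:
        raise ValueError("truncated CEF header")
    event = {key: _unescape(val) for key, val in zip(HEADER_KEYS, parts)}
    sev = event["severity"].lower()
    event["severity"] = _SEVERITY_WORDS[sev] if sev in _SEVERITY_WORDS else int(sev)
    extension = parts[7] if len(parts) > 7 else ""
    event["ext"] = {key: _unescape(val) for key, val in _EXT_PAIR.findall(extension)}
    return event


ALERT_SEVERITY = 7                 # constructed policy: high / very-high are alerts
ALWAYS_ALERT_SIGNATURES = {"200"}  # constructed: break-glass is an alert at any severity


def route(event: dict) -> str:
    """Pick the destination channel for an event (constructed routing policy)."""
    if event["severity"] >= ALERT_SEVERITY or event["signature_id"] in ALWAYS_ALERT_SIGNATURES:
        return "#pam-alerts"
    return "#pam-activity"


def slack_escape(text: str) -> str:
    """Log content is untrusted: escape the characters Slack parses as markup so a
    crafted username or message cannot smuggle in links or <!here> mentions."""
    return text.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")


def slack_payload(event: dict) -> dict:
    """Build the JSON body for a Slack incoming webhook from a parsed event."""
    ext = event["ext"]
    text = (f"*{slack_escape(event['name'])}* (severity {event['severity']}) "
            f"user=`{slack_escape(ext.get('suser', '?'))}` "
            f"host=`{slack_escape(ext.get('dhost', '?'))}`")
    if ext.get("msg"):
        text += "\n> " + slack_escape(ext["msg"])
    return {"text": text}


def process(lines) -> list:
    """Return (channel, payload) for each well-formed line; malformed lines are skipped."""
    out = []
    for line in lines:
        try:
            event = parse_cef(line)
        except ValueError:
            continue
        out.append((route(event), slack_payload(event)))
    return out


# One incoming webhook per channel. The URL is a bearer secret: anyone holding it can post
# as the SIEM, so it is read from the environment and never written to the repo or to logs.
WEBHOOK_ENV = {"#pam-alerts": "SLACK_WEBHOOK_ALERTS", "#pam-activity": "SLACK_WEBHOOK_ACTIVITY"}


def post_to_slack(payload: dict, url: str, timeout: float = 5.0) -> int:
    """POST the payload to a webhook URL and return the HTTP status."""
    req = urllib.request.Request(url, data=json.dumps(payload).encode("utf-8"),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    for channel, payload in process(SAMPLE_CEF_LINES):
        url = os.environ.get(WEBHOOK_ENV[channel])
        if url:
            print(channel, post_to_slack(payload, url))
        else:  # no webhook configured: show what would have been sent
            print(channel, payload["text"])
```

Run it with no environment variables set and it prints the message text for each channel; set the two webhook variables to post for real. Routing here is deliberately a function of the parsed event rather than of raw string matching, so the same rule applies whether severity arrives as a number or as the CEF word form, and the per-channel keyword filtering described above is then left to each Slack user’s own notification settings.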
As always if you’d like to know more about any of our products and how they play well in process and infrastructure applications – please get in touch.