Send Alerts To Email & Telegram Bot

Token_URL: https://fragrant-nest-1863.tines.com/webhook/fbb79522d7a1ba2e2b3a345b8c86d2b0/ffdad141d67daea9ffd1548e6b4d41ec

Alerts_URL: https://fragrant-nest-1863.tines.com/webhook/4d51fa1a38d6f1e47812dad492986b4c/b4df1eff24bdeb354f3f76251fd2bc4e

Username: test

Password: 1234

Task:

1. Retrieve an authentication token from Token_URL.

2. Use the obtained token to fetch alerts from Alerts_URL.

3. Extract the source IP addresses from the alerts.

4. Check each IP address against VirusTotal for potential threats.

5. If an IP is flagged as malicious, send a notification to both a Telegram bot and your email.

We will begin by sending an HTTP Request to the Token_URL to obtain a token.

We need to provide the username and password to obtain the token.

Now that we have obtained the token, we can proceed with retrieving the alerts. To do this, we need to send another HTTP request to Alerts_URL, using the token acquired from the previous request.

Now that we have received the alerts, I want to isolate each alert individually to extract the source IP addresses separately. This will allow me to take further actions based on these source IPs.

I utilized Explode mode to separate each alert individually.

Next, we will add another Event Transform to extract the source IP from each alert.

Now that we have identified the source IPs, the next step is to analyze them using VirusTotal. Let's proceed with the investigation.

I sent three requests to VirusTotal for each IP address using the following URL: https://www.virustotal.com/api/v3/ip_addresses/{ip}. The requests were authenticated with an API key obtained from our VirusTotal account.

Next, let's verify whether the IP address is indeed malicious, as indicated by VirusTotal.

I extracted the IP address and the number of security vendors that flagged it as malicious from the VirusTotal results.

Now, let's trigger the event if the malicious value is greater than 0. We will store this value in the Event Transform for further actions.

We have identified two malicious IP addresses. To enhance our incident response, we will develop a Telegram bot to send these IPs as alerts. Additionally, we will forward the same IPs via email for further monitoring and documentation.

To create a Telegram boot:

• Open Telegram and search for @BotFather.

• Type /newbot and follow the instructions to create a bot.

• Save the bot token you receive

• To get your Chat ID, open Telegram and search for @userinfobot.

• Type /start, and it will show your Chat ID

And for the email.