{"id":24118021,"url":"https://github.com/digital-defense-institute/nims-webhook","last_synced_at":"2025-09-18T06:32:51.268Z","repository":{"id":271486778,"uuid":"912212464","full_name":"Digital-Defense-Institute/nims-webhook","owner":"Digital-Defense-Institute","description":"Supporting middleware for NIMS (Notion Incident Management System) ","archived":false,"fork":false,"pushed_at":"2025-01-08T04:36:37.000Z","size":1198,"stargazers_count":3,"open_issues_count":0,"forks_count":0,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-01-11T04:50:08.454Z","etag":null,"topics":["dfir","incident-management","incident-response","infosec","notion","secops"],"latest_commit_sha":null,"homepage":"https://nims-template.notion.site","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Digital-Defense-Institute.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2025-01-04T23:22:59.000Z","updated_at":"2025-01-08T20:41:34.000Z","dependencies_parsed_at":"2025-01-08T04:26:01.331Z","dependency_job_id":"c58a3e0b-d5ce-4cf9-96f8-71dfdb433925","html_url":"https://github.com/Digital-Defense-Institute/nims-webhook","commit_stats":null,"previous_names":["shortstack/nims-webhook","digital-defense-institute/nims-webhook"],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Digital-Defense-Institute%2Fnims-webhook","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Digital-Defense-Institute%2Fnims-webhook/tags","releases_url":"https://repo
s.ecosyste.ms/api/v1/hosts/GitHub/repositories/Digital-Defense-Institute%2Fnims-webhook/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Digital-Defense-Institute%2Fnims-webhook/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Digital-Defense-Institute","download_url":"https://codeload.github.com/Digital-Defense-Institute/nims-webhook/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":233456079,"owners_count":18678968,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dfir","incident-management","incident-response","infosec","notion","secops"],"created_at":"2025-01-11T08:17:21.599Z","updated_at":"2025-09-18T06:32:51.242Z","avatar_url":"https://github.com/Digital-Defense-Institute.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# NIMS (Notion Incident Management System) Webhook\n\nThis is an all-in-one binary that listens on port 9000, catches detections POSTed via webhook to `/hooks/alert`, and creates alerts in your [NIMS alerts database](https://nims-template.notion.site/).\n\n## To build\nInstall Go\n```bash\nsudo apt update\nsudo apt -y install golang-go\n```\nBuild the binary\n```bash\ncd nims-webhook\ngo mod init nims-webhook\ngo mod tidy\ngo build nims-webhook.go\n```\n\n## To run\nEither build the binary (steps above) if you wish to make modifications, or download it from [the releases page](https://github.com/shortstack/nims-webhook/releases) and run it.
\n\nFirst, put your Notion auth token and database IDs in `.env`. The file holds a live Notion integration token, so keep it readable only by the account that runs the binary (for example `chmod 600 .env`) and keep it out of version control.\n\nYou can generate and configure your auth token by following the steps in [NOTION.md](./NOTION.md).\n\nThis binary will automatically purge alerts that are not associated with an incident and are older than `NOTION_ALERT_AGE` (in days) if `AUTO_PURGE_ALERTS` is set to `true`. The example below keeps purging off.\n```bash\nNIMS_ASSETS_DATABASE_ID=\nNIMS_ALERTS_DATABASE_ID=\nNOTION_AUTH_TOKEN=\nNOTION_ALERT_AGE=30\nAUTO_PURGE_ALERTS=false\n```\nRun the binary\n```bash\nchmod +x nims-webhook\n./nims-webhook\n```\n\nNothing in this setup authenticates the sender of a webhook, so limit who can reach port 9000 (a host firewall, or a reverse proxy in front of it that enforces authentication) rather than exposing it to the internet; only the network your detection source posts from needs access.\n\n## Fields\nThe following fields are currently used:\n* `routing.hostname` - the hostname of the affected host\n* `routing.int_ip` - the internal IP address of the affected host\n* `routing.event_time` - the timestamp of the detection event (epoch milliseconds, as in the example below)\n* `detect` - the full event details captured during detection\n* `detect_mtd` - metadata associated with the detection\n* `link` - the URL linking directly to the alert within LimaCharlie\n* `cat` - the name or category of the alert\n\nTo customize these fields or replace them with others from your JSON objects, edit the `nims-webhook.go` file, specifically the `webhookHandler` function.\n\nSimilarly, if you modify fields in your Notion template and want those changes reflected in the script, update both the `webhookHandler` and `addAlert` functions.\n\n## Example request\n```bash\ncurl -X POST http://127.0.0.1:9000/hooks/alert \\\n-H \"Content-Type: application/json\" \\\n-d '{\n  \"author\": \"_soteria-rules-edr-123abc45-678d-901e-fghi-234567jklmno[bulk][segment]\",\n  \"cat\": \"00456-WIN-mshta_Network_Connection_to_External_IP\",\n  \"detect\": {\n    \"event\": {\n      \"COMMAND_LINE\": \"C:\\\\Windows\\\\System32\\\\mshta.exe\",\n      \"CREATION_TIME\": 1736019135814,\n      \"FILE_IS_SIGNED\": 1,\n      \"FILE_PATH\": \"C:\\\\Windows\\\\System32\\\\mshta.exe\",\n      \"HASH\": 
\"a1234567b89cd012ef34gh567ijklmn8901234567abcdef890123456789abcdef\",\n      \"NETWORK_ACTIVITY\": [\n        {\n          \"DESTINATION\": {\n            \"IP_ADDRESS\": \"192.168.15.23\",\n            \"PORT\": 443\n          },\n          \"IS_OUTGOING\": 1,\n          \"PROTOCOL\": \"tcp4\",\n          \"SOURCE\": {\n            \"IP_ADDRESS\": \"172.16.10.45\",\n            \"PORT\": 60432\n          },\n          \"STATE\": 8,\n          \"TIMESTAMP\": 1736019210633\n        }\n      ],\n      \"PARENT_PROCESS_ID\": 1052,\n      \"PROCESS_ID\": 2032,\n      \"USER_NAME\": \"CORP\\\\AdminUser\"\n    },\n    \"routing\": {\n      \"arch\": 2,\n      \"did\": \"\",\n      \"event_id\": \"4a3b2c1d-e5f6-47g8-h9ij-k123lmnopq45\",\n      \"event_time\": 1736019224486,\n      \"event_type\": \"NETWORK_CONNECTIONS\",\n      \"ext_ip\": \"203.0.113.45\",\n      \"hostname\": \"corporate-webserver.corp.internal\",\n      \"iid\": \"f12g34h5-i6jk-78lm-90no-pq12rstuv345\",\n      \"int_ip\": \"172.16.10.45\",\n      \"moduleid\": 3,\n      \"oid\": \"5678abcd-910e-11fg-hijk-123456lmnopq\",\n      \"parent\": \"abcd1234ef567gh8910ijklm234nopqr\",\n      \"plat\": 268435456,\n      \"sid\": \"789abcd1-2345-6789-0efg-hijklm123nop\",\n      \"tags\": [\n        \"windows\",\n        \"suspicious_execution\"\n      ],\n      \"this\": \"123abc456def789ghi012jkl345mnop678\"\n    }\n  },\n  \"detect_id\": \"abcdef12-3456-789a-0bc1-defghijklmno\",\n  \"detect_mtd\": {\n    \"description\": \"MSHTA is a legitimate tool used to execute HTML applications. It can be abused by attackers to download and execute malicious scripts. 
This detector identifies mshta.exe making external network connections, which is indicative of potential malicious activity.\",\n    \"falsepositives\": [\n      \"Legitimate administrative use of mshta.exe in secure environments.\"\n    ],\n    \"references\": [\n      \"https://lolbas-project.github.io/lolbas/Binaries/Mshta/\",\n      \"https://attack.mitre.org/techniques/T1218/005/\",\n      \"https://redcanary.com/threat-detection-report/techniques/mshta/\"\n    ],\n    \"tags\": [\n      \"attack.t1218.005\",\n      \"attack.t1071.001\",\n      \"attack.t1105\"\n    ]\n  },\n  \"gen_time\": 1736019224489,\n  \"link\": \"https://app.limacharlie.io/orgs/5678abcd-910e-11fg-hijk-123456lmnopq/sensors/789abcd1-2345-6789-0efg-hijklm123nop/timeline?time=1736019224\u0026selected=123abc456def789ghi012jkl345mnop678\",\n  \"namespace\": \"general\",\n  \"priority\": 2,\n  \"routing\": {\n    \"arch\": 2,\n    \"did\": \"\",\n    \"event_id\": \"4a3b2c1d-e5f6-47g8-h9ij-k123lmnopq45\",\n    \"event_time\": 1736019224486,\n    \"event_type\": \"NETWORK_CONNECTIONS\",\n    \"ext_ip\": \"203.0.113.45\",\n    \"hostname\": \"corporate-webserver.corp.internal\",\n    \"iid\": \"f12g34h5-i6jk-78lm-90no-pq12rstuv345\",\n    \"int_ip\": \"172.16.10.45\",\n    \"moduleid\": 3,\n    \"oid\": \"5678abcd-910e-11fg-hijk-123456lmnopq\",\n    \"parent\": \"abcd1234ef567gh8910ijklm234nopqr\",\n    \"plat\": 268435456,\n    \"sid\": \"789abcd1-2345-6789-0efg-hijklm123nop\",\n    \"tags\": [\n      \"windows\",\n      \"suspicious_execution\"\n    ],\n    \"this\": \"123abc456def789ghi012jkl345mnop678\"\n  },\n  \"source\": \"5678abcd-910e-11fg-hijk-123456lmnopq.f12g34h5-i6jk-78lm-90no-pq12rstuv345.789abcd1-2345-6789-0efg-hijklm123nop.10000000.3\",\n  \"source_rule\": \"service.WIN-mshta_Network_Connection_to_External_IP\",\n  \"ts\": 
1736019224000\n}'\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdigital-defense-institute%2Fnims-webhook","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdigital-defense-institute%2Fnims-webhook","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdigital-defense-institute%2Fnims-webhook/lists"}
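The README names the `webhookHandler` function that maps the seven fields above into a Notion alert but does not show it. The following Go program is an added example, not the project's code, of how a practitioner would write that receiving side: it declares only the fields the README lists, validates them before anything is stored, caps the request body, and binds to loopback so exposure is a deliberate choice. The `Detection`, `Alert`, `Sink` and `MemSink` names, the 1 MiB body cap, the https-only check on `link`, the loopback bind address and the trimmed sample detection are all assumptions of this example; where the project writes to Notion, `MemSink` records alerts in memory so the program runs without credentials.

```go
package main

import (
	"encoding/json"
	"errors"
	"io"
	"log"
	"net/http"
	"strings"
	"time"
)

// sampleDetection is a constructed, trimmed copy of the README's example
// detection so the program runs offline. Not real data.
const sampleDetection = `{
  "cat": "00456-WIN-mshta_Network_Connection_to_External_IP",
  "detect": {"event": {"COMMAND_LINE": "C:\\Windows\\System32\\mshta.exe", "PROCESS_ID": 2032}},
  "detect_mtd": {"tags": ["attack.t1218.005"]},
  "link": "https://app.limacharlie.io/orgs/example/sensors/example/timeline?time=1736019224",
  "routing": {"hostname": "corporate-webserver.corp.internal", "int_ip": "172.16.10.45", "event_time": 1736019224486}
}`

// maxBody caps the request body (assumed limit, not a project setting).
const maxBody = 1 << 20

// Detection declares only the fields the README says are used; encoding/json
// drops the rest of the LimaCharlie payload.
type Detection struct {
	Cat     string          `json:"cat"`
	Link    string          `json:"link"`
	Detect  json.RawMessage `json:"detect"`
	Mtd     json.RawMessage `json:"detect_mtd"`
	Routing struct {
		Hostname  string `json:"hostname"`
		IntIP     string `json:"int_ip"`
		EventTime int64  `json:"event_time"` // epoch milliseconds, as in the README example
	} `json:"routing"`
}

// Alert is the normalised record handed to storage (Notion in the project).
type Alert struct {
	Name, Hostname, InternalIP, Link, Detect, Metadata string
	EventTime                                          time.Time
}

// ParseDetection decodes one detection and rejects records that could not
// become a usable alert, so a blank or malformed POST never reaches the database.
func ParseDetection(body []byte) (*Alert, error) {
	var d Detection
	if err := json.Unmarshal(body, &d); err != nil {
		return nil, err
	}
	switch {
	case strings.TrimSpace(d.Cat) == "":
		return nil, errors.New("missing cat")
	case d.Routing.Hostname == "":
		return nil, errors.New("missing routing.hostname")
	case d.Routing.EventTime <= 0:
		return nil, errors.New("missing routing.event_time")
	case d.Link != "" && !strings.HasPrefix(d.Link, "https://"):
		// The link is stored as a clickable URL; accept only https (assumed policy).
		return nil, errors.New("link must be an https URL")
	}
	return &Alert{
		Name: d.Cat, Hostname: d.Routing.Hostname, InternalIP: d.Routing.IntIP, Link: d.Link,
		EventTime: time.UnixMilli(d.Routing.EventTime).UTC(),
		Detect:    string(d.Detect), Metadata: string(d.Mtd),
	}, nil
}

// Sink is where validated alerts go; MemSink stands in for the project's Notion client.
type Sink interface{ Add(*Alert) error }
type MemSink struct{ Alerts []*Alert }

func (m *MemSink) Add(a *Alert) error { m.Alerts = append(m.Alerts, a); return nil }

// AlertHandler serves /hooks/alert: POST with a JSON body only, bounded in size,
// validated before anything is stored.
func AlertHandler(sink Sink) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		if !strings.HasPrefix(r.Header.Get("Content-Type"), "application/json") {
			http.Error(w, "expected application/json", http.StatusUnsupportedMediaType)
			return
		}
		body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, maxBody))
		if err != nil {
			http.Error(w, "body too large or unreadable", http.StatusRequestEntityTooLarge)
			return
		}
		a, err := ParseDetection(body)
		if err != nil {
			http.Error(w, "bad detection: "+err.Error(), http.StatusBadRequest)
			return
		}
		if err := sink.Add(a); err != nil {
			http.Error(w, "store failed", http.StatusBadGateway)
			return
		}
		w.WriteHeader(http.StatusAccepted)
	})
}

func main() {
	mux := http.NewServeMux()
	mux.Handle("/hooks/alert", AlertHandler(&MemSink{}))
	// Loopback by default (assumption); widen deliberately, behind a firewall or proxy.
	srv := &http.Server{Addr: "127.0.0.1:9000", Handler: mux, ReadHeaderTimeout: 5 * time.Second}
	log.Fatal(srv.ListenAndServe())
}
```

Run it and POST the README's example request to `http://127.0.0.1:9000/hooks/alert`: a 202 means the alert was accepted, a 400 names the missing or rejected field, a GET gets 405. Swapping `MemSink` for a Notion client turns this into the project's flow without touching the validation.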