https://github.com/chainguard-dev/kolide-pipeline-bot
Generate Slack notifications from Kolide pipelines
Last synced: about 1 year ago
- Host: GitHub
- URL: https://github.com/chainguard-dev/kolide-pipeline-bot
- Owner: chainguard-dev
- License: apache-2.0
- Created: 2022-08-31T19:35:47.000Z (almost 4 years ago)
- Default Branch: main
- Last Pushed: 2025-03-13T02:14:37.000Z (over 1 year ago)
- Last Synced: 2025-03-22T00:05:26.258Z (over 1 year ago)
- Language: Go
- Homepage:
- Size: 182 KB
- Stars: 2
- Watchers: 2
- Forks: 2
- Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# kolide-pipeline-bot
Send notifications from osquery differential logs uploaded to GCP storage by Kolide
## Features
* Support for Kolide differential logs
* Rich Slack notifications
* VirusTotal annotation
* Google Cloud Storage
* CLI and HTTP server modes
* Duplicate event suppression
* Threading of related events
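The features above all hinge on how a differential log line is keyed. The Go program below is an added example written for this page, not the bot's own code: it parses constructed osquery differential log lines in the format Kolide uploads (the field names `name`, `hostIdentifier`, `unixTime`, `action`, `columns` are osquery's), suppresses repeats of the same finding (same query, host and row contents, whatever the JSON key order) within a window, skips `removed` rows, and derives a thread key so every hit of one query on one host lands in one Slack thread. The one-hour window, the key scheme and the sample lines are assumptions for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is one line of an osquery differential (results) log as Kolide uploads
// them: newline-delimited JSON. Only the fields used here are modelled.
type Event struct {
	Name           string            `json:"name"`
	HostIdentifier string            `json:"hostIdentifier"`
	UnixTime       int64             `json:"unixTime"`
	Action         string            `json:"action"` // "added" or "removed"
	Columns        map[string]string `json:"columns"`
}

// sampleLog is constructed input, not a real upload. Line 2 repeats line 1 with
// its columns reordered; line 3 is the matching "removed" row.
const sampleLog = `
{"name":"threat_hunting.suspicious_cron","hostIdentifier":"laptop-01","unixTime":1700000000,"action":"added","columns":{"path":"/etc/cron.d/sync","command":"/tmp/.cache/sync"}}
{"name":"threat_hunting.suspicious_cron","hostIdentifier":"laptop-01","unixTime":1700000300,"action":"added","columns":{"command":"/tmp/.cache/sync","path":"/etc/cron.d/sync"}}
{"name":"threat_hunting.suspicious_cron","hostIdentifier":"laptop-01","unixTime":1700000600,"action":"removed","columns":{"path":"/etc/cron.d/sync","command":"/tmp/.cache/sync"}}
{"name":"threat_hunting.suspicious_cron","hostIdentifier":"laptop-01","unixTime":1700000900,"action":"added","columns":{"path":"/etc/cron.d/backup","command":"/var/tmp/bk.sh"}}
{"name":"threat_hunting.unsigned_kext","hostIdentifier":"laptop-02","unixTime":1700001000,"action":"added","columns":{"name":"com.example.driver","signed":"0"}}
`

// ParseDifferentialLog parses newline-delimited log text. A malformed line fails
// the batch with its line number so a corrupt upload is noticed, not dropped.
func ParseDifferentialLog(data string) ([]Event, error) {
	var events []Event
	for i, line := range strings.Split(data, "\n") {
		if line = strings.TrimSpace(line); line == "" {
			continue
		}
		var ev Event
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("line %d: %w", i+1, err)
		}
		events = append(events, ev)
	}
	return events, nil
}

// DedupeKey identifies one finding: same query, same host, same row contents.
// Columns are joined in sorted order so JSON key order cannot change the key.
func DedupeKey(ev Event) string {
	parts := []string{ev.Name, ev.HostIdentifier}
	for k, v := range ev.Columns {
		parts = append(parts, k+"="+v)
	}
	sort.Strings(parts[2:])
	return strings.Join(parts, "\x00")
}

// ThreadKey groups related events: every hit of one query on one host becomes
// a reply in one Slack thread instead of a separate top-level message.
func ThreadKey(ev Event) string { return ev.Name + "@" + ev.HostIdentifier }

// Suppressor drops findings already notified within Window, keyed by DedupeKey.
type Suppressor struct {
	Window time.Duration
	seen   map[string]time.Time
}

// Filter keeps "added" rows not seen within the window; "removed" rows are not
// notified. Event time is compared, not wall-clock time, so replays are deterministic.
func (s *Suppressor) Filter(events []Event) []Event {
	if s.seen == nil {
		s.seen = map[string]time.Time{}
	}
	var out []Event
	for _, ev := range events {
		if ev.Action != "added" {
			continue
		}
		k, t := DedupeKey(ev), time.Unix(ev.UnixTime, 0)
		if last, ok := s.seen[k]; ok && t.Sub(last) < s.Window {
			continue
		}
		s.seen[k] = t
		out = append(out, ev)
	}
	return out
}

func main() {
	events, err := ParseDifferentialLog(sampleLog)
	if err != nil {
		panic(err)
	}
	// Prints three notifications: two in the laptop-01 cron thread, one for laptop-02.
	for _, ev := range (&Suppressor{Window: time.Hour}).Filter(events) {
		fmt.Printf("%-45s %v\n", ThreadKey(ev), ev.Columns)
	}
}
```

Of the five sample lines, only three produce notifications: the reordered duplicate is suppressed, the `removed` row is skipped, and the same finding reappearing after the window has elapsed would be notified again.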
## Usage
Compile:
```shell
go build .
```
Set up your local credentials:
```shell
gcloud auth application-default login
```
Inspect output without sending notifications:
```shell
kolide-pipeline-bot \
--bucket=your-kolide-logs \
--prefix=kolide/results/threat_hunting \
--max-age=8h
```
To send notifications, set `SLACK_ACCESS_TOKEN` to a Bot User OAuth Token for your workspace (these typically start with `xoxb-`). Pass it through the environment rather than as a command-line argument so it does not end up in shell history or process listings; on Cloud Run, source it from Secret Manager.
## Webserver mode
This runs a web server that scans the bucket, and sends any resulting notifications, every time `/refreshz` is hit:
```shell
kolide-pipeline-bot \
--bucket=your-osquery-logs \
--prefix=kolide/results/threat_hunting \
--serve
```
This allows kolide-pipeline-bot to run in environments that expect an HTTP frontend, such as Google Cloud Run. A scheduler service (Cloud Scheduler, for example) can then hit `/refreshz` as often as you want to poll for new results. Because every hit triggers a bucket scan and any notifications that follow, restrict who can reach the endpoint: on Cloud Run, deploy without `--allow-unauthenticated` and have the scheduler call the service with an identity that holds the invoker role.
## Environment Variables
For your deployment, you may find it more useful to use environment variables than arguments. The `kolide-pipeline-bot` supports a handful of them:
* `PORT`
* `BUCKET_NAME`
* `BUCKET_PREFIX`
* `SLACK_ACCESS_TOKEN`
* `VIRUSTOTAL_KEY`
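As an added example that is not the bot's own code, the Go program below shows the shape of the serve mode and environment-variable handling described in the two sections above: a flag-then-environment-then-default lookup for `PORT`, `BUCKET_NAME` and `BUCKET_PREFIX`, and a `/refreshz` handler that refuses to run two scans concurrently, since a scheduler firing faster than a scan completes would otherwise race the duplicate-suppression state and double-post. The `Scanner` stand-in, the 409 response and the warning when `SLACK_ACCESS_TOKEN` is unset are assumptions for illustration. The handler does no authentication of its own; it assumes Cloud Run IAM restricts who can invoke the service.

```go
package main

import (
	"flag"
	"fmt"
	"log"
	"net/http"
	"os"
	"sync"
)

// envOr resolves a setting in flag > environment > default order. The variable
// names used by main match the README's list.
func envOr(flagVal, envName, def string) string {
	if flagVal != "" {
		return flagVal
	}
	if v := os.Getenv(envName); v != "" {
		return v
	}
	return def
}

// Scanner lists the bucket prefix and posts notifications, returning how many
// were sent. It stands in for the real scan; GCS and Slack calls are out of scope.
type Scanner func() (int, error)

// RefreshHandler serves /refreshz. TryLock turns an overlapping hit into
// 409 Conflict instead of starting a second scan while one is still running.
type RefreshHandler struct {
	mu   sync.Mutex
	Scan Scanner
}

func (h *RefreshHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if !h.mu.TryLock() {
		http.Error(w, "scan already in progress", http.StatusConflict)
		return
	}
	defer h.mu.Unlock()
	n, err := h.Scan()
	if err != nil {
		log.Printf("scan failed: %v", err)
		http.Error(w, "scan failed", http.StatusInternalServerError)
		return
	}
	fmt.Fprintf(w, "ok: %d notification(s) sent\n", n)
}

func main() {
	bucketFlag := flag.String("bucket", "", "GCS bucket (or BUCKET_NAME)")
	prefixFlag := flag.String("prefix", "", "object prefix (or BUCKET_PREFIX)")
	flag.Parse()
	bucket := envOr(*bucketFlag, "BUCKET_NAME", "")
	prefix := envOr(*prefixFlag, "BUCKET_PREFIX", "kolide/results/")
	if bucket == "" {
		log.Fatal("set --bucket or BUCKET_NAME")
	}
	if os.Getenv("SLACK_ACCESS_TOKEN") == "" {
		log.Print("SLACK_ACCESS_TOKEN unset: scans will run but nothing is posted")
	}
	port := envOr("", "PORT", "8080") // Cloud Run injects PORT
	scan := func() (int, error) {
		log.Printf("scanning gs://%s/%s", bucket, prefix)
		return 0, nil // placeholder: list objects, parse, filter, post to Slack
	}
	http.Handle("/refreshz", &RefreshHandler{Scan: scan})
	log.Printf("listening on :%s", port)
	log.Fatal(http.ListenAndServe(":"+port, nil))
}
```

Run it with `BUCKET_NAME=your-kolide-logs go run .` and hit `/refreshz`; with a real scan wired in, a second hit that arrives while the first scan is still running gets a 409 rather than a second concurrent pass over the bucket.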
## Google Cloud Run
Using `ko`, it is easy to build `kolide-pipeline-bot`, push it to your container registry, and deploy it straight to Cloud Run:
```shell
export KO_DOCKER_REPO="gcr.io//pipeline-notifier"
gcloud run deploy pipeline-notifier \
--image="$(ko publish .)" \
--args=-serve \
--region us-central1 \
--project ""
```
Fill in your project ID in `KO_DOCKER_REPO` and `--project` before running; the command above leaves both blank. `ko publish` prints a digest-pinned image reference, so Cloud Run deploys exactly the image that was just built. You can see an example automated deployment in `./hacks/deploy-cloud-run.sh`.