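# Server event artifact: posts a Slack message when a collected
# Generic.Client.Info/Users listing contains a user name matching NameRegex.
name: Custom.Slack.User
description: |
  This artifact watches for new client enrolments and examines the user listing
  on new endpoints. When a username matches a regex, we send a message to slack.

type: SERVER_EVENT

parameters:
  # The webhook URL is a credential: anyone who holds it can post to the
  # channel. The default below is a placeholder; keep the real value out of
  # shared or published copies of this artifact.
  - name: SlackToken
    description: Slack incoming-webhook URL. Treat it as a secret.
    default: https://hooks.slack.com/services/XXXX/YYYY
  # Matched with =~ as a regular expression, so an unanchored value such as
  # "mike" also matches longer names that contain it. Anchor the pattern
  # (for example ^mike$) when only an exact name should alert.
  - name: NameRegex
    description: Users that match this regex will trigger the message.
    default: mike

sources:
  - query: |
      -- Stage 1: one row per completed flow that produced
      -- Generic.Client.Info/Users results. This fires for every such flow,
      -- not only for the first collection after enrolment.
      LET flow_info = SELECT timestamp(epoch=Timestamp) AS Timestamp,
             client_info(client_id=ClientId).os_info.fqdn AS FQDN,
             ClientId, FlowId
      FROM watch_monitoring(artifact="System.Flow.Completion")
      WHERE Flow.artifacts_with_results =~ "Generic.Client.Info/Users"

      -- Stage 2: read the user listing of each such flow and keep the rows
      -- whose Name matches NameRegex, carrying the flow context along.
      LET hits = SELECT * FROM foreach(row=flow_info,
      query={
         SELECT *, Timestamp, FQDN, ClientId
         FROM source(artifact="Generic.Client.Info/Users",
                     client_id=ClientId, flow_id=FlowId)
         WHERE Name =~ NameRegex
      })

      -- Stage 3: POST one message per hit to the webhook. ClientId, FQDN and
      -- Name are reported by the endpoint; serialize() JSON-encodes them, so
      -- they cannot break the payload structure. The rows returned are
      -- whatever http_client() yields for each request.
      SELECT * FROM foreach(row=hits,
      query={
         SELECT * FROM http_client(
            data=serialize(item=dict(
                text=format(format="Client ID %v (%v) has user %v",
                            args=[ClientId, FQDN, Name])
            ), format="json"),
            headers=dict(`Content-Type`="application/json"),
            method="POST",
            url=SlackToken)
      })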