Sending notifications to Telegram

This integration is an example and may require additional configuration depending on the versions used and the specifics of the infrastructure.
The terms and conditions of premium technical support do not apply to this integration; support requests are processed without a guaranteed response time.

You can configure sending notifications to Telegram when KUMA correlation rules are triggered. This can reduce the response time to threats and, if necessary, make more persons informed.

Configure Telegram notifications involves the following steps:

1. Creating and configuring a Telegram bot

   A special bot sends notifications about triggered correlation rules. It can send notifications to a private or group Telegram chat.

2. Creating a script for sending notifications

   You must create a script and save it on the server where the correlator is installed.

3. Configuring notifications in KUMA

   Configure a KUMA response rule that starts a script to send notifications and add this rule to the correlator.

Creating and configuring a Telegram bot

To create and configure a Telegram bot:

1. In the Telegram application, find the BotFather bot and open a chat with it.
2. In the chat, click Start.
3. Create a new bot using the following command:

   /newbot

4. Enter the name of the bot.
5. Enter the login name of the bot.

   The bot is created. You receive a link to the chat that looks like t.me/<bot login> and a token for contacting the bot.

6. If you want to use the bot in a group chat, and not in private messages, edit privacy settings:
   1. In the BotFather chat, enter the command:

      /mybots

   2. Select the relevant bot from the list.
   3. Click Bot Settings → Group Privacy and select Turn off.

      The bot can now send messages to group chats.

7. To open a chat with the bot you created, use the t.me/<botlogin> link that you obtained at step 5, and click Start.
8. If you want the bot to send private messages to the user:
   1. In the chat with the bot, send any message.
   2. Follow the https://t.me/getmyid_bot link and click Start.
   3. The response contains the Current chat ID. You need this value to configure the sending of messages.
9. If you want the bot to send messages to the group chat:
   1. Add https://t.me/getmyid_bot to the group chat for receiving notifications from KUMA.

      The bot sends a message to the group chat, the message contains the Current chat ID value. You need this value to configure the sending of messages.

   2. Remove the bot from the group.
10. Send a test message through the bot. To do so, paste the following link into the address bar of your browser:

    https://api.telegram.org/bot<token>/sendMessage?chat_id=<chat_id>&text=test

    where <token> is the value obtained at step 5, and <chat_id> is the value obtained at step 8 or 9.

As a result, a test message should appear in the personal or group chat, and the JSON in the browser response should be free of errors.

Creating a script for sending notifications

To create a script:

1. In the console of the server on which the correlator is installed, create a script file and add the following lines to it:

   #!/bin/bash

   set -eu

   CHAT_ID=<Current chat ID value obtained at step 8 or 9 of the Telegram bot setup instructions>

   TG_TOKEN=<token value obtained at step 5 of the Telegram bot setup instructions>

   RULE=$1

   TEXT="<b>$RULE</b> rule triggered."

   curl --data-urlencode "chat_id=$CHAT_ID" --data-urlencode "text=$TEXT" --data-urlencode "parse_mode=HTML" https://api.telegram.org/bot$TG_TOKEN/sendMessage

   If the correlator server does not have Internet access, you can use a proxy server:

   #!/bin/bash

   set -eu

   CHAT_ID=<Current chat ID value obtained at step 8 or 9 of the Telegram bot setup instructions>

   TG_TOKEN=<token value obtained at step 5 of the Telegram bot setup instructions>

   RULE=$1

   TEXT="<b>$RULE</b> rule triggered."

   PROXY=<address and port of the proxy server>

   curl --proxy $PROXY --data-urlencode "chat_id=$CHAT_ID" --data-urlencode "text=$TEXT" --data-urlencode "parse_mode=HTML" https://api.telegram.org/bot$TG_TOKEN/sendMessage

2. Save the script to the correlator directory at /opt/kaspersky/kuma/correlator/<ID of the correlator that must respond to events>/scripts/.

   For information about obtaining the correlator ID, see the Getting service identifier section.

3. Make the 'kuma' user the owner of the file and grant execution rights:

   chown kuma:kuma /opt/kaspersky/kuma/correlator/<ID of the correlator that must respond>/scripts/<script name>.sh

   chmod +x /opt/kaspersky/kuma/correlator/<ID of the correlator that must respond>/scripts/<script name>.sh

Configuring notifications in KUMA

To configure the sending of KUMA notifications to Telegram:

1. Create a response rule:
   1. In the KUMA Console, select the Resources → Response rules section and click Add response rule.
   2. This opens the Create response rule window; in that window, in the Name field, enter the name of the rule.
   3. In the Tenant drop-down list, select the tenant that owns the resource.
   4. In the Type drop-down list, select Run script.
   5. In the Script name field, enter the name of the script.
   6. In the Script arguments field, enter {{.Name}}.

      This passes the name of the correlation event as the argument of the script.

   7. Click Save.
2. Add the response rule to the correlator:
   1. In the Resources → Correlators section, select the correlator in whose folder you placed the created script for sending notifications.
   2. In the steps tree, select Response rules.
   3. Click Add.
   4. In the Response rule drop-down list, select the rule added at step 1 of these instructions.
   5. In the steps tree, select Setup validation.
   6. Click the Save and restart services button.
   7. Click the Save button.

Sending notifications about triggered KUMA rules to Telegram is configured.