Cylance Cybot

By Adrian | September 27, 2020

Recently I attended a webinar in which the presenter from Blackberry Cylance was talking about this tool that they created called Cybot. This tool is a chatbot designed for SOCs to hopefully speed up triagae its offerings. Turns out Cybot is a pretty nifty tool and has integrations to various chat platforms like Slack and Microsoft Teams.

Installation Steps

There are a number of prereqs required to stand up this app. For this installation, I will install it into a Python virtual environment as per the installation guide. I am just using a stock VM, with Python 3 installed to do this.

Install errbot

If you do not have the virtualenv package installed you can install it with the following command:

sudo apt install -qy virtualenv

Setup the virtual environment with the following commands.

virtualenv --python `which python3` ~/.errbot-ve
source ~/.errbot-ve/bin/activate
~/.errbot-ve/bin/pip install errbot

Configure errbot

With the installation complete, configure errbot with the following commands.

mkdir ~/errbot-root
cd ~/errbot-root

Once you run errbot, you can now interact with it.

 You start as a bot admin in a one-on-one conversation with the bot.

    Context of the chat

• Use !inroom to switch to a room conversation.
• Use !inperson to switch back to a one-on-one conversation.
• Use !asuser to talk as a normal user.
• Use !asadmin to switch back as a bot admin.


• Use !ml to flip on/off the multiline mode (Enter twice at the end to send).

[@CHANGE_ME ➡ @errbot] >>>

As a test, you should be able to run the following commands.


You can kill off errbot by using:

!shutdown --confirm

Setup Cybot with Slack

To install Errbot with Slack integration use the following command. This is done inside of the python virtual environment.

sudo ~/.errbot-ve/bin/pip install errbot[slack]

Setup Slack Bot account

With Errbot installed and the inital configuration completed, now is the time to create an app integration with Slack.

Browse to and enter in a botname, and press Add bot integration. I have called mine cybot. Very original, I know.


Take a note of the API Token (and dont share that with anyone) on the next page and complete any additional customisations such as image, full name etc. Press Save Integration.

Make configuration changes to Errbot

Make the following changes to the ~/errbot-root/ file. Update the items in <> with what is approprate for your installation.

import logging

BACKEND = 'Slack'  # Errbot will start in text mode (console only mode) and will answer commands from there.

BOT_DATA_DIR = r'/home/<USER>/errbot-root/data'
BOT_EXTRA_PLUGIN_DIR = r'/home/<USER>/errbot-root/CyBot/plugins'

BOT_LOG_FILE = r'/home/<USER>/errbot-root/errbot.log'


        'token' : '<YOUR SLACK APP API KEY>',


ACCESS_CONTROLS = {'private_plugin': {'allowprivate': ('#protected_room',)},
                        'uptime': {'allowusers': BOT_ADMINS}, }

DIVERT_TO_PRIVATE = ('help', 'about', 'status', 'secnews', 'vulnnews', 'ransom', 'threat', 'aptgroup', 'cve', 'hacktool')

At this time you should be able to test your Errbot by starting it with errbot and have a chat with it in your cybot app in Slack. You can shut it down by using Ctrl+C or !shutdown --confirm

Add Cybot plugins

Now that the basic installation is complete, add in the Cybot plugins from github. I found the easiest way to do this is to just clone the Cybot repository. One issue with this is if you make changes to the plugins and pull a new copy of the repository down then you will lose those changes.

cd ~/errbot-root
git clone

Some plugins like VirusTotal require an API key which can be added in by making a change to the appropriate plugin, with the above note in mind. It appears that there have been no new plugins developed recently in any case.

Now restart errbot and enjoy.


I can see me interacting with this chatbot on a daily basis. Here are a few useful and handy ones.

Command Description
!commands List the CyBot commands you can use
!joke Tell a (dads) joke
!whois Perform a whois query against a domain or ip
!nslookup Perform DNS forward/reverse search
!geoip Perform a Geo Location search for an ip
!screenshot Get a screenshot via the service
!codename Generate a 2 worded codename

These are just a small subset of the commands available.