Cylance Cybot

By Adrian | September 27, 2020

Recently I attended a webinar in which the presenter from BlackBerry Cylance was talking about a tool that they created called Cybot. This tool is a chatbot designed for SOCs to hopefully speed up triage with its offerings. Turns out Cybot is a pretty nifty tool and has integrations with various chat platforms like Slack and Microsoft Teams.

Installation Steps

There are a number of prereqs required to stand up this app. For this installation, I will install it into a Python virtual environment as per the installation guide. I am just using a stock VM, with Python 3 installed to do this.

Install errbot

If you do not have the virtualenv package installed you can install it with the following command:

sudo apt install -qy virtualenv

Set up the virtual environment with the following commands.

virtualenv --python `which python3` ~/.errbot-ve
source ~/.errbot-ve/bin/activate
~/.errbot-ve/bin/pip install errbot

Configure errbot

With the installation complete, configure errbot with the following commands.

mkdir ~/errbot-root
cd ~/errbot-root
errbot

Once you run errbot, you can now interact with it.


────────────────────────────────────────────────────────────────────────────────
 You start as a bot admin in a one-on-one conversation with the bot.

    Context of the chat

• Use !inroom to switch to a room conversation.
• Use !inperson to switch back to a one-on-one conversation.
• Use !asuser to talk as a normal user.
• Use !asadmin to switch back as a bot admin.

    Preferences

• Use !ml to flip on/off the multiline mode (Enter twice at the end to send).
────────────────────────────────────────────────────────────────────────────────

[@CHANGE_ME ➡ @errbot] >>>

As a test, you should be able to run the following commands.

!tryme
!help
!about

You can kill off errbot by using:

!shutdown --confirm

Set up Cybot with Slack

To install Errbot with Slack integration use the following command. This is done inside the Python virtual environment, which your own user owns, so sudo is not needed.

~/.errbot-ve/bin/pip install 'errbot[slack]'

Set up Slack Bot account

With Errbot installed and the initial configuration completed, now is the time to create an app integration with Slack.

Browse to https://my.slack.com/services/new/bot and enter in a botname, and press Add bot integration. I have called mine cybot. Very original, I know.


Take a note of the API Token on the next page (and don't share that with anyone) and complete any additional customisations such as image, full name etc. Press Save Integration.

Make configuration changes to Errbot

Make the following changes to the ~/errbot-root/config.py file. Update the items in <> with what is appropriate for your installation.

import logging

BACKEND = 'Slack'  # Connect to Slack instead of the default 'Text' (console only) backend.

BOT_DATA_DIR = r'/home/<USER>/errbot-root/data'
BOT_EXTRA_PLUGIN_DIR = r'/home/<USER>/errbot-root/CyBot/plugins'

BOT_LOG_FILE = r'/home/<USER>/errbot-root/errbot.log'
BOT_LOG_LEVEL = logging.INFO

BOT_ADMINS = ('@BOTADMINUSER', )

BOT_IDENTITY = {
        'token' : '<YOUR SLACK APP API KEY>',
}

CHATROOM_PRESENCE = ()
CHATROOM_FN = 'CyBot'

ACCESS_CONTROLS = {'private_plugin': {'allowprivate': ('#protected_room',)},
                        'uptime': {'allowusers': BOT_ADMINS}, }

DIVERT_TO_PRIVATE = ('help', 'about', 'status', 'secnews', 'vulnnews', 'ransom', 'threat', 'aptgroup', 'cve', 'hacktool')

At this point you should be able to test your Errbot by starting it with errbot and having a chat with it in your cybot app in Slack. You can shut it down by using Ctrl+C or !shutdown --confirm.
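The config above keeps the Slack API token as a literal in config.py. One way to keep it out of the file, shown here as an added example that is not from the original post or from the Errbot or CyBot projects: the variable name ERRBOT_SLACK_TOKEN and both helper functions are assumptions made for this example.

```python
import os
import stat
import sys

# Assumed variable name for this example; it is not an Errbot or CyBot setting.
TOKEN_ENV_VAR = "ERRBOT_SLACK_TOKEN"


def load_bot_identity(environ=os.environ):
    """Build the BOT_IDENTITY dict from the environment instead of a literal."""
    token = environ.get(TOKEN_ENV_VAR, "").strip()
    if not token:
        raise RuntimeError(f"{TOKEN_ENV_VAR} is not set")
    # Slack bot-user tokens begin with "xoxb-"; this catches a leftover
    # placeholder or the wrong kind of token before the bot tries to connect.
    if not token.startswith("xoxb-"):
        raise RuntimeError(f"{TOKEN_ENV_VAR} does not look like a Slack bot token")
    return {"token": token}


def loose_permissions(paths):
    """Return the existing paths that group or other users can access at all."""
    loose = []
    for path in paths:
        if not os.path.exists(path):
            continue  # e.g. errbot.log before the first run
        if os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            loose.append(path)
    return loose


if __name__ == "__main__":
    # Constructed demo token; in config.py the line would instead be
    #   BOT_IDENTITY = load_bot_identity()
    identity = load_bot_identity({TOKEN_ENV_VAR: "xoxb-constructed-example"})
    print("token loaded, length", len(identity["token"]))
    root = os.path.expanduser("~/errbot-root")
    for path in loose_permissions([root, os.path.join(root, "config.py"),
                                   os.path.join(root, "errbot.log")]):
        print("accessible by other accounts:", path, file=sys.stderr)
```

Export the variable in the shell or service unit that starts errbot, and tighten anything the permission check reports with chmod -R go-rwx ~/errbot-root.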

Add Cybot plugins

Now that the basic installation is complete, add in the Cybot plugins from GitHub. I found the easiest way to do this is to just clone the Cybot repository. One issue with this is that if you make changes to the plugins and then pull a new copy of the repository down, you will lose those changes.

cd ~/errbot-root
git clone https://github.com/cylance/CyBot.git

Some plugins like VirusTotal require an API key which can be added in by making a change to the appropriate plugin, with the above note in mind. It appears that there have been no new plugins developed recently in any case.

Now restart errbot and enjoy.

Commands

I can see myself interacting with this chatbot on a daily basis. Here are a few useful and handy ones.

Command       Description
!commands     List the CyBot commands you can use
!joke         Tell a (dads) joke
!whois        Perform a whois query against a domain or ip
!nslookup     Perform DNS forward/reverse search
!geoip        Perform a Geo Location search for an ip
!screenshot   Get a screenshot via the thum.io service
!codename     Generate a 2 worded codename

These are just a small subset of the commands available.
