Configuring Telegram Alerts in Splunk

  1. Install Telegram Alert Action — either in Splunk through Settings -> Alert actions -> Browse more, or download from https://splunkbase.splunk.com/app/3703/ and install manually.
  2. Create a Telegram bot — message @BotFather in Telegram and use the /newbot command to create a new bot. You will be asked for a bot name and a bot handle, which must end with "bot" (e.g. @my_notification_bot). Take note of your new bot’s HTTP API token.
  3. Create a new group chat in Telegram — I couldn’t create an empty group to add my bot later, and had to initially invite one of my contacts to the group, then add the bot and remove the contact. Notifications from Splunk will be sent to this group chat, so invite anybody who should be getting the alerts.
    Once you add the bot to the group chat, open the following URL in the browser (replace XXXX:YYYY with your bot API token):
    https://api.telegram.org/botXXXX:YYYY/getUpdates
    In the JSON output, find the Chat ID (XXXXXXX below; it might be a negative number) of your notification group chat:
    "chat":{"id":XXXXXXX,"title":"Your Telegram Group Chat Name"
  4. Now you have all the information you need to configure the Splunk Telegram alert action. Edit your Splunk alert, add the Telegram alert action, and enter the Chat ID and the Telegram Bot ID (the bot’s API token) noted above. Then configure the message to be sent; you can use Splunk tokens that insert text based on the results of the search (for example, $result.src$).
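The following is an added example, not code from the post or from the Splunkbase app: it parses a getUpdates response (a constructed sample is embedded, with made-up ids) to pull out the group chat id from step 3, builds the sendMessage URL the alert would use, and masks the bot token so it can be logged without leaking the credential. The sendMessage endpoint and response layout are Telegram's documented Bot API; the helper names are my own.

```python
import json
from urllib.parse import quote

# Constructed sample of what https://api.telegram.org/bot<TOKEN>/getUpdates returns
# after the bot has been added to a group (subset of fields; all ids are made up).
SAMPLE_UPDATES = json.dumps({
    "ok": True,
    "result": [
        {"update_id": 100000001,
         "message": {"message_id": 1,
                     "chat": {"id": 123456789, "first_name": "Alice", "type": "private"},
                     "text": "/start"}},
        {"update_id": 100000002,
         "message": {"message_id": 2,
                     "chat": {"id": -987654321, "title": "Splunk Alerts", "type": "group"},
                     "new_chat_member": {"id": 555, "is_bot": True, "username": "my_notification_bot"}}},
    ],
})


def group_chat_ids(updates_json):
    """Return {chat_id: title} for every group/supergroup chat in a getUpdates response.
    Group chat ids are negative, which is why the post says the id may be a negative number."""
    data = json.loads(updates_json)
    if not data.get("ok"):
        raise ValueError("Telegram API returned ok=false: %s" % data.get("description"))
    chats = {}
    for update in data.get("result", []):
        # The chat object can sit under several update types; check the common ones.
        for key in ("message", "edited_message", "channel_post", "my_chat_member"):
            chat = update.get(key, {}).get("chat")
            if chat and chat.get("type") in ("group", "supergroup"):
                chats[chat["id"]] = chat.get("title", "")
    return chats


def mask_token(token):
    """Keep only the numeric bot id (the part before the colon); the secret half is replaced."""
    bot_id, _, _ = token.partition(":")
    return bot_id + ":***"


def send_message_url(token, chat_id, text):
    """Build the Bot API sendMessage URL: token in the path, chat id and URL-encoded text as query."""
    return "https://api.telegram.org/bot%s/sendMessage?chat_id=%d&text=%s" % (token, chat_id, quote(text))


if __name__ == "__main__":
    for chat_id, title in group_chat_ids(SAMPLE_UPDATES).items():
        print(chat_id, title)  # -987654321 Splunk Alerts
```

Treat the token like a password: it is embedded in every API URL, so keep it out of shared dashboards and logs (mask_token shows the safe form to print).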

Random rumblings about #InfoSec. The opinions expressed here are my own and not necessarily those of my employer.

Love podcasts or audiobooks? Learn on the go with our new app.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Airman

Airman

Random rumblings about #InfoSec. The opinions expressed here are my own and not necessarily those of my employer.

More from Medium

MIGRA Smart Contract code testing has completed

HyperSuggest — Your advanced keyword tool

Fundamentals of Top 10 Open Web Application Security Project — Part 2

Blog Link: Phase 0 Portfolio Project