Gatekeeper inqaba-security/gatekeeper
v1.x

Slack & Microsoft Teams

These are alerting sinks, not archival ones. The idea: the complete event stream flows to Sentinel/Wazuh for analysis and retention, while only events crossing a severity floor page a human in chat. Both default to minimum_severity: high, so out of the box the channel sees honeypot hits, brute force, enumeration and scanner detections — not every login.

Slack#

Create an incoming webhook for your alerts channel, then:

SIEM_SINKS=sentinel,slack
SIEM_SLACK_WEBHOOK=https://hooks.slack.com/services/T000/B000/xxxx
SIEM_SLACK_MIN_SEVERITY=high

Alerts render as Block Kit cards with a severity color bar:

🔴 Honeypot route accessed
─────────────────────────────────────────
Action:    honeypot_route_hit      Severity:  HIGH
Outcome:   failure                 Source IP: 203.0.113.9 (Oslo, NO)
Request:   GET /wp-login.php       Service:   shop (production)
MITRE:     T1595.003
{"honeypot_path":"wp-login.php","auto_blocked":true}

With GeoIP enrichment enabled, the source IP line includes city and country automatically.

Key Env Default
sinks.slack.webhook_url SIEM_SLACK_WEBHOOK
sinks.slack.minimum_severity SIEM_SLACK_MIN_SEVERITY high
sinks.slack.timeout 5

Microsoft Teams#

Microsoft retired the classic Office 365 connectors; the current mechanism is a Teams Workflows (Power Automate) webhook. Gatekeeper posts the standard message + Adaptive Card attachment envelope that these flows expect.

Create the webhook#

  1. In the target Teams channel: ⋯ → Workflows → "Post to a channel when a webhook request is received".
  2. Copy the generated HTTPS URL (a *.logic.azure.com address).
SIEM_SINKS=sentinel,teams
SIEM_TEAMS_WEBHOOK=https://prod-xx.westeurope.logic.azure.com/workflows/...
SIEM_TEAMS_MIN_SEVERITY=high

Alerts render as full-width Adaptive Cards with a fact table (action, severity, outcome, source IP + geo, user, request, service, MITRE technique, UTC timestamp) and the event context in monospace.

Key Env Default
sinks.teams.webhook_url SIEM_TEAMS_WEBHOOK
sinks.teams.minimum_severity SIEM_TEAMS_MIN_SEVERITY high
sinks.teams.timeout 5

Severity emoji legend#

Severity Indicator
critical 🚨
high 🔴
medium 🟠
low 🟡
info/debug ℹ️

Tuning the noise floor#

  • minimum_severity: critical — only brute_force_detected (and your critical custom events) page the channel.
  • minimum_severity: high (default) — adds honeypots, scanning, enumeration, lockouts, suspicious input.
  • minimum_severity: medium — adds form honeypots, rate-limit abuse, access denials. Usually too chatty for a paging channel; consider a second non-paging channel instead.

Remember that detections themselves are deduplicated (once per IP per window), so a scanner hammering you produces one alert per window, not hundreds.

Testing#

php artisan siem:test --sink=slack
php artisan siem:test --sink=teams

The test event ships at info severity directly to the sink, bypassing the severity floor — so it verifies connectivity without you having to lower the floor first.