Skip to content

TaigaWalk/Curated-RSS-Feeds

BranchesTags

Repository files navigation

RSS Security Alert Filter with JIRA Integration

This script monitors multiple RSS feeds for security alerts related to specific products and threats, then creates JIRA tickets with Slack notifications and automated acknowledgment workflows.

Features

  • Multi-Source RSS Filtering: Monitors BleepingComputer, CISA, HackerNews, Krebs, and DarkReading RSS feeds
  • Keyword Matching: Filters entries based on customizable product and threat keywords
  • Slack Integration: Posts formatted alerts to Slack with source, title, and JIRA ticket links
  • JIRA Integration: Creates JIRA tickets as subtasks linked to a security epic
  • Automated Acknowledgment: Monitors for thumbs up reactions and assigns tickets to the first person who acknowledges
  • Ticket Status Management: Automatically transitions tickets to "In Progress" upon acknowledgment
  • Duplicate Prevention: Uses cache files to avoid creating duplicate tickets
  • Acknowledgment Monitoring: Separate script to continuously check for acknowledgments and manage ticket assignments

Setup

1. Install Dependencies

pip install -r requirements.txt

2. Environment Variables

⚠️ IMPORTANT: This system is designed to run via GitHub Actions using GitHub Secrets. The scripts will automatically use environment variables from GitHub Secrets when deployed.

For local development and testing only, you can set the following environment variables:

# Slack Configuration
export SLACK_BOT_TOKEN="xoxb-your-slack-bot-token"
export SLACK_CHANNEL_ID="C1234567890"

# JIRA Configuration
export JIRA_URL="https://your-domain.atlassian.net"
export JIRA_EMAIL="[email protected]"
export JIRA_API_TOKEN="your-jira-api-token"
export JIRA_EPIC_KEY="ABC-123"  # The epic key where tickets will be created as subtasks
export JIRA_PROJECT_KEY="ABC"   # The project key for ticket creation

For Production Use: See the GitHub Actions Setup section below for proper deployment using GitHub Secrets.

3. Slack Bot Setup

The Slack bot requires the following scopes:

  • chat:write - To post messages
  • reactions:read - To monitor for thumbs up reactions
  • channels:history - REQUIRED to read message history for acknowledgment checking
  • groups:history - REQUIRED for conversations.history API (even for public channels)
  • mpim:history - REQUIRED for conversations.history API (even for public channels)
  • im:history - REQUIRED for conversations.history API (even for public channels)
  • channels:read - To read channel information
  • users:read - To get user information
  • users:read.email - To get user email for JIRA assignment

⚠️ Important: The channels:history, groups:history, mpim:history, and im:history scopes are all required for the acknowledgment system to work. Slack's conversations.history API requires all history scopes to be present, even when only accessing public channels.

Creating a Slack Bot

To set up the Slack bot for this system:

  1. Create a Slack App:

    • Go to api.slack.com/apps
    • Click "Create New App" β†’ "From scratch"
    • Give your app a name (e.g., "RSS Security Alert Bot")
    • Select your workspace

  2. Configure Bot Token Scopes:

    • Go to "OAuth & Permissions" in the left sidebar
    • Under "Scopes" β†’ "Bot Token Scopes", add all the required scopes listed above
    • Click "Install to Workspace" at the top of the page

  3. Get Your Bot Token:

    • After installation, copy the "Bot User OAuth Token" (starts with xoxb-)
    • This is your SLACK_BOT_TOKEN

  4. Invite Bot to Channel:

    • In your Slack workspace, invite the bot to the channel where you want alerts posted
    • Use: /invite @your-bot-name

  5. Get Channel ID:

    • Right-click on the channel name in Slack
    • Select "Copy link" and extract the channel ID from the URL
    • Or use the Slack API to get the channel ID

4. JIRA API Token Setup

  1. Go to Atlassian Account Settings
  2. Click "Create API token"
  3. Give it a label (e.g., "RSS Alert Bot")
  4. Copy the token and use it as JIRA_API_TOKEN

5. Epic Setup

Create a JIRA epic in your security project (e.g., "ABC-123") that will serve as the parent for all security alert tickets.

Usage

Run any of the filter scripts:

python filter_rss_bleeping.py
python filter_rss_cisa.py
python filter_rss_hackernews.py
python filter_rss_krebs.py
python filter_rss_darkreading.py

How It Works

1. RSS Processing

  1. RSS Parsing: Fetches and parses the RSS feed
  2. Keyword Filtering: Matches entries against customizable product and threat keyword lists
  3. Duplicate Check: Uses a cache file to track previously processed entries

2. Alert Creation

  1. JIRA Ticket Creation: For each new alert:
    • Creates a subtask under the specified epic
    • Sets medium priority
    • Includes comprehensive description with source link and detected keywords
    • Adds relevant labels
  2. Slack Notification: Posts formatted alerts to the configured Slack channel

3. Acknowledgment Workflow

  1. Reaction Monitoring: Continuously monitors for thumbs up reactions on the Slack message
  2. User Assignment: First person to react gets assigned the JIRA ticket (using their Slack email)
  3. Status Update: Ticket automatically transitions to "In Progress"
  4. Confirmation: Bot posts acknowledgment message in the Slack thread
  5. Cache Update: Updates the cache file with new entry links

Slack Message Format

Alerts are posted in a clean, consistent format with unique emojis for each source:

🧠 Source: BleepingComputer
Title: [Article Title]
JIRA Ticket: ABC-123

Source Emojis:

  • 🧠 BleepingComputer - Brain emoji for intelligence/security news
  • πŸ›‘οΈ CISA - Shield emoji for government security advisories
  • πŸ“° HackerNews - Newspaper emoji for tech news
  • πŸ” Krebs - Magnifying glass emoji for investigative journalism
  • πŸŒ™ DarkReading - Moon emoji for "dark" security news

The ticket number is a clickable link that takes you directly to the JIRA ticket.

Acknowledgment Workflow

  1. Alert Posted: Security alert appears in Slack with JIRA ticket link
  2. User Acknowledges: Team member reacts with thumbs up (πŸ‘)
  3. Automatic Assignment: First person to react gets assigned the JIRA ticket
  4. Status Update: Ticket automatically transitions to "In Progress"
  5. Confirmation: Bot posts acknowledgment message in the thread

Note: Only the first thumbs up reaction triggers the assignment and status change to prevent multiple assignments.

JIRA Ticket Structure

Each ticket includes:

  • Title: The RSS entry title (truncated if too long)
  • Description:
    • Source information and publication date
    • Original RSS description
    • Detected product and threat keywords
    • Action required section
    • Auto-generation timestamp
  • Type: Sub-task (linked to the security epic)
  • Priority: Medium
  • Labels: security-alert, rss-feed, [source], auto-generated, cti

Customization

Keywords

You can customize the keyword lists in each script:

  • PRODUCT_KEYWORDS: Add products and technologies your organization uses
  • THREAT_KEYWORDS: Add security threat terms that will trigger alerts
  • OTHER_KEYWORDS: Add company names, industry-specific terms, or other relevant keywords

JIRA Fields

You can customize the JIRA ticket creation by modifying the issue_data dictionary in the create_jira_ticket() function.

Troubleshooting

Common Issues

  1. JIRA Authentication Error: Verify your email and API token
  2. Epic Not Found: Ensure the epic key exists and is accessible
  3. Permission Issues: Verify the JIRA user has permission to create issues in the project
  4. Slack Bot Permissions: Ensure the bot has the required scopes, especially users:read.email
  5. Rate Limiting: JIRA has API rate limits; the script includes error handling

Debug Mode

The script includes detailed logging. Check the console output for:

  • βœ… Success messages for created tickets
  • ❌ Error messages for failed operations
  • πŸ“‹ Summary of created tickets
  • πŸ‘ Thumbs up detection and assignment messages

Files

Main Scripts

  • filter_rss_bleeping.py: BleepingComputer RSS filter
  • filter_rss_cisa.py: CISA advisories RSS filter
  • filter_rss_hackernews.py: HackerNews RSS filter
  • filter_rss_krebs.py: Krebs on Security RSS filter
  • filter_rss_darkreading.py: DarkReading RSS filter
  • check_acknowledgments.py: Monitors Slack for acknowledgments and manages JIRA ticket assignments

Support Files

  • requirements.txt: Python dependencies
  • .seen_entries_*.json: Cache files (auto-generated)
  • .message_ticket_mappings.json: Acknowledgment tracking file (auto-generated)
  • feeds/*.xml: Filtered RSS feed outputs

GitHub Actions Workflows

🎯 PRIMARY DEPLOYMENT METHOD: This system is designed to run via GitHub Actions using GitHub Secrets for secure credential management.

Each RSS source has its own GitHub Actions workflow that can be triggered manually:

  • πŸ”„ BleepingComputer RSS Filter - .github/workflows/rss-filter-bleeping.yml
  • πŸ”„ CISA RSS Filter - .github/workflows/rss-filter-cisa.yml
  • πŸ”„ HackerNews RSS Filter - .github/workflows/rss-filter-hackernews.yml
  • πŸ”„ Krebs RSS Filter - .github/workflows/rss-filter-krebs.yml
  • πŸ”„ DarkReading RSS Filter - .github/workflows/rss-filter-darkreading.yml
  • πŸ”„ Acknowledgment Monitor - .github/workflows/check-acknowledgments.yml

Setting up GitHub Actions (Recommended Production Setup)

  1. Add Secrets: Go to your repository Settings β†’ Secrets and variables β†’ Actions
  2. Add Required Secrets:
    • SLACK_BOT_TOKEN
    • SLACK_CHANNEL_ID
    • JIRA_URL
    • JIRA_EMAIL
    • JIRA_API_TOKEN
    • JIRA_EPIC_KEY
    • JIRA_PROJECT_KEY
  3. Run Workflows: Go to the Actions tab and manually trigger any workflow

Workflow Features

  • Manual Trigger: All workflows use workflow_dispatch for manual execution
  • Secure Credentials: Uses GitHub Secrets for secure credential management
  • Cache Management: Automatically caches seen entries to prevent duplicates
  • Error Handling: Continues execution even if cache save fails

Acknowledgment Monitoring System

The check_acknowledgments.py script provides continuous monitoring of Slack messages for acknowledgment reactions and automated JIRA ticket management.

Features

  • Message Monitoring: Checks the last 100 messages in the configured Slack channel
  • Pattern Recognition: Identifies JIRA ticket references using multiple patterns:
    • Standard bot format: JIRA Ticket: <***/browse/ABCTICKET-1975|ABCTICKET-1975>
    • Plain text references: ABCTICKET-1975
    • JIRA URLs: https://.../browse/ABCTICKET-1975
  • Reaction Detection: Monitors for thumbs up reactions (πŸ‘, +1, thumbs_up)
  • User Assignment: Automatically assigns JIRA tickets to the first person who acknowledges
  • Status Management: Transitions tickets to "In Progress" upon acknowledgment
  • Thread Management: Posts acknowledgment confirmations in Slack threads
  • Duplicate Prevention: Checks thread replies to avoid duplicate processing
  • File Management: Automatically cleans up old mappings (older than 24 hours)

Usage

python check_acknowledgments.py

How It Works

  1. Message Retrieval: Fetches recent messages from the configured Slack channel
  2. Ticket Detection: Identifies messages containing JIRA ticket references
  3. Acknowledgment Check: Looks for thumbs up reactions on ticket messages
  4. User Processing: Gets user information and email for JIRA assignment
  5. Ticket Management:
    • Assigns the ticket to the acknowledging user
    • Sets the "Triage Started" timestamp field
    • Transitions the ticket to "In Progress" status
  6. Confirmation: Posts acknowledgment message in the Slack thread
  7. Tracking: Maintains a mapping file to prevent duplicate processing

Example Workflow

The acknowledgment system handles two different scenarios:

Scenario 1: Immediate Acknowledgment (During RSS Script)

When someone acknowledges the alert while the RSS script is still running (within the 1-minute timeout):

Immediate Acknowledgment

Workflow Steps:

  1. Initial Alert: Security Team Bot posts a DarkReading security alert with JIRA ticket link
  2. Quick Acknowledgment: Team member (Taiga Walker) reacts with thumbs up πŸ‘ within 1 minute
  3. Immediate Processing: The RSS script's monitor_for_thumbs_up function detects the reaction
  4. Confirmation: Bot posts acknowledgment confirmation with user mention and checkmark βœ…

Scenario 2: Delayed Acknowledgment (After RSS Script)

When acknowledgment occurs after the RSS script has completed (handled by check_acknowledgments.py):

Delayed Acknowledgment

Workflow Steps:

  1. Initial Alert: Security Team Bot posts a Krebs security alert with JIRA ticket link
  2. Ticket Creation: Bot creates JIRA ticket and posts confirmation in thread
  3. Delayed Acknowledgment: Team member reacts with thumbs up πŸ‘ after RSS script timeout
  4. Background Processing: check_acknowledgments.py detects the reaction during its next run
  5. Confirmation: Bot posts acknowledgment confirmation with user mention and checkmark βœ…

Both scenarios result in the same outcome: automatic ticket assignment, status transition to "In Progress", and acknowledgment confirmation in the Slack thread.

Statistics and Reporting

The script provides detailed statistics including:

  • Number of JIRA ticket messages found
  • Messages skipped (already processed)
  • Messages checked for new acknowledgments
  • New acknowledgments processed

File Management

  • .message_ticket_mappings.json: Tracks processed messages and acknowledgments
  • Automatic Cleanup: Removes mappings older than 24 hours to prevent file bloat
  • Error Handling: Graceful handling of API failures and missing data

πŸ“¦ Current Feed Sources

Feed Source Script Path Output XML
Hacker News filter_rss_hackernews.py feeds/hackernews-products.xml
CISA Advisories filter_rss_cisa.py feeds/cisa-products.xml
BleepingComputer filter_rss_bleeping.py feeds/bleeping-products.xml
Krebs on Security filter_rss_krebs.py feeds/krebs-products.xml
Dark Reading filter_rss_darkreading.py feeds/darkreading-products.xml

πŸ“ Repository Structure

Curated-RSS-Feeds/
β”œβ”€β”€ .github/workflows/              # GitHub Actions workflows
β”‚   β”œβ”€β”€ rss-filter-bleeping.yml
β”‚   β”œβ”€β”€ rss-filter-cisa.yml
β”‚   β”œβ”€β”€ rss-filter-hackernews.yml
β”‚   β”œβ”€β”€ rss-filter-krebs.yml
β”‚   β”œβ”€β”€ rss-filter-darkreading.yml
β”‚   └── check-acknowledgments.yml
β”œβ”€β”€ feeds/                          # Generated RSS feed outputs
β”‚   β”œβ”€β”€ hackernews-products.xml
β”‚   β”œβ”€β”€ cisa-products.xml
β”‚   β”œβ”€β”€ bleeping-products.xml
β”‚   β”œβ”€β”€ krebs-products.xml
β”‚   └── darkreading-products.xml
β”œβ”€β”€ filter_rss_hackernews.py        # HackerNews RSS filter
β”œβ”€β”€ filter_rss_cisa.py              # CISA advisories RSS filter
β”œβ”€β”€ filter_rss_bleeping.py          # BleepingComputer RSS filter
β”œβ”€β”€ filter_rss_krebs.py             # Krebs on Security RSS filter
β”œβ”€β”€ filter_rss_darkreading.py       # DarkReading RSS filter
β”œβ”€β”€ check_acknowledgments.py        # Acknowledgment monitoring script
β”œβ”€β”€ requirements.txt                 # Python dependencies
β”œβ”€β”€ README.md                       # This file
β”œβ”€β”€ LICENSE                         # MIT License
└── .gitignore                      # Git ignore rules

Contributing

  1. Fork the repository
  2. Create a feature branch
  3. Make your changes
  4. Test your changes
  5. Submit a pull request

License

This project is licensed under the MIT License - see the LICENSE file for details.

About

No description, website, or topics provided.

Resources

Readme

License

MIT license
Activity

Stars

18 stars

Watchers

0 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages