tCell helps visualize application-layer risk by reporting on real-time attacks in the Rapid7 Insight Cloud. However, rather than requiring security teams to log in to tCell on a regular cadence, tCell can be configured to notify me in real time of any suspicious activity. Personally, I like receiving Slack notifications for specific activities.
In order to configure alerts for Slack, I need to create a Slack destination for an incoming webhook by going here: https://my.slack.com/services/new/incoming-webhook/ (Heads up… this may require privileged access from a Slack admin).
From there, I can enter a channel or a user to which tCell should send alerts… (I created a channel for my application). My lead engineer always recommends keeping my naming conventions consistent, so since my application is called Customer Portal, I named my channel: #tcell-alerts-customer-portal.
Now that my incoming webhook in Slack is configured, I return to the Customer Portal app in tCell. Then I select “Settings” -> “Alerts” (see pic below), which brings me to this screen.
To decide which alerts I want to be notified about, I click +Add, select the alert type and insert the webhook URL and respective channel. Then… BOOM! I’m receiving my alerts on specific activity of interest from tCell in Slack rather than having to log in to the tCell UI every time.
More helpful information on configuring alerts for tCell for Slack, Teams, SIEMs, etc. can be found here: https://docs.tcell.io/docs/newsfeed-and-alerts