
Using the Automox API to Fight Alert Fatigue With Beacons and Spider Bots

Those who work in the tech industry understand the value that modern digital dashboards add to business processes. In the past, ‘dashboards’ looked abysmal and were overwhelming. Anyone remember MRTG?

At Automox, we have dedicated a significant amount of time to ideating, updating, and improving the UI of our console. Specifically, we have designed the console to avoid what the medical industry calls alert fatigue. Alert fatigue results from individuals being bombarded by alerts that are often non-critical and distracting. This leads to desensitization, and people start to miss or ignore the updates and actions that actually matter.

With the ever-increasing amount of data and tooling in the digital landscape, even the best of us struggle to keep up with the action items stemming from the alerts we receive every day. In the security information and event management (SIEM) world, this happens when a system has not been tuned and far too many alerts are delivered.

As I pondered this topic and its relation to Automox, I thought, “What if there was a device in the real world that displayed hosts needing patches, using Python and the Automox API?” As it turns out, I was able to create this device with the Onion Omega 2 IoT device.

Note - to try this at home, you will need an Onion Omega 2 and the OLED Expansion. You can find both of these things here. Onion makes setup easy; follow their step-by-step guide.

TL;DR

If you want to skip the code below and see these physical alerts in action, check out the video below. It shows how to use the Automox API to look for unpatched hosts. To demonstrate the API, we set up two real-world examples of physical alerts: a police beacon light and a spider robot. If more than 5% of hosts have missing patches, the spider starts walking across a desk or the beacon light goes off.


Step 1: Installing Prereqs

To do this yourself, first log in to the Omega and install Python 3 along with the two modules the script uses (requests for the API calls, prettytable for the --table output):

root@Omega-94A2:~# opkg update
root@Omega-94A2:~# opkg install python3
root@Omega-94A2:~# opkg install python3-pip
root@Omega-94A2:~# pip3 install requests
root@Omega-94A2:~# pip3 install prettytable
 

Step 2: Python

In a previous blog post, we introduced you to using the Automox API to find hosts with missing patches. To complete the task in this post, all we need to do is modify that script to display data on the OLED board. Onion ships a Python module for the expansion, but the oled-exp command-line tool is simpler, so we call it with subprocess.

The function we’ll add is shown below. It uses oled-exp to initialize the display (-i), clear it (-c) and write a message. One caveat: the message contains hostnames returned by the API, so pass it to the tool as a separate argument rather than interpolating it into a shell string with shell=True. Otherwise a hostname containing shell metacharacters would be executed as a command on the Omega:

import subprocess

def writeLCD(msg):
       # oled-exp -i -c write <msg>: initialize and clear the OLED, then write msg.
       # msg is one argv element (no shell), so API-supplied hostnames cannot inject commands.
       subprocess.run(["oled-exp", "-i", "-c", "write", msg], check=True, stdout=subprocess.PIPE)
 

Step 3: Running Code

The full code can be found here, but the usage is shown below:

usage: onion.py [-h] [--limit LIMIT] [--csv] [--table] [--lcd] [--light]
                apiKey

Automox API Example

positional arguments:
  apiKey         API Key

optional arguments:
  -h, --help     show this help message and exit
  --limit LIMIT  Limit results to X
  --csv          Output as CSV
  --table        Output as table
  --lcd          Output on Onion LCD
 

To query your organization, pass in the API key (found under Settings in the Automox Console) and --csv or --table:

Passing --lcd updates the physical IoT device. The device could sit on a desk and increase situational awareness, helping to avoid alert fatigue. Treat the key as a credential: given on the command line it ends up in your shell history and is visible to other local users through ps, so for anything beyond a demo read it from an environment variable or a file with restrictive permissions instead:

root@Omega-94A2:~#  ./onion.py 1112222333444555666  --lcd
 

Step 4: Sound the Alarm

IoT devices like the Onion allow us to go a step further. Here, we make an old-timey police light flash when there are hosts out of compliance. The one used in this demo can be purchased on Amazon, along with the Relay Expansion board from Onion.

Since the flashing light uses mains power, be very careful if you decide to copy this example. First, make sure it is disconnected from the wall. Then unscrew the thumb switch, strip the ends, solder (tin) them so they do not fray, and attach them to the relay’s screw terminals:

Because this is mains power, best practice is to take extra caution. In this example, I used two pieces of 4”x3” plexiglass to make an enclosure. Be sure to leave a hole for accessing the screw terminals on the relay:

Now we simply add a --light argument to the argparse parser and use the relay-exp command-line tool. We turn relay channel 0 on, sleep for 30 seconds, then turn it off. The off command sits in a finally block so the beacon is not left energized if the script is interrupted mid-sleep:

import subprocess
import time

def writeLight(seconds=30):
       # relay-exp -i <channel> <state>: initialize the Relay Expansion and set channel 0.
       subprocess.run(["relay-exp", "-i", "0", "1"], check=True, stdout=subprocess.PIPE)
       try:
              time.sleep(seconds)
       finally:
              # Always switch the relay back off, even on Ctrl-C or an exception.
              subprocess.run(["relay-exp", "-i", "0", "0"], check=True, stdout=subprocess.PIPE)
 
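The pieces above (the API lookup from Step 2, the OLED update from Step 3 and the relay pulse from Step 4) fit together as follows. This is an added example, not the code from the original post or Automox’s onion.py. It assumes that the servers endpoint is https://console.automox.com/api/servers, authenticated with an Authorization: Bearer header, and that each server object carries a name and an integer pending_patches field (check these against your own response before relying on them); it reads the key from the AUTOMOX_API_KEY environment variable rather than argv, falls back to a constructed sample inventory and a dry run when no key is set, and uses the 5% threshold from the TL;DR. One of the constructed hostnames contains shell metacharacters to show that the command builders pass it through as a single argument:

```python
"""Added example: turn an Automox server inventory into a physical alert.

Not the original post's code. Assumed (not from the page): the /api/servers
endpoint shape, Bearer-token auth, the "name"/"pending_patches" fields and the
AUTOMOX_API_KEY environment variable.
"""
import os
import subprocess
import time
from typing import Dict, List, Optional

AUTOMOX_SERVERS_URL = "https://console.automox.com/api/servers"  # assumed endpoint
ALERT_THRESHOLD_PCT = 5.0  # from the post: alarm when more than 5% of hosts need patches

# Constructed sample inventory standing in for a live API response.
SAMPLE_SERVERS: List[Dict] = [
    {"name": "web-01", "pending_patches": 0},
    {"name": "db-01", "pending_patches": 4},
    {"name": "bastion; rm -rf /", "pending_patches": 2},  # hostile name: must never hit a shell
    {"name": "build-02", "pending_patches": 0},
]


def fetch_servers(api_key: str, org_id: Optional[str] = None) -> List[Dict]:
    """Live lookup (assumed API shape); needs network access and the requests module."""
    import requests  # imported here so the offline helpers below work without it
    params = {"limit": 500}
    if org_id:
        params["o"] = org_id  # assumed: organization selector used by the Automox API
    resp = requests.get(AUTOMOX_SERVERS_URL, params=params, timeout=30,
                        headers={"Authorization": "Bearer " + api_key})
    resp.raise_for_status()
    return resp.json()


def unpatched_hosts(servers: List[Dict]) -> List[str]:
    """Names of hosts with at least one pending patch."""
    return [s["name"] for s in servers if s.get("pending_patches", 0) > 0]


def percent_unpatched(servers: List[Dict]) -> float:
    if not servers:
        return 0.0
    return 100.0 * len(unpatched_hosts(servers)) / len(servers)


def needs_alarm(servers: List[Dict], threshold_pct: float = ALERT_THRESHOLD_PCT) -> bool:
    return percent_unpatched(servers) > threshold_pct


def lcd_argv(servers: List[Dict]) -> List[str]:
    """argv for oled-exp: the message is one argument, never interpolated into a shell."""
    names = unpatched_hosts(servers)
    msg = "%d/%d unpatched: %s" % (len(names), len(servers), ", ".join(names))
    return ["oled-exp", "-i", "-c", "write", msg]


def relay_argv(channel: int, on: bool) -> List[str]:
    """argv for relay-exp: initialize, then set <channel> to 1 (on) or 0 (off)."""
    return ["relay-exp", "-i", str(channel), "1" if on else "0"]


def run(argv: List[str], dry_run: bool = False) -> str:
    """Execute with shell=False; in dry-run mode just return the command line."""
    if dry_run:
        return " ".join(argv)
    done = subprocess.run(argv, check=True, stdout=subprocess.PIPE, universal_newlines=True)
    return done.stdout.strip()


def pulse_relay(seconds: float, channel: int = 0, dry_run: bool = False) -> None:
    """Energize the relay for `seconds`, switching it off again even if interrupted."""
    run(relay_argv(channel, True), dry_run)
    try:
        time.sleep(0 if dry_run else seconds)
    finally:
        run(relay_argv(channel, False), dry_run)


def main() -> None:
    key = os.environ.get("AUTOMOX_API_KEY")  # assumed variable name; keeps the key out of argv/ps
    servers = fetch_servers(key) if key else SAMPLE_SERVERS
    dry = not key  # no key: no network and no hardware, just show the commands
    print(run(lcd_argv(servers), dry))
    if needs_alarm(servers):
        pulse_relay(30, dry_run=dry)  # use a much shorter pulse for the spider bot


if __name__ == "__main__":
    main()
```

Run it without AUTOMOX_API_KEY set to see the exact oled-exp and relay-exp command lines it would issue; with the key set and the expansions attached it drives the hardware. The threshold comparison is strict, so exactly 5% of hosts unpatched does not fire the relay.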

Step 5: Spider Bot Fun

Why stop with a flashing beacon light? Nothing grabs a sysadmin's attention better than a spider bot walking across their desk. To do this, I used a cheap spider bot kit and simply hooked it up to the relay (see above). *Pro tip - you may wish to make the sleep shorter so it doesn’t walk right off your desk.

Conclusion

While this was a lighthearted post, I always think it is worth presenting cyber intelligence in a manner that is easy to digest. I hope this post made your wheels start turning in terms of creating new and innovative ways to help fight alert fatigue. As always, feel free to email me if you have any questions: support@automox.com.

About Automox

Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes the aperture of attack by more than 80% with just half the effort of traditional solutions.

Cloud-based and globally available, Automox enforces OS & third-party patch management, security configurations, and custom scripting across Windows, Mac, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure.

Experience modern, cloud-based patch management today with a 15-day free trial of Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.