# Plugins & Alerting
Plugins receive events from InfraGuard and dispatch real-time alerts. Built-in plugins: Discord, Slack, syslog.
## Schema

```yaml
plugins:
  - infraguard.plugins.builtin.discord
  - infraguard.plugins.builtin.slack

plugin_settings:
  discord:
    enabled: true
    event_filter:
      only_blocked: false   # true = only alert on blocked requests
      min_score: 0.5        # minimum pipeline score to alert on
    options:
      webhook_url: "${DISCORD_WEBHOOK_URL}"
      username: "InfraGuard"
  slack:
    enabled: true
    event_filter:
      only_blocked: true
      min_score: 0.7
    options:
      webhook_url: "${SLACK_WEBHOOK_URL}"
      channel: "#red-team-alerts"
```

## Discord
Each event generates an embed with:
- Source IP and geolocation
- Pipeline score and filter that triggered the block
- Domain and path
- User-Agent
- Timestamp
High-value phishing.club events (credentials submitted, MFA captured) generate @here pings.
## Slack

Identical event data, delivered as a Block Kit message to the configured channel.

## Syslog

Forwards structured log events to a syslog endpoint (UDP/TCP). Useful for SIEM ingestion.
```yaml
plugins:
  - infraguard.plugins.builtin.syslog

plugin_settings:
  syslog:
    enabled: true
    options:
      host: "siem.internal"
      port: 514
      protocol: "udp"      # udp | tcp
      facility: "local0"
```

## Event Filter
`only_blocked: true` — only fire when the request was blocked (score ≥ threshold).

`only_blocked: false` — fire on all events. Combined with `min_score: 0.5`, this fires on:
- All blocked requests
- All suspected (scored but below threshold) requests
- Phishing.club credential captures (synthesized score 1.0)
- Burn indicators from CT/reputation monitors
## Writing Custom Plugins

Implement the `InfraGuardPlugin` interface:

```python
from infraguard.plugins.base import InfraGuardPlugin, RequestEvent


class MyPlugin(InfraGuardPlugin):
    async def on_event(self, event: RequestEvent) -> None:
        # Available fields: event.ip, event.domain, event.path, event.score,
        # event.filter_result, event.metadata
        # send_somewhere() stands for your own delivery method (webhook, queue, ...)
        await self.send_somewhere(event)
```

Register in config:

```yaml
plugins:
  - mypackage.myplugin.MyPlugin
```
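The following is an added, self-contained example (not InfraGuard's own code) that ties the Event Filter section to the custom-plugin hook above: a plugin that applies the documented `only_blocked` / `min_score` rule before delivering, run over a few constructed events. Because `infraguard.plugins.base` is not available offline, `RequestEvent` and `InfraGuardPlugin` are stand-ins that assume the attributes listed in the docs (plus a `blocked` flag, an assumption, so the filter can tell a blocked request from a merely scored one); `RecordingPlugin`, `format_alert`, `run` and the sample IPs/domain are all constructed for this example.

```python
import asyncio
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional


# Stand-in for infraguard.plugins.base.RequestEvent (assumption: the real class
# exposes the attributes named in the docs; `blocked` is added here so the filter
# can distinguish a blocked request from a merely scored one).
@dataclass
class RequestEvent:
    ip: str
    domain: str
    path: str
    score: float
    blocked: bool
    filter_result: Optional[str] = None
    metadata: Dict[str, Any] = field(default_factory=dict)


@dataclass
class EventFilter:
    """The documented event_filter keys and their firing rule."""
    only_blocked: bool = False
    min_score: float = 0.0

    def should_alert(self, event: RequestEvent) -> bool:
        if self.only_blocked:
            # only_blocked: true -> fire solely on blocked requests
            return event.blocked
        # only_blocked: false -> fire on anything at or above min_score
        return event.score >= self.min_score


# Stand-in for infraguard.plugins.base.InfraGuardPlugin (assumed shape: built from
# its plugin_settings entry and exposing an async on_event hook).
class InfraGuardPlugin:
    def __init__(self, settings: Dict[str, Any]) -> None:
        self.settings = settings

    async def on_event(self, event: RequestEvent) -> None:
        raise NotImplementedError


def format_alert(event: RequestEvent) -> Dict[str, Any]:
    """Flatten an event into the fields the Discord/Slack embeds carry."""
    return {
        "ip": event.ip,
        "domain": event.domain,
        "path": event.path,
        "score": event.score,
        "blocked": event.blocked,
        "filter_result": event.filter_result,
        "event_type": event.metadata.get("event_type", "request"),
    }


class RecordingPlugin(InfraGuardPlugin):
    """Applies event_filter, then 'delivers' by appending to an in-memory list."""

    def __init__(self, settings: Dict[str, Any]) -> None:
        super().__init__(settings)
        self.event_filter = EventFilter(**settings.get("event_filter", {}))
        self.sent: List[Dict[str, Any]] = []

    async def on_event(self, event: RequestEvent) -> None:
        if not self.event_filter.should_alert(event):
            return
        await self.send_somewhere(event)

    async def send_somewhere(self, event: RequestEvent) -> None:
        # A real plugin would POST to options.webhook_url here.
        self.sent.append(format_alert(event))


# Constructed sample events (documentation IP ranges, placeholder domain).
SAMPLE_EVENTS = [
    RequestEvent("198.51.100.23", "example.com", "/login", 0.92, True, "ua-blocklist"),
    RequestEvent("203.0.113.8", "example.com", "/", 0.61, False, None),
    RequestEvent("203.0.113.77", "example.com", "/favicon.ico", 0.10, False, None),
    RequestEvent("198.51.100.5", "example.com", "/login", 1.0, False, "phishing-club",
                 {"event_type": "credentials_submitted"}),
]


def run(settings: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Feed the sample events through a plugin built from one plugin_settings entry."""
    plugin = RecordingPlugin(settings)

    async def dispatch() -> None:
        for event in SAMPLE_EVENTS:
            await plugin.on_event(event)

    asyncio.run(dispatch())
    return plugin.sent


if __name__ == "__main__":
    discord_cfg = {"event_filter": {"only_blocked": False, "min_score": 0.5}}
    slack_cfg = {"event_filter": {"only_blocked": True, "min_score": 0.7}}
    for name, cfg in (("discord", discord_cfg), ("slack", slack_cfg)):
        for alert in run(cfg):
            print(name, alert)
```

With the Discord-style settings from the schema (`only_blocked: false`, `min_score: 0.5`) the blocked scan, the suspected 0.61 request and the credential capture all fire while the 0.10 request is dropped; with the Slack-style settings (`only_blocked: true`) only the blocked request fires, so a credential capture that was never blocked reaches Slack only if `only_blocked` is off.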