Installing and Configuring AI ...
## Configure Ingestion Playbooks
AI SOC includes template playbooks for alert and email ingestion. These templates are designed to be duplicated and then configured for your specific integrations. The AI SOC bundle also includes the AI Ingestion application, which you can use to build vendor connectors from OpenAPI specs and to do Hero AI-assisted TEDS mapping for alert ingestion. For the full guide to the AI Ingestion widget (creating connector components, running the ingestion process, mapping to TEDS), see docid 0p9qwz3o 0j5dnkpjugmq.

Duplicate the template playbooks listed below first, then configure the copies. Do not edit the originals directly: duplicating preserves the template for future reuse and keeps a clean baseline for additional integrations.

### AI SOC Alert Ingestion (Cron) template

**Purpose:** pull alerts in bulk from source systems on a schedule.

**Configuration steps:**

1. Duplicate the template playbook (do not edit the original).
2. Configure the placeholder **Get TEDS Alerts** component:
   - Set up the connection to your alert source (SIEM, XDR, etc.).
   - Configure authentication (API keys, OAuth, etc.).
   - Map source alert fields to TEDS format.
   - Configure the search parameters used to fetch alerts.
3. Configure the **AI SOC Extend TEDS Alerts (Bulk) Template** component:
   - Map vendor-specific fields to Signal triage fields.
   - Preserve raw alert data if needed.
   - Add any custom field mappings.
4. Configure the **AI SOC Correlate Alerts** component:
   - Set correlation parameters (time windows, matching criteria).
   - Configure correlation rules.
5. Enable the playbook and configure the cron schedule to match the polling frequency your alert source supports.

**Flow:** Fetch alerts → Convert to TEDS → Extend with custom fields → Deduplicate → Enrich observables → Correlate → Create/update Signal records

The playbook uses the Ingest Alert sensor, which is triggered by the cron schedule.

### AI SOC Alert Ingestion (Webhook) template

**Purpose:** receive alerts in real time via webhook.

**Configuration steps:**

1. Duplicate the template playbook (do not edit the original).
2. Configure the webhook sensor:
   - Navigate to Orchestration → Sensors.
   - Find the Ingest Alert sensor (or create a new webhook sensor).
   - Note the webhook URL provided.
   - Configure authentication if required (API keys, tokens, etc.). Without it, anything that can reach the URL can inject alerts into the pipeline.
   - Enable the sensor.
3. Configure the placeholder **Get TEDS Alerts** component (in the playbook):
   - Map webhook payload fields to TEDS format.
   - Ensure observable extraction is configured.
   - Handle the webhook payload structure.
4. Configure the **AI SOC Extend TEDS Alert** component:
   - Map vendor-specific fields to Signal triage fields.
   - Preserve raw alert data in the Alert Raw JSON field.
   - Add any custom field mappings.
5. Configure the **AI SOC Correlate Alerts** component:
   - Set correlation parameters (time windows, matching criteria).
   - Configure correlation rules.

**Flow:** Receive webhook → Convert to TEDS → Extend with custom fields → Deduplicate → Enrich observables → Correlate → Create/update Signal records

After configuration, provide the webhook URL to your alert source system (SIEM, XDR, and so on) to start receiving alerts.

### AI SOC Phishing Ingestion (Cron) template

**Purpose:** process phishing emails in bulk from email sources on a schedule.

**Configuration steps:**

1. Duplicate the template playbook (do not edit the original).
2. Configure the placeholder **Get TEDS Emails** component:
   - Set up the connection to the email source (Microsoft Graph API, IMAP, etc.).
   - Configure authentication (OAuth for Microsoft Graph, credentials for IMAP).
   - Configure email search parameters (folder, date range, filters).
   - Map email fields to the email TEDS format.
3. Configure the **AI SOC Extend TEDS Alerts (Bulk) Template** component:
   - Map email-specific fields to Signal triage fields.
   - Extract observables (URLs, sender addresses, attachment hashes).
   - Preserve raw email data.
4. Configure the **AI SOC Correlate Alerts** component:
   - Set correlation parameters.
   - Configure correlation rules for phishing emails.
5. Enable the playbook and configure the cron schedule to check for new emails.

**Flow:** Retrieve emails → Convert to email TEDS → Extend with custom fields → Deduplicate → Enrich observables → Correlate → Create/update Signal records

The playbook uses the Ingest Email sensor, which is triggered by the cron schedule. Ensure your email source is reachable from the platform and that authentication is properly configured before enabling the schedule.

## Post-installation checklist

After installation and initial configuration, verify:

- [ ] All applications are present and accessible
- [ ] Hero AI is enabled and accessible
- [ ] Threat intelligence assets are configured and tested
- [ ] Ingestion playbooks are duplicated and configured
- [ ] Test alerts can be ingested successfully
- [ ] Observables are extracted correctly
- [ ] Threat intelligence enrichment runs automatically
- [ ] Investigation plans can be generated
- [ ] Dashboards and reports are accessible

## Related documentation

- Your First Signal Investigation (docid p7qjquayekczhpxeppwcp)
- Application Walkthroughs (docid uosuzrpsl6hfe9d6br5az)
- Integration Configuration Examples (docid vm1j5 5rzqx4lc0hqoaiv)
- Common Installation and Configuration Issues (docid cknuxqv85k9lu0ocqv218)
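The three templates above share one flow: receive or fetch → convert to TEDS → extend → deduplicate → enrich → correlate → create/update Signals. The following Python script is an added example written for this page, not Swimlane code and not the playbook components themselves; it shows what the deduplicate and correlate steps actually decide, and why the raw payload is kept alongside the mapped fields. The normalized record is an assumed minimal schema standing in for TEDS (the real TEDS field names differ), the vendor alert payloads are constructed, the 30-minute window and host-based matching are illustrative correlation parameters, and the enrichment step is omitted. The webhook token check illustrates the "configure authentication" step for the webhook sensor using a constant-time comparison.

```python
"""Minimal alert ingestion flow: verify webhook token -> normalize -> deduplicate -> correlate.

Added example, not Swimlane AI SOC code. The normalized record is an assumed
minimal schema standing in for TEDS; the real TEDS field names differ.
"""
import hashlib
import hmac
import json
from datetime import datetime, timedelta

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample payloads from a hypothetical vendor (not real alert data).
# The second entry is a byte-for-byte redelivery of the first, as happens when a
# source retries a webhook or a cron search window overlaps the previous run.
SAMPLE_VENDOR_ALERTS = [
    {"id": "A1", "ts": "2024-05-01T10:00:00Z", "rule": "Suspicious PowerShell",
     "sev": "High", "host": "ws-01", "user": "alice", "sha256": "ab" * 32},
    {"id": "A1", "ts": "2024-05-01T10:00:00Z", "rule": "Suspicious PowerShell",
     "sev": "High", "host": "ws-01", "user": "alice", "sha256": "ab" * 32},
    {"id": "A2", "ts": "2024-05-01T10:04:00Z", "rule": "LSASS memory read",
     "sev": "Critical", "host": "ws-01", "user": "alice"},
    {"id": "A3", "ts": "2024-05-01T12:30:00Z", "rule": "Suspicious PowerShell",
     "sev": "High", "host": "ws-02", "user": "bob"},
]


def verify_webhook_token(presented: str, expected: str) -> bool:
    """Constant-time check of the shared token the alert source sends with each webhook."""
    return hmac.compare_digest(presented.encode(), expected.encode())


def to_normalized(vendor: dict) -> dict:
    """Map vendor-specific fields to the assumed schema and keep the raw payload.

    raw_json preserves everything the source sent, so an incomplete mapping
    loses nothing the analyst may later need.
    """
    return {
        "source_id": vendor["id"],
        "observed_at": datetime.fromisoformat(vendor["ts"].replace("Z", "+00:00")),
        "title": vendor["rule"],
        "severity": vendor["sev"].lower(),
        "observables": {k: vendor[k] for k in ("host", "user", "sha256") if k in vendor},
        "raw_json": json.dumps(vendor, sort_keys=True),
    }


def fingerprint(alert: dict) -> str:
    """Stable dedup key built from the fields that identify the alert at its source."""
    key = "|".join([alert["source_id"], alert["observed_at"].isoformat(), alert["title"]])
    return hashlib.sha256(key.encode()).hexdigest()


def deduplicate(alerts: list) -> list:
    """Drop redeliveries and overlapping-window repeats, keeping first occurrence."""
    seen, unique = set(), []
    for alert in alerts:
        fp = fingerprint(alert)
        if fp not in seen:
            seen.add(fp)
            unique.append(alert)
    return unique


def correlate(alerts: list, window: timedelta = timedelta(minutes=30), key: str = "host") -> list:
    """Group alerts sharing `key` that arrive within `window` of the group's first alert.

    Each group is a candidate Signal; its severity is the highest member severity.
    """
    signals = []
    for alert in sorted(alerts, key=lambda a: a["observed_at"]):
        match_value = alert["observables"].get(key)
        for sig in signals:
            if sig["key"] == match_value and alert["observed_at"] - sig["first_seen"] <= window:
                sig["alerts"].append(alert)
                if SEVERITY_RANK[alert["severity"]] > SEVERITY_RANK[sig["severity"]]:
                    sig["severity"] = alert["severity"]
                break
        else:
            signals.append({"key": match_value, "first_seen": alert["observed_at"],
                            "severity": alert["severity"], "alerts": [alert]})
    return signals


def ingest(vendor_alerts: list) -> list:
    """Run the flow end to end and return the Signals that would be created or updated."""
    return correlate(deduplicate([to_normalized(v) for v in vendor_alerts]))


if __name__ == "__main__":
    for sig in ingest(SAMPLE_VENDOR_ALERTS):
        print(sig["key"], sig["severity"], [a["source_id"] for a in sig["alerts"]])
```

On the constructed input the duplicate A1 is dropped, A1 and A2 collapse into one Signal for ws-01 whose severity is raised to critical by A2, and A3 starts a separate Signal for ws-02 because it is outside the window and on another host. The fingerprint deliberately covers only the source identifier, timestamp and title rather than the whole raw payload, so a redelivery that differs only in transport metadata still deduplicates; widen or narrow it to match what your source guarantees is stable.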