Integration Examples
This guide provides step-by-step examples for integrating common security tools with AI SOC. Each example includes configuration steps and troubleshooting tips.

Splunk Integration

Splunk is a common SIEM platform used for security monitoring and alerting. Integrate Splunk with AI SOC to automatically ingest security alerts and create signals.

Integration methods

Method 1: Webhook ingestion (recommended)

Use Splunk's webhook capabilities to send alerts directly to AI SOC in real time.

Step 1: Configure the Splunk alert action
In Splunk, create or edit a saved search that generates security alerts, then add a webhook alert action:
- URL: your AI SOC webhook endpoint URL
- HTTP method: POST
- Authentication: include an API key or token in the headers if required

Step 2: Configure the AI SOC ingestion playbook
- Navigate to Orchestration → Playbooks.
- Open the SOC Alert Ingestion (Webhook) template.
- Configure the placeholder Create TEDS Alert (Webhook) action: map Splunk fields to the TEDS format and ensure observable extraction is configured.
- Configure the Custom Alert Data Extension (Webhook): map Splunk-specific fields to signal fields and preserve the raw alert data for investigation.

Step 3: Test the integration
- Trigger a test alert in Splunk.
- Verify that the alert appears in Signal Triage.
- Check that observables are extracted correctly.
- Verify that threat intelligence enrichment runs automatically.

Method 2: Bulk ingestion (cron)

Use scheduled searches to pull alerts in bulk on a regular interval.

Step 1: Configure a Splunk scheduled search
- Create a saved search that returns security alerts.
- Schedule the search to run every 5 to 15 minutes.
- Configure the search to output results in a format AI SOC can consume.

Step 2: Configure the AI SOC bulk ingestion playbook
- Navigate to Orchestration → Playbooks.
- Open the SOC Alert Ingestion (Cron) template.
- Configure the placeholder Create TEDS Alert List action: set up the API connection to Splunk, configure authentication (API token or credentials), and map the Splunk search results to the alert format.
- Configure the cron schedule to match the Splunk search schedule.

Step 3: Configure Splunk API access
- In Splunk, create an API token or app with appropriate permissions.
- Configure the token in AI SOC assets: navigate to Orchestration → Assets, create or update the Splunk asset with the API credentials, and test the connection.

Troubleshooting
- Alerts not appearing: check the webhook URL, authentication, and playbook enablement.
- Observables not extracted: verify the field mappings in the playbook configuration.
- Authentication errors: verify API token permissions and expiration.

CrowdStrike Integration

CrowdStrike Falcon is an EDR/XDR platform. Integrate CrowdStrike to ingest detection alerts and enrich signals with endpoint data.

Integration methods

Method 1: Webhook ingestion

Use CrowdStrike's Stream API or webhook capabilities to send detection alerts to AI SOC.

Step 1: Configure the CrowdStrike Stream API
- In the CrowdStrike Falcon console, navigate to Support → API Clients and Keys.
- Create a new API client with Detection Read and Host Read permissions.
- Note the client ID and client secret.

Step 2: Set up the detection stream
- Use CrowdStrike's Stream API to subscribe to detection events.
- Configure a webhook endpoint that receives detection alerts:
  - URL: your AI SOC webhook endpoint URL
  - Format: JSON

Step 3: Configure the AI SOC ingestion playbook
- Navigate to Orchestration → Playbooks.
- Open the SOC Alert Ingestion (Webhook) template.
- Configure the field mappings:
  - map host information to the source IP observable
  - map process information to the file hash observable
  - map MITRE ATT&CK techniques
  - map severity to signal severity

Step 4: Configure the CrowdStrike asset
- Navigate to Orchestration → Assets and create a CrowdStrike asset:
  - Base URL: the CrowdStrike API URL
  - Client ID: your CrowdStrike API client ID
  - Client secret: your CrowdStrike API client secret
- Test the connection.

Method 2: Using the CrowdStrike connector in investigation plans

Use CrowdStrike connector actions in investigation plans to query endpoint data.

Step 1: Install the CrowdStrike connector
- Navigate to Library → Swimlane Content.
- Search for the "CrowdStrike" connector and install it.

Step 2: Configure the connector asset
- Navigate to Orchestration → Assets.
- Configure the CrowdStrike asset with the API credentials and test the connection.

Step 3: Use the connector in investigation plans
When generating investigation plans, Hero AI will suggest CrowdStrike actions such as:
- Get endpoint details
- List detections for host
- Search for processes connecting to IP
- Get process details

Troubleshooting
- Authentication errors: verify API client permissions and token expiration.
- Missing endpoint data: check that the host is visible in the CrowdStrike console.
- Timeout errors: verify network connectivity and API rate limits.

Threat Intelligence Provider Integration

Integrate threat intelligence providers to enrich observables automatically.

VirusTotal integration

Step 1: Obtain an API key
- Sign up for a VirusTotal account.
- Navigate to the API key section and copy your API key.

Step 2: Configure the asset
- Navigate to Orchestration → Assets and create a VirusTotal asset:
  - API key: your VirusTotal API key
  - Base URL: the VirusTotal API URL
- Test the connection.

Step 3: Configure the enrichment playbook
- Open the SOC Enrich Observables playbook.
- Ensure the VirusTotal enrichment action is included.
- Optionally, configure VirusTotal as the primary provider for file hashes.

Recorded Future integration

Step 1: Obtain API credentials
- In Recorded Future, navigate to Settings → API.
- Create an API token and note the token and the API URL.

Step 2: Configure the asset
- Navigate to Orchestration → Assets and create a Recorded Future asset:
  - API token: your Recorded Future token
  - Base URL: your Recorded Future API URL
- Test the connection.

Step 3: Configure Recorded Future as a primary provider
- Navigate to Orchestration → Assets.
- Configure the TI Primary Intelligence Providers asset and set Recorded Future as primary for IPs and domains.
- Configure the enrichment playbook to use the primary providers.

General Integration Best Practices

Webhook configuration

Security:
- Use HTTPS for all webhook endpoints.
- Implement authentication (API keys, tokens, or signatures).
- Validate webhook payloads before processing them.
- Rate limit webhook endpoints to prevent abuse.

Reliability:
- Implement retry logic for failed webhook deliveries.
- Log all webhook receipts for audit purposes.
- Monitor webhook endpoint health.
- Set up alerts for webhook failures.

Field mapping

Standardization:
- Map vendor-specific fields to standardized signal fields.
- Preserve raw alert data in custom fields for investigation.
- Extract observables consistently across integrations.
- Map severity levels to the AI SOC severity scale.

Observable extraction:
- Configure playbooks to extract all observable types (IPs, domains, hashes, URLs).
- Validate observable formats before enrichment.
- Handle multiple observables per alert.
- Support nested observables in complex alert structures.

Testing

Test scenarios:
- Send a test alert from the source system.
- Verify signal creation in AI SOC.
- Check observable extraction.
- Verify threat intelligence enrichment.
- Test investigation plan generation.
- Validate field mappings.

Common issues:
- Missing observables: check the extraction logic in the playbook.
- Field mapping errors: review the field mappings and data types.
- Authentication failures: verify credentials and permissions.
- Timeout errors: check network connectivity and API rate limits.

Related documentation
- Initial Setup and Configuration
- Daily Operational Tasks
- Common Integration Issues
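As an added example (not Swimlane's own code), the following Python receiver applies the webhook security, field mapping and observable extraction practices described under General Integration Best Practices to a Splunk webhook alert. It assumes the sender signs the raw request body with HMAC-SHA256 in an X-Signature header, a constructed Splunk payload shape with the triggering row under "result", and a made-up numeric severity scale; none of these come from the AI SOC documentation.

```python
import hashlib, hmac, ipaddress, json, re

SEVERITY_SCALE = {"critical": 4, "high": 3, "medium": 2, "low": 1, "informational": 0}  # assumed scale
HASH_RE = re.compile(r"[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}")  # MD5 / SHA-1 / SHA-256
DOMAIN_RE = re.compile(r"(?=.{4,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")

def sign_body(secret: bytes, body: bytes) -> str:
    """Sender side: HMAC-SHA256 over the exact raw body, carried in the assumed X-Signature header."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()

def verify_signature(secret: bytes, body: bytes, header_sig: str) -> bool:
    """Receiver side: constant-time compare, so a forged header cannot be matched byte by byte."""
    return hmac.compare_digest(sign_body(secret, body), header_sig.strip().lower())

def classify(value: str):
    """Validate one token as ip / hash / url / domain; return (type, normalized) or None."""
    v, low = value.strip(), value.strip().lower()
    if HASH_RE.fullmatch(low):
        return "hash", low
    try:
        return "ip", str(ipaddress.ip_address(v))
    except ValueError:
        pass  # not an IP; fall through to the URL and domain checks
    if low.startswith(("http://", "https://")) and len(v) > 8:
        return "url", v  # scheme check only; a full URL parser would also validate the host
    return ("domain", low) if DOMAIN_RE.fullmatch(low) else None

def extract_observables(node, found=None) -> dict:
    """Walk nested dicts/lists, split multi-value strings, keep each validated observable once."""
    found = {} if found is None else found
    children = node.values() if isinstance(node, dict) else node if isinstance(node, list) else []
    for child in children:
        extract_observables(child, found)
    if isinstance(node, str):
        for hit in filter(None, (classify(p) for p in re.split(r"[,;\s]+", node) if p)):
            if hit[1] not in found.setdefault(hit[0], []):
                found[hit[0]].append(hit[1])
    return found

def splunk_webhook_to_signal(secret: bytes, body: bytes, header_sig: str) -> dict:
    """Verify the delivery first, then map the Splunk webhook alert to a standardized signal."""
    if not verify_signature(secret, body, header_sig):
        raise PermissionError("webhook signature mismatch")
    alert = json.loads(body)
    row = alert.get("result", {})  # Splunk's webhook action nests the triggering event row here
    return {"title": alert.get("search_name", "Splunk alert"),
            "severity": SEVERITY_SCALE.get(str(row.get("severity", "")).lower(), 2),
            "observables": extract_observables(row),
            "raw": alert}  # raw alert preserved in full for investigation
```

A purely syntactic domain check also accepts file names such as powershell.exe, so restrict domain extraction to host and URL fields, or check the top-level label against a public suffix list, before sending observables to enrichment.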