SOC - Alert Ingestion (Cron) - Template Playbook Overview
This document provides detailed information about the SOC - Alert Ingestion (Cron) template playbook, which leverages scheduled tasks to pull alerts from external systems, process them, and handle actions such as enrichment, correlation, and case creation.

Users need to configure only the following components:
- Placeholder Create TEDS Alert List
- Custom Alert Data Extension (Cron)
- Correlate (Cron)

Note: These playbooks can and should be duplicated, and the Placeholder Create TEDS Alert List component swapped out to match the technology stack in your organization. This ensures the playbook works seamlessly with your chosen vendor's tools.

Overview

Objective: Automate scheduled alert ingestion using connectors, assets, and Turbine logic.

Key workflow steps:
1. Alerts are ingested on a cron schedule, fetching data from external systems.
2. Fetched alerts are standardized into TEDS objects.
3. Each alert undergoes deduplication, enrichment, and correlation.
4. Enriched and correlated alerts are used to create cases for investigation.

Accessing the Playbook

To access the playbook:
1. Navigate to Orchestration in the Swimlane platform.
2. Click on Playbooks.
3. Select SOC - Alert Ingestion (Cron) Template.

Loop-Based Alert Processing in the Playbook

The playbook processes alerts in a loop, ensuring each alert is uniquely processed. Here is how it works:
1. Alert ingestion: A cron-based schedule triggers the fetching of alerts from external systems.
2. Data standardization: Raw alert data is converted into TEDS-compliant objects using the Placeholder Create TEDS Alert List component.
3. Deduplication: Alerts are evaluated for uniqueness using the Duplicate Alert Discovered (Cron) component to avoid redundant processing.
4. Enrichment: The Link Knowledge Base Articles (Cron) component associates relevant KBAs with the alert. The Enrich Observables (Cron) component adds threat intelligence data to the alert's observables.
5. Correlation: Enriched alerts are correlated with existing data using the Correlate (Cron) component.
6. Case creation: Based on predefined criteria, alerts are escalated into cases for further investigation.

Configuring the Key Components of SOC - Alert Ingestion (Cron) Template

Placeholder Create TEDS Alert List

Purpose: Converts raw alerts fetched by the ingestion component into TEDS objects for further processing.

Configuration:
1. Open the Placeholder Create TEDS Alert List component.
2. Map the fields from the fetched alert data to the corresponding TEDS fields. Key fields include:
   - Alert Category: specifies the type of alert (for example, phishing, malware).
   - Alert Created Timestamp: timestamp of when the alert was created.
   - Alert Provider: source system or tool generating the alert.
3. Ensure all required TEDS fields are populated correctly for downstream processing.

Inputs:
- Fetched Alert Data: raw alert data from the ingestion process.

Outputs:
- TEDS Object List: list of standardized TEDS objects containing alert data, with fields such as Alert Category, Alert Created Timestamp, and Alert Provider.

Custom Alert Data Extension (Cron)

Purpose: Takes the raw JSON payload of the incoming alert and adds new fields to a Custom Alert Data object.

Configuration:
1. Open the Custom Alert Data Extension (Cron) component.
2. Define custom fields required for your organization's workflows. For example:
   - Custom Alert ID: a unique identifier for alerts in your system.
   - Enriched Severity: a recalculated severity score based on internal logic.
   - Custom SLA: the unique SLA values for a specific alert.
3. Map additional fields from the fetched alert data to these custom fields.
4. Ensure the output object is updated to include the new fields for correlation.

Note: In order to automatically map custom fields to the CIM application, make sure the field names exactly match the field key values in the application definition. Otherwise, the playbook run results in an error.

Input:
- Raw Alert Data: JSON payload of the incoming alert.

Outputs:
- Enriched Alert: TEDS object containing the enriched alert fields, including Custom Alert ID, Enriched Severity, and Custom SLA.

Correlate (Cron)

Purpose: Correlates the ingested and enriched alert data with existing data for better context and prioritization.

Configuration:
1. Open the Correlate (Cron) component.
2. Map fields from the enriched TEDS object to the correlation logic. Key fields include:
   - MITRE ATT&CK Tactic/Technique: used for mapping to MITRE frameworks.
   - Alert Impacted IP Addresses: IPs involved in the alert.
   - Alert Impacted Usernames: user accounts affected by the alert.
3. Define correlation rules and logic.
4. Ensure the output object includes CIM Tracking IDs and correlation context.

Inputs:
- Enriched Alert: TEDS object containing enriched alert fields.
- Existing CIM Records: existing data for correlation.

Outputs:
- CIM Tracking IDs: array of tracking IDs for correlation.
- Correlation Context: additional contextual data.

Testing and Validation

1. Run the playbook manually to test the configuration of each component.
2. Validate that:
   - Fetched alerts are correctly converted into TEDS objects.
   - Custom fields are populated as expected.
   - Correlation rules are applied correctly, and relevant data is matched.
3. Review the playbook's output to ensure the processed alerts are accurate and ready for case creation.
4. Debug and refine mappings as needed.

Deployment

1. Activate the playbook after testing.
2. Monitor execution logs to ensure smooth operation.
3. Adjust configurations in the Placeholder Create TEDS Alert List, Custom Alert Data Extension (Cron), and Correlate (Cron) components as requirements evolve.

This documentation outlines the configuration and usage of the SOC - Alert Ingestion (Cron) playbook, focusing on the key components users need to configure. For further assistance, consult the Turbine documentation or contact your system administrator.
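As an added illustration (not part of the original page and not Swimlane Turbine code), the following Python models the per-alert loop that the three configurable components implement: standardize a vendor payload into TEDS-style fields, add custom fields while checking that their names match the CIM application definition keys (the error case the Custom Alert Data Extension note describes), skip duplicates, and correlate on impacted IPs and usernames to produce CIM tracking IDs. The field keys, SLA values, sample alerts and CIM records are all constructed for this example.

```python
# Illustrative model of the playbook's per-alert loop; all names, keys and sample
# data below are constructed for this example and are not Turbine API calls.
CIM_FIELD_KEYS = {"custom_alert_id", "enriched_severity", "custom_sla"}  # constructed
SLA_HOURS = {"high": 1, "medium": 4, "low": 24}                          # constructed
# Constructed vendor payloads (the same alert arrives twice) and existing CIM records.
SAMPLE_ALERTS = [
    {"id": "a1", "source": "edr", "type": "Malware", "ts": "2024-01-01T10:00:00Z",
     "sev": "medium", "ips": ["10.0.0.5"], "users": ["jdoe"]},
    {"id": "a1", "source": "edr", "type": "Malware", "ts": "2024-01-01T10:00:00Z",
     "sev": "medium", "ips": ["10.0.0.5"], "users": ["jdoe"]},
    {"id": "p9", "source": "mailgw", "type": "Phishing", "ts": "2024-01-01T10:05:00Z",
     "sev": "low", "ips": ["203.0.113.7"]},
]
EXISTING_CIM = [{"tracking_id": "CIM-100", "observables": ["jdoe", "10.0.0.9"]},
                {"tracking_id": "CIM-101", "observables": ["198.51.100.2"]}]

def to_teds(raw):
    """Placeholder Create TEDS Alert List: map one vendor payload to TEDS fields."""
    return {"alert_category": raw["type"].lower(), "alert_created_timestamp": raw["ts"],
            "alert_provider": raw["source"], "severity": raw.get("sev", "low").lower(),
            "alert_impacted_ip_addresses": raw.get("ips", []),
            "alert_impacted_usernames": raw.get("users", [])}

def extend_custom(teds, raw):
    """Custom Alert Data Extension (Cron): add org fields; reject keys that do not
    match the CIM application definition, the failure the page's note warns about."""
    sev = "high" if teds["alert_impacted_usernames"] else teds["severity"]
    custom = {"custom_alert_id": f"{teds['alert_provider']}-{raw['id']}",
              "enriched_severity": sev, "custom_sla": SLA_HOURS[sev]}
    unknown = set(custom) - CIM_FIELD_KEYS
    if unknown:
        raise KeyError(f"custom fields missing from CIM definition: {sorted(unknown)}")
    return {**teds, **custom}

def correlate(alert, existing):
    """Correlate (Cron): match impacted IPs/usernames against existing CIM records."""
    keys = set(alert["alert_impacted_ip_addresses"]) | set(alert["alert_impacted_usernames"])
    ids = sorted(r["tracking_id"] for r in existing if keys & set(r["observables"]))
    return {**alert, "cim_tracking_ids": ids, "correlation_context": {"matched_on": sorted(keys)}}

def process_batch(raw_alerts, existing, seen):
    """One cron run: skip duplicates (Duplicate Alert Discovered), then extend and correlate."""
    out = []
    for raw in raw_alerts:
        key = (raw["source"], raw["id"])
        if key in seen:
            continue
        seen.add(key)
        out.append(correlate(extend_custom(to_teds(raw), raw), existing))
    return out
```

The `seen` set stands in for the state the deduplication component consults across runs, so a second call with the same batch yields nothing new.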