SOC - Alert Ingestion (Cron) - Template Playbook Overview
This document describes the SOC - Alert Ingestion (Cron) template playbook, which uses scheduled tasks to pull alerts from external systems, process them, and handle actions such as enrichment, correlation, and case creation. Users need to configure only the following components:

- Placeholder - Create TEDS Alert List
- Custom Alert Data Extension (Cron)
- Correlate (Cron)

Note: These playbooks can and should be duplicated, with the Placeholder - Create TEDS Alert List component swapped out to match the technology stack in your organization. This ensures the playbook works seamlessly with your chosen vendor's tools.

Overview

Objective
Automate scheduled alert ingestion using connectors, assets, and Turbine logic.

Key Workflow Steps
1. Alerts are ingested on a cron schedule, fetching data from external systems.
2. Fetched alerts are standardized into TEDS objects.
3. Each alert undergoes deduplication, enrichment, and correlation.
4. Enriched and correlated alerts are used to create cases for investigation.

Accessing the Playbook
To access the playbook:
1. Navigate to Orchestration in the Swimlane platform.
2. Click on Playbooks.
3. Select SOC - Alert Ingestion (Cron) Template.

Loop-Based Alert Processing in the Playbook
The playbook processes alerts in a loop, ensuring each alert is processed individually and without duplication. Here's how it works:
1. Alert Ingestion: A cron-based schedule triggers the fetching of alerts from external systems.
2. Data Standardization: Raw alert data is converted into TEDS-compliant objects using the Placeholder - Create TEDS Alert List component.
3. Deduplication: Alerts are evaluated for uniqueness using the Duplicate Alert Discovered (Cron) component to avoid redundant processing.
4. Enrichment: The Link Knowledge Base Articles (Cron) component associates relevant KBAs with the alert. The Enrich Observables (Cron) component adds threat intelligence data to the alert's observables.
5. Correlation: Enriched alerts are correlated with existing data using the Correlate (Cron) component.
6. Case Creation: Based on predefined criteria, alerts are escalated into cases for further investigation.

Configuring the Key Components of SOC - Alert Ingestion (Cron) Template

Placeholder - Create TEDS Alert List

Purpose
Queries alerts from external systems based on organization and time parameters, then converts the fetched alerts into TEDS (Turbine Extendable Data Schema) objects for further processing.

Configuration
1. Open the Placeholder - Create TEDS Alert List component.
2. Configure the required inputs:
   - Organization (required): Specify the organization identifier for the alerts you want to fetch. This may be:
     - an organization ID from your source system (e.g., "org-12345")
     - an organization name (e.g., "Security Operations")
     - a property reference from the playbook context (e.g., {{ playbook.organization }})
     - a static value configured in your playbook
   - Start Time (required): Specify the start time for querying alerts. This determines which alerts are fetched based on their creation or ingestion time. The format depends on your source system and connector:
     - ISO 8601 timestamp: "2024-01-01T00:00:00Z"
     - relative time expression: "1 hour ago" or "24 hours ago" (if supported by your connector)
     - property reference: {{ playbook.start_time }} or {{ playbook.last_run_time }}
   Note: The component uses this parameter to query alerts created or ingested after this time. For cron-based ingestion, you typically want to fetch alerts since the last run.

Inputs
- Organization (required): Organization identifier for filtering alerts from the source system.
- Start Time (required): Start time for querying alerts (determines the time range for alert retrieval).

Outputs
- Alerts: Array of standardized TEDS alert objects, where each alert contains fields such as:
  - Alert Category: Type of alert (e.g., phishing, malware, suspicious activity)
  - Alert Created Timestamp: Timestamp when the alert was created in the source system
  - Alert Provider: Source system or tool that generated the alert
  - Alert UID: Unique identifier for the alert
  - Alert Title: Title or summary of the alert
  - Alert Description: Detailed description of the alert
  - Alert Severity: Severity level of the alert
  - Alert Risk Score: Risk score associated with the alert
  - Additional TEDS-compliant fields as defined by the alert schema

Important Notes
- The component queries alerts from your configured source system (via connector/asset) using the Organization and Start Time parameters.
- The fetched alerts are automatically transformed into TEDS format according to the Alert Triage Ingestion interface.
- You may need to configure field mappings within the component if your source system's alert format differs from the standard TEDS schema.
- Ensure your connector/asset is properly configured to authenticate and access the source system.
- The Start Time parameter is critical for incremental ingestion: it ensures you only fetch new alerts since the last run, avoiding duplicate processing.

Example Configuration
- Organization: "org-12345"
- Start Time: "2024-01-15T00:00:00Z"

Or, using playbook context:
- Organization: {{ playbook.organization }}
- Start Time: {{ playbook.last_run_timestamp }}

Custom Alert Data Extension (Cron)

Purpose
Takes the raw JSON payload of the incoming alert and adds new fields to a custom alert data object.

Configuration
1. Open the Custom Alert Data Extension (Cron) component.
2. Define the custom fields required for your organization's workflows. For example:
   - Custom Alert ID: A unique identifier for alerts in your system
   - Enriched Severity: A recalculated severity score based on internal logic
   - Custom SLA: The SLA values specific to a particular alert
3. Map additional fields from the fetched alert data to these custom fields.
4. Ensure the output object is updated to include the new fields for correlation.

Note: In order to automatically map custom fields to the CIM application, make sure the field names exactly match the field key values in the application definition. Otherwise, the playbook run results in an error.

Input
- Raw Alert Data: JSON payload of the incoming alert

Outputs
- Enriched Alert: TEDS object containing the enriched alert fields, including:
  - Custom Alert ID
  - Enriched Severity
  - Custom SLA

Correlate (Cron)

Purpose
Correlates the ingested and enriched alert data with existing data for better context and prioritization.

Configuration
1. Open the Correlate (Cron) component.
2. Map fields from the enriched TEDS object to the correlation logic. Key fields include:
   - MITRE ATT&CK Tactic/Technique: Used for mapping to MITRE frameworks
   - Alert Impacted IP Addresses: IPs involved in the alert
   - Alert Impacted Usernames: User accounts affected by the alert
3. Define correlation rules and logic.
4. Ensure the output object includes CIM tracking IDs and correlation context.

Inputs
- Enriched Alert: TEDS object containing enriched alert fields
- Existing CIM Records: Existing data for correlation

Outputs
- CIM Tracking IDs: Array of tracking IDs for correlation
- Correlation Context: Additional contextual data

Testing and Validation
1. Run the playbook manually to test the configuration of each component.
2. Validate that:
   - The Organization and Start Time inputs are correctly configured for the Placeholder - Create TEDS Alert List component.
   - The fetched alerts are correctly converted into TEDS objects.
   - Custom fields are populated as expected.
   - Correlation rules are applied correctly, and relevant data is matched.
3. Review the playbook's output to ensure the processed alerts are accurate and ready for case creation.
4. Debug and refine mappings as needed.

Testing Tips
- Start with a recent Start Time to limit the number of alerts fetched during initial testing.
- Verify that the Organization value matches your source system's organization identifier format.
- Check the component logs to ensure alerts are being fetched successfully.
- Validate that the output alerts contain all required TEDS fields.

Deployment
1. Activate the playbook after testing.
2. Monitor execution logs to ensure smooth operation.
3. Adjust configurations in the Placeholder - Create TEDS Alert List, Custom Alert Data Extension (Cron), and Correlate (Cron) components as requirements evolve.
4. Ensure the Start Time parameter is configured to support incremental ingestion (e.g., using the last run timestamp).

Deployment Considerations
- Configure the cron schedule appropriately for your alert volume and requirements.
- Set up proper error handling and alerting for failed playbook runs.
- Monitor the playbook execution to ensure alerts are being processed correctly.
- Consider implementing a mechanism to track and update the Start Time parameter automatically based on the last successful run.

This documentation outlines the configuration and usage of the SOC - Alert Ingestion (Cron) playbook, focusing on the key components users need to configure.
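The following Python script is an added illustration of the incremental ingestion loop this article describes (fetch by Organization and Start Time, standardize into TEDS-style fields, deduplicate by Alert UID, extend custom fields, then advance the Start Time watermark); it is not Swimlane or Turbine code, and the source payload, field names and `example-siem` provider are constructed assumptions. It shows why the watermark is applied inclusively and why deduplication is still needed: an alert created exactly at the watermark is refetched on the next run rather than skipped, and the UID check drops it.

```python
from datetime import datetime, timezone

# Constructed sample payload standing in for a source system's API response
# (field names are assumptions, not a real vendor schema).
RAW_ALERTS = [
    {"id": "a-100", "org": "org-12345", "created": "2024-01-15T00:05:00Z", "type": "phishing", "name": "Credential phishing email", "severity": "high", "score": 80},
    {"id": "a-101", "org": "org-12345", "created": "2024-01-15T00:05:00Z", "type": "malware", "name": "EDR quarantine event", "severity": "medium", "score": 55},
    {"id": "a-102", "org": "org-99999", "created": "2024-01-15T00:07:00Z", "type": "suspicious activity", "name": "Other tenant alert", "severity": "low", "score": 10},
    {"id": "a-103", "org": "org-12345", "created": "2024-01-15T00:09:00Z", "type": "suspicious activity", "name": "Impossible travel", "severity": "low", "score": 30},
]
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

def parse_ts(value):
    """Parse the ISO 8601 'Z' timestamps used in the article's examples."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def fetch_alerts(source, organization, start_time):
    """Query step: Organization filter plus created >= Start Time. The inclusive
    bound means an alert created exactly at the watermark is never lost."""
    since = parse_ts(start_time)
    return [a for a in source if a["org"] == organization and parse_ts(a["created"]) >= since]

def to_teds(raw):
    """Standardize one raw alert into the TEDS-style fields listed in this article."""
    return {"alert_uid": raw["id"], "alert_provider": "example-siem",
            "alert_category": raw["type"], "alert_title": raw["name"],
            "alert_created_timestamp": raw["created"], "alert_severity": raw["severity"],
            "alert_risk_score": raw["score"]}

def extend_custom_fields(alert):
    """Custom Alert Data Extension step: add Custom Alert ID and Enriched Severity."""
    alert["custom_alert_id"] = f"{alert['alert_provider']}:{alert['alert_uid']}"
    # Assumed internal logic: raise severity one rank when the risk score is 75 or more.
    rank = SEVERITY_RANK[alert["alert_severity"]] + (1 if alert["alert_risk_score"] >= 75 else 0)
    alert["enriched_severity"] = min(rank, 4)
    return alert

def run_once(source, organization, start_time, seen_uids):
    """One cron run: fetch, standardize, deduplicate, extend. Returns the new alerts
    and the Start Time for the next run (newest created timestamp seen, else unchanged)."""
    fresh, next_start = [], start_time
    for raw in fetch_alerts(source, organization, start_time):
        teds = to_teds(raw)
        if teds["alert_uid"] in seen_uids:      # Duplicate Alert Discovered step
            continue
        seen_uids.add(teds["alert_uid"])
        fresh.append(extend_custom_fields(teds))
        if parse_ts(teds["alert_created_timestamp"]) > parse_ts(next_start):
            next_start = teds["alert_created_timestamp"]
    return fresh, next_start
```

Running `run_once` twice with the returned watermark shows the second run refetching `a-103` and discarding it as a duplicate, which is the behaviour to verify before scheduling the real playbook.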