SOC - Alert Ingestion (Webhook) - Template Playbook Overview
This document describes the SOC - Alert Ingestion (Webhook) template playbook, which ingests alerts delivered as webhook events, processes them, and handles enrichment, correlation, and case creation. Users need to configure only the following components:

- Placeholder Create TEDS Alert (Webhook)
- Custom Alert Data Extension (Webhook)
- Correlate (Webhook)

Note: these playbooks can and should be duplicated, with the Placeholder Create TEDS Alert (Webhook) component swapped out for one that matches the technology stack in your organization. This ensures the playbook works with your chosen vendor's tools.

Overview

Objective: automate webhook-based alert ingestion, using Turbine logic to process alerts and transform them into actionable items.

Key workflow steps:

1. Alerts are ingested through webhook events.
2. Received alerts are standardized into TEDS objects.
3. Each alert undergoes deduplication, enrichment, and correlation.
4. Enriched and correlated alerts are used to create cases for investigation.

Accessing the Playbook

1. Navigate to Orchestration in the Swimlane platform.
2. Click Playbooks.
3. Select SOC - Alert Ingestion (Webhook) Template.

Alert Processing in the Playbook

The playbook processes alerts triggered by incoming webhook events. Here is how it works:

1. Alert ingestion: a webhook endpoint captures incoming alerts and passes them to the playbook.
2. Data standardization: the raw webhook data is transformed into TEDS-compliant objects using the Placeholder Create TEDS Alert (Webhook) component.
3. Deduplication: alerts are evaluated for uniqueness using the Duplicate Alert Discovered (Webhook) component, to avoid redundant processing.
4. Enrichment: the Link Knowledge Base Articles (Webhook) component associates relevant KBAs with the alert, and the Enrich Observables (Webhook) component adds threat intelligence data to the alert's observables.
5. Correlation: enriched alerts are correlated with existing data using the Correlate (Webhook) component.
6. Case creation: based on predefined criteria, alerts are escalated into cases for further investigation.

Configuring the Key Components of SOC - Alert Ingestion (Webhook)

Placeholder Create TEDS Alert (Webhook)

Purpose: converts raw webhook alert payloads into TEDS (Turbine Extendable Data Schema) objects for further processing.

Details: this is a placeholder component that can be replaced with vendor-specific integration components (VICs) that output TEDS data.

Configuration:

1. Open the Placeholder Create TEDS Alert (Webhook) component.
2. Configure the component to receive webhook payload data. The component receives the webhook payload automatically when a webhook event is triggered.
3. Map fields from the webhook payload structure to the corresponding TEDS alert fields.
4. Configure any required transformations or data mappings.
5. Ensure all required TEDS fields are populated correctly for downstream processing.

Inputs:

- Webhook payload: raw JSON data from the webhook containing alert information. The payload structure depends on your source system. Common fields in webhook payloads include:
  - alert ID or unique identifier
  - alert title or name
  - alert description
  - severity or priority level
  - timestamp information
  - source system information
  - affected entities (IPs, hosts, users)
  - additional vendor-specific fields

Note: the webhook payload is passed to the component automatically when a webhook event is triggered. You need to configure field mappings within the component to extract data from the payload and map it to TEDS fields.

Outputs:

- Alert: standardized TEDS alert object containing the alert data, with fields such as:
  - Alert UID: unique identifier for the alert
  - Alert Title: title or summary of the alert
  - Alert Description: detailed description of the alert
  - Alert Category: type of alert (e.g., phishing, malware, suspicious activity)
  - Alert Severity: severity level of the alert
  - Alert Risk Score: risk score associated with the alert
  - Alert Created Timestamp: timestamp when the alert was created
  - Alert Start Timestamp: alert start time
  - Alert End Timestamp: alert end time (if applicable)
  - Alert Provider: source system or tool that generated the alert
  - Alert Organization: organization identifier
  - Alert Impacted IP Addresses: array of affected IP addresses
  - Alert Impacted Hostnames: array of affected hostnames
  - Alert Impacted Usernames: array of affected usernames
  - Alert MITRE ATT&CK Tactic/Technique: MITRE ATT&CK mappings
  - Observables: array of observable entities extracted from the alert
  - Raw Alert: raw alert data from the webhook payload

Important notes:

- The component automatically receives the webhook payload when an event is triggered.
- You must configure field mappings to extract data from your specific webhook payload format.
- The webhook payload structure varies by vendor; consult your source system's webhook documentation.
- Ensure the webhook endpoint is properly configured and secured.
- The component transforms the webhook payload into TEDS format according to the alert schema.
- Treat the payload as untrusted input: validate types and formats (for example, that IP fields actually parse as IP addresses and that severity values fall within the scale you expect), and fail the mapping on missing required fields rather than emitting a partially populated TEDS object downstream.

Example webhook payload mapping

If your webhook payload carries top-level fields named id, title, severity, timestamp and source, you would map:

- id → Alert UID
- title → Alert Title
- severity → Alert Severity
- timestamp → Alert Created Timestamp
- source → Alert Provider

Custom Alert Data Extension (Webhook)

Purpose: takes the raw JSON payload of the incoming alert and adds new fields to the alert TEDS object.

Configuration:

1. Open the Custom Alert Data Extension (Webhook) component.
2. Define the custom fields required for your organization's workflows, for example:
   - Custom Alert ID: a unique identifier for alerts in your system
   - Enriched Severity: a recalculated severity score based on internal logic
3. Map additional fields from the received alert data to these custom fields.
4. Ensure the output object is updated to include the new fields for correlation.

Inputs:

- Raw alert data: JSON payload of the incoming alert (from the webhook payload or a previous component's output).

Outputs:

- Enriched alert: TEDS object containing the enriched alert fields, including Custom Alert ID, Enriched Severity, all standard TEDS alert fields, and any additional custom fields you have configured.
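The following is an added example, not the template's component code and not Swimlane's TEDS implementation, that shows the Placeholder Create TEDS Alert (Webhook) and Custom Alert Data Extension (Webhook) steps above in plain Python. The TEDS field names are the snake_case form of the fields listed in this document (an assumption about naming), and the vendor payload (CONSTRUCTED_PAYLOAD), the 1 to 5 severity scale and the critical-host list are constructed for the example. It fails loudly on missing required fields and drops malformed IP values instead of letting junk vendor data through.

```python
"""Placeholder Create TEDS Alert (Webhook) and Custom Alert Data Extension (Webhook)
as plain Python. Added example, not Swimlane's component code: TEDS field names are
the snake_case form of the fields listed in this document, and the vendor payload,
the 1..5 severity scale and the critical-host list are constructed assumptions.
"""
import ipaddress
from datetime import datetime, timezone

# Constructed sample body standing in for one vendor's webhook delivery.
CONSTRUCTED_PAYLOAD = {
    "id": "evt-10042",
    "title": "Suspicious PowerShell execution",
    "description": "Encoded command launched from winword.exe",
    "severity": "HIGH",
    "timestamp": "2024-05-01T10:15:30Z",
    "source": "ExampleEDR",
    "host": "WS-0427",
    "user": "j.doe",
    "src_ip": "10.20.30.40",
    "dst_ip": "not-an-ip",      # junk vendor data: must be dropped, not crash ingestion
    "technique": "T1059.001",
}
SEVERITY_SCALE = {"informational": 1, "low": 2, "medium": 3, "high": 4, "critical": 5}
CRITICAL_HOSTS = {"ws-0427", "dc-01"}   # assumed internal crown-jewel asset list
REQUIRED = ("id", "title", "timestamp", "source")

def normalize_severity(raw):
    """Map vendor severity words or numbers onto 1..5; unknown values become 3 (medium)."""
    if isinstance(raw, (int, float)):
        return max(1, min(5, int(raw)))
    return SEVERITY_SCALE.get(str(raw).strip().lower(), 3)

def normalize_timestamp(raw):
    """Accept epoch seconds or ISO-8601 (with or without Z) and emit ISO-8601 in UTC."""
    if isinstance(raw, (int, float)):
        dt = datetime.fromtimestamp(raw, tz=timezone.utc)
    else:
        dt = datetime.fromisoformat(str(raw).replace("Z", "+00:00"))
        if dt.tzinfo is None:
            dt = dt.replace(tzinfo=timezone.utc)   # assume UTC when the vendor omits an offset
    return dt.astimezone(timezone.utc).isoformat()

def valid_ips(values):
    """Keep only values that parse as IP addresses; junk like 'not-an-ip' is dropped."""
    out = []
    for v in values:
        try:
            out.append(str(ipaddress.ip_address(str(v).strip())))
        except ValueError:
            pass
    return out

def missing_required(payload):
    """Names of required vendor fields that are absent or empty."""
    return [k for k in REQUIRED if not payload.get(k)]

def create_teds_alert(payload):
    """Placeholder Create TEDS Alert: map the raw payload onto TEDS fields, failing loudly if incomplete."""
    missing = missing_required(payload)
    if missing:
        raise ValueError(f"webhook payload missing required fields: {missing}")
    ips = valid_ips([payload.get("src_ip"), payload.get("dst_ip")])
    hosts = [payload["host"]] if payload.get("host") else []
    users = [payload["user"]] if payload.get("user") else []
    observables = (
        [{"type": "ip_address", "value": v} for v in ips]
        + [{"type": "hostname", "value": v} for v in hosts]
        + [{"type": "username", "value": v} for v in users]
    )
    return {
        "alert_uid": str(payload["id"]),
        "alert_title": payload["title"],
        "alert_description": payload.get("description", ""),
        "alert_severity": normalize_severity(payload.get("severity")),
        "alert_created_timestamp": normalize_timestamp(payload["timestamp"]),
        "alert_provider": payload["source"],
        "alert_impacted_ip_addresses": ips,
        "alert_impacted_hostnames": hosts,
        "alert_impacted_usernames": users,
        "alert_mitre_attack_technique": payload.get("technique"),
        "observables": observables,
        "raw_alert": payload,
    }

def extend_alert(alert):
    """Custom Alert Data Extension: add custom_alert_id and a recalculated enriched_severity."""
    enriched = dict(alert)
    # Namespace the vendor id with the provider so two tools cannot collide on "1234".
    enriched["custom_alert_id"] = f"{alert['alert_provider']}-{alert['alert_uid']}".lower()
    on_critical = any(h.lower() in CRITICAL_HOSTS for h in alert["alert_impacted_hostnames"])
    enriched["enriched_severity"] = min(5, alert["alert_severity"] + (1 if on_critical else 0))
    return enriched

if __name__ == "__main__":
    import json
    print(json.dumps(extend_alert(create_teds_alert(CONSTRUCTED_PAYLOAD)), indent=2))
```

The same shape applies to any vendor: keep the field mapping in one function per source system, normalize severities and timestamps to a single scale and time zone before correlation, and raise rather than guess when a required field is missing so the failure shows up in execution logs instead of as an empty case.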
Correlate (Webhook)

Purpose: correlates the ingested and enriched alert data with existing data for better context and prioritization.

Configuration:

1. Open the Correlate (Webhook) component.
2. Map fields from the enriched TEDS object to the correlation logic. Key fields include:
   - Alert: TEDS object containing standardized alert data
   - Custom Data: object containing additional enriched fields
3. Define correlation rules and logic.
4. Ensure the output object includes:
   - CIM Tracking IDs: an array of tracking IDs for correlation
   - Correlation Context: additional context generated during correlation
5. Add correlation logic to the Parallel node, followed by Append Variable and Update Variable nodes.

Inputs:

- Enriched alert: TEDS object containing enriched alert fields
- Custom data: object containing additional custom fields

Outputs:

- CIM Tracking IDs: array of tracking IDs for correlation
- Correlation Context: additional contextual data

Testing and Validation

1. Simulate webhook events to test the playbook's behavior.
2. Validate that:
   - the webhook payload is correctly received and parsed
   - the received alerts are correctly converted into TEDS objects
   - custom fields are populated as expected
   - correlation rules are applied correctly, and relevant data is matched
3. Review the playbook's output to ensure the processed alerts are accurate and ready for case creation.
4. Debug and refine mappings as needed.

Testing tips:

- Use the webhook trigger's test functionality to send sample payloads.
- Verify that your webhook endpoint is accessible and properly secured.
- Check that field mappings correctly extract data from your webhook payload format.
- Validate that the output alert objects contain all required TEDS fields.
- Test with various alert types and payload structures, including payloads with missing optional fields and malformed values, so mapping failures surface in testing rather than in production.
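As an added example of the Duplicate Alert Discovered (Webhook) and Correlate (Webhook) steps described above (example code, not the template's own components), the following Python implements one plausible set of rules over a constructed alert stream and can double as a harness for the "correlation rules are applied correctly" check. The rules are assumptions: a delivery is a duplicate if its provider-namespaced UID was already seen (a webhook retry) or if the same provider and title hit the same entities within DEDUP_WINDOW (a re-fired detection); alerts correlate when they share an impacted host, IP or user within CORRELATION_WINDOW; tracking IDs are derived from the alert that opened the cluster.

```python
"""Duplicate Alert Discovered (Webhook) and Correlate (Webhook), as plain Python.

Added example, not the template's own components. All rules are assumptions:
a delivery is a duplicate if its (provider, uid) was already seen, or if the same
provider+title hit the same entities within DEDUP_WINDOW; alerts correlate when
they share an impacted host, IP or user within CORRELATION_WINDOW.
"""
import hashlib
from datetime import datetime, timedelta

DEDUP_WINDOW = timedelta(hours=1)
CORRELATION_WINDOW = timedelta(hours=24)

def entities(alert):
    """Typed entity set shared by the dedup fingerprint and the correlation rule."""
    return (
        {("host", h.lower()) for h in alert.get("alert_impacted_hostnames", [])}
        | {("ip", i) for i in alert.get("alert_impacted_ip_addresses", [])}
        | {("user", u.lower()) for u in alert.get("alert_impacted_usernames", [])}
    )

def fingerprint(alert):
    """Content hash that still matches when a vendor re-fires a detection under a new uid."""
    parts = [alert["alert_provider"], alert["alert_title"]]
    parts += sorted(f"{t}:{v}" for t, v in entities(alert))
    return hashlib.sha256("|".join(parts).encode()).hexdigest()

class Correlator:
    def __init__(self):
        self.seen_uids = set()   # (provider, uid) pairs already ingested
        self.fingerprints = {}   # fingerprint -> time last seen
        self.clusters = []       # each: {"tracking_id", "entities", "last_seen"}

    def is_duplicate(self, alert):
        now = datetime.fromisoformat(alert["alert_created_timestamp"])
        key = (alert["alert_provider"], alert["alert_uid"])   # namespaced by provider
        if key in self.seen_uids:
            return True            # webhook retry or redelivery of the same event
        self.seen_uids.add(key)
        fp = fingerprint(alert)
        last = self.fingerprints.get(fp)
        self.fingerprints[fp] = now
        return last is not None and now - last <= DEDUP_WINDOW

    def correlate(self, alert):
        """Return cim_tracking_ids and correlation_context; open a cluster if nothing matches."""
        now = datetime.fromisoformat(alert["alert_created_timestamp"])
        ents, matched, context = entities(alert), [], {}
        for c in self.clusters:
            shared = ents & c["entities"]
            if shared and now - c["last_seen"] <= CORRELATION_WINDOW:
                matched.append(c["tracking_id"])
                context[c["tracking_id"]] = sorted(f"{t}:{v}" for t, v in shared)
                c["entities"] |= ents
                c["last_seen"] = now
        if not matched:
            seed = f"{alert['alert_provider']}:{alert['alert_uid']}".encode()
            tid = "trk-" + hashlib.sha256(seed).hexdigest()[:12]
            self.clusters.append({"tracking_id": tid, "entities": set(ents), "last_seen": now})
            matched = [tid]
        return {"cim_tracking_ids": matched, "correlation_context": context}

    def process(self, alert):
        if self.is_duplicate(alert):
            return {"duplicate": True, "cim_tracking_ids": [], "correlation_context": {}}
        return {"duplicate": False, **self.correlate(alert)}

def make_alert(uid, title, ts, host=None, ip=None, user=None, provider="ExampleEDR"):
    """Minimal TEDS-style alert built from constructed test values."""
    return {
        "alert_provider": provider, "alert_uid": uid, "alert_title": title,
        "alert_created_timestamp": ts,
        "alert_impacted_hostnames": [host] if host else [],
        "alert_impacted_ip_addresses": [ip] if ip else [],
        "alert_impacted_usernames": [user] if user else [],
    }

# Constructed stream: a detection, its webhook redelivery, the same detection
# re-fired under a new uid, a related alert on the same host, and an unrelated one.
CONSTRUCTED_STREAM = [
    make_alert("evt-1", "Suspicious PowerShell", "2024-05-01T10:15:30+00:00", host="WS-0427", user="j.doe"),
    make_alert("evt-1", "Suspicious PowerShell", "2024-05-01T10:15:31+00:00", host="WS-0427", user="j.doe"),
    make_alert("evt-1b", "Suspicious PowerShell", "2024-05-01T10:30:00+00:00", host="WS-0427", user="j.doe"),
    make_alert("evt-2", "Outbound beacon", "2024-05-01T12:00:00+00:00", host="ws-0427", ip="203.0.113.7"),
    make_alert("evt-3", "Brute force", "2024-05-03T08:00:00+00:00", host="DC-01", user="svc_backup"),
]

def run(stream):
    """Feed a stream through one Correlator and return the per-alert results."""
    c = Correlator()
    return [c.process(a) for a in stream]
```

Run it with `run(CONSTRUCTED_STREAM)`: the redelivery and the re-fired detection are flagged as duplicates, the beacon alert two hours later joins the PowerShell cluster because both name host ws-0427 (case-folded), and the brute-force alert on a different host opens a new tracking ID. In the playbook the Correlator state would live in the case or tracking data store rather than in memory; the rules and windows are the part a SOC tunes.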
Deployment

1. Activate the playbook after testing.
2. Configure the webhook endpoint URL in your source system to point to the Turbine webhook trigger.
3. Monitor execution logs to ensure smooth operation.
4. Adjust configurations in the Placeholder Create TEDS Alert (Webhook), Custom Alert Data Extension (Webhook), and Correlate (Webhook) components as requirements evolve.

Deployment considerations:

- Ensure the webhook endpoint is properly secured: serve it over HTTPS only and require authentication (for example, a shared secret or token that the source system presents on every delivery).
- Implement webhook signature verification where your source system supports it, and include a freshness check on the signed timestamp so that a captured delivery cannot simply be replayed.
- Configure rate limiting if your source system sends high volumes of alerts.
- Set up proper error handling and alerting for failed webhook processing.
- Monitor webhook delivery and processing to ensure alerts are being received correctly.

This documentation outlines the configuration and usage of the SOC - Alert Ingestion (Webhook) playbook, focusing on the key components users need to configure.
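The following is an added example, not part of the template, of the signature verification and replay check recommended in the deployment considerations. The scheme is an assumption modelled on common vendor practice: the sender puts a Unix timestamp in an X-Webhook-Timestamp header and hex(HMAC-SHA256(secret, "<timestamp>.<raw body>")) in X-Webhook-Signature. Header names, the signing string and the tolerance are assumptions; take the real ones from your source system's documentation. The secret, timestamp and body are constructed fixtures.

```python
"""Signature verification and replay protection in front of the Turbine webhook trigger.

Added example, not part of the template. The scheme is an assumption modelled on
common vendor practice: the sender puts a Unix timestamp in X-Webhook-Timestamp and
hex(HMAC-SHA256(secret, "<timestamp>.<raw body>")) in X-Webhook-Signature. Header
names and the signing string vary by vendor; take them from the source system's docs.
"""
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 300   # reject deliveries whose timestamp is more than 5 minutes off

def sign(secret, timestamp, body):
    """Compute the signature the assumed sender produces (used here to build test data)."""
    return hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()

def verify_webhook(secret, headers, body, now=None):
    """Return (accepted, reason). Verify the RAW body bytes, never re-serialised JSON."""
    h = {k.lower(): v for k, v in headers.items()}
    ts_raw, sig = h.get("x-webhook-timestamp"), h.get("x-webhook-signature")
    if not ts_raw or not sig:
        return False, "missing signature headers"
    try:
        ts = int(ts_raw)
    except ValueError:
        return False, "malformed timestamp"
    now = time.time() if now is None else now
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False, "stale timestamp"      # replayed capture or badly skewed clock
    expected = sign(secret, ts, body)
    # Constant-time compare: a plain == leaks how many leading characters matched.
    if not hmac.compare_digest(expected, sig.strip().lower()):
        return False, "signature mismatch"   # tampered body, wrong secret, or edited timestamp
    return True, "ok"

# Constructed delivery: the secret, timestamp and body are test fixtures, not real values.
SECRET = b"assumed-shared-secret-rotate-me"
BODY = b'{"id":"evt-10042","title":"Suspicious PowerShell execution","severity":"HIGH"}'
SENT_AT = 1714558530
HEADERS = {
    "Content-Type": "application/json",
    "X-Webhook-Timestamp": str(SENT_AT),
    "X-Webhook-Signature": sign(SECRET, SENT_AT, BODY),
}

if __name__ == "__main__":
    print(verify_webhook(SECRET, HEADERS, BODY, now=SENT_AT + 5))
    print(verify_webhook(SECRET, HEADERS, BODY + b" ", now=SENT_AT + 5))
    print(verify_webhook(SECRET, HEADERS, BODY, now=SENT_AT + 3600))
```

Run this check before the body is parsed or handed to the Placeholder Create TEDS Alert (Webhook) component, and on the exact bytes received: re-serialising the JSON changes whitespace and key order and breaks the MAC. Because the timestamp is inside the signed string, an attacker who captures a delivery cannot refresh the timestamp to pass the staleness check without also invalidating the signature.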