SOC - Alert Ingestion (Webhook) - Template Playbook Overview
This document provides detailed information about the SOC - Alert Ingestion (Webhook) template playbook, which ingests alerts via webhook events, processes them, and handles actions such as enrichment, correlation, and case creation.

Users need to configure only the following components:

- Placeholder Create TEDS Alert (Webhook)
- Custom Alert Data Extension (Webhook)
- Correlate (Webhook)

Note: These playbooks can and should be duplicated, and the Placeholder Create TEDS Alert List component swapped out to match the technology stack in your organization. This ensures the playbook works seamlessly with your chosen vendor's tools.

Overview

Objective: Automate webhook-based alert ingestion using Turbine logic to process alerts and transform them into actionable items.

Key workflow steps:

- Alerts are ingested through webhook events.
- Fetched alerts are standardized into TEDS objects.
- Each alert undergoes deduplication, enrichment, and correlation.
- Enriched and correlated alerts are used to create cases for investigation.

Accessing the Playbook

To access the playbook:

1. Navigate to Orchestration in the Swimlane platform.
2. Click on Playbooks.
3. Select SOC - Alert Ingestion (Webhook) Template.

Loop-Based Alert Processing in the Playbook

The playbook processes alerts triggered by incoming webhook events. Here's how it works:

- Alert ingestion: A webhook endpoint captures incoming alerts and passes them to the playbook.
- Data standardization: The raw webhook data is transformed into TEDS-compliant objects using the Placeholder Create TEDS Alert (Webhook) component.
- Deduplication: Alerts are evaluated for uniqueness using the Duplicate Alert Discovered (Webhook) component to avoid redundant processing.
- Enrichment: The Link Knowledge Base Articles (Webhook) component associates relevant KBAs with the alert. The Enrich Observables (Webhook) component adds threat intelligence data to the alert's observables.
- Correlation: Enriched alerts are correlated with existing data using the Correlate (Webhook) component.
- Case creation: Based on predefined criteria, alerts are escalated into cases for further investigation.

Configuring the Key Components of SOC - Alert Ingestion (Webhook)

Placeholder Create TEDS Alert (Webhook)

Purpose: Converts raw webhook alerts into TEDS objects for further processing.

Details: This is a placeholder component that can be replaced with VICs that output TEDS data.

Configuration:

1. Open the Placeholder Create TEDS Alert (Webhook) component.
2. Map the fields from the webhook payload to the corresponding TEDS fields. Key fields include:
   - Alert Category: Specifies the type of alert (for example, phishing, malware).
   - Alert Created Timestamp: Timestamp of when the alert was created.
   - Alert Provider: Source system or tool generating the alert.
3. Ensure all required TEDS fields are populated correctly for downstream processing.

Inputs:

- Webhook payload: Raw JSON data from the webhook containing alert information.

Outputs:

- TEDS object: Standardized object containing the alert data, with fields such as Alert Category, Alert Created Timestamp, and Alert Provider.

Custom Alert Data Extension (Webhook)

Purpose: Takes the raw JSON payload of the incoming alert and adds new fields to the alert TEDS object.

Configuration:

1. Open the Custom Alert Data Extension (Webhook) component.
2. Define the custom fields required for your organization's workflows. For example:
   - Custom Alert ID: A unique identifier for alerts in your system.
   - Enriched Severity: A recalculated severity score based on internal logic.
3. Map additional fields from the fetched alert data to these custom fields.
4. Ensure the output object is updated to include the new fields for correlation.

To automatically map custom fields to the CIM application, make sure the field names exactly match the field key values in the application definition. Otherwise, the playbook run results in an error.

Inputs:

- Raw alert data: JSON payload of the incoming alert.

Outputs:

- Enriched alert: TEDS object containing the enriched alert fields, including Custom Alert ID and Enriched Severity.

Correlate (Webhook)

Purpose: Correlates the ingested and enriched alert data with existing data for better context and prioritization.

Configuration:

1. Open the Correlate (Webhook) component.
2. Map fields from the enriched TEDS object to the correlation logic. Key fields include:
   - Alert: TEDS object containing standardized alert data.
   - Custom data: Object containing additional enriched fields.
3. Define correlation rules and logic.
4. Ensure the output object includes:
   - CIM Tracking IDs: An array of tracking IDs for correlation.
   - Correlation Context: Additional context generated during correlation.
5. Add the correlation logic to the Parallel node, followed by Append Variable and Update Variable nodes.

Testing and Validation

- Simulate webhook events to test the playbook's behavior.
- Validate that:
  - The fetched alerts are correctly converted into TEDS objects.
  - Custom fields are populated as expected.
  - Correlation rules are applied correctly, and relevant data is matched.
- Review the playbook's output to ensure the processed alerts are accurate and ready for case creation.
- Debug and refine mappings as needed.

Deployment

- Activate the playbook after testing.
- Monitor execution logs to ensure smooth operation.
- Adjust the configurations in the Placeholder Create TEDS Alert (Webhook), Custom Alert Data Extension (Webhook), and Correlate (Webhook) components as requirements evolve.

This documentation outlines the configuration and usage of the SOC - Alert Ingestion (Webhook) playbook, focusing on the key components users need to configure. For further assistance, consult the Turbine documentation or contact your system administrator.
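The three configurable components described above, modelled as plain Python functions so the mappings and checks can be tried before they are built into the playbook. This is an added illustration, not code from the Swimlane playbook or from Turbine; every field key (alert_category, custom_alert_id, cim_tracking_ids, the sample vendor payload keys) is an assumed stand-in for the real TEDS and CIM keys in your application definition, and the sample payload and existing records are constructed. It includes the required-field check and the application-definition key check that the configuration notes call for.

```python
"""Reference model of the three configurable components as plain Python.
Every field name below (alert_category, cim_tracking_ids, ...) is an assumed
stand-in; the real TEDS and CIM keys come from your application definition."""

REQUIRED_TEDS = ("alert_category", "alert_created_timestamp", "alert_provider")
# Assumed field keys of the target CIM application definition (constructed).
APP_FIELD_KEYS = {"custom_alert_id", "enriched_severity"}
# Constructed sample webhook payload from a fictional mail gateway.
SAMPLE_WEBHOOK = {"id": 1234, "type": "phishing", "ts": "2024-01-01T00:00:00Z",
                  "source": "mailgw", "severity": "high", "privileged": True}
# Constructed records already tracked in the CIM application.
SAMPLE_EXISTING = [{"tracking_id": "T-1", "alert_provider": "mailgw", "alert_category": "phishing"},
                   {"tracking_id": "T-2", "alert_provider": "edr", "alert_category": "malware"}]

def create_teds_alert(payload: dict) -> dict:
    """Placeholder Create TEDS Alert: map raw webhook keys to TEDS-style fields."""
    teds = {"alert_category": payload.get("type"),
            "alert_created_timestamp": payload.get("ts"),
            "alert_provider": payload.get("source")}
    missing = [k for k in REQUIRED_TEDS if not teds[k]]
    if missing:  # downstream nodes need every required field populated
        raise ValueError(f"required TEDS fields missing: {missing}")
    return teds

def extend_alert(teds: dict, payload: dict, app_keys: set = APP_FIELD_KEYS) -> dict:
    """Custom Alert Data Extension: add org-specific fields. Keys must match the
    application definition exactly; otherwise the playbook run errors out."""
    base = {"low": 1, "medium": 5, "high": 8}.get(str(payload.get("severity", "")).lower(), 1)
    custom = {"custom_alert_id": f"{teds['alert_provider']}-{payload.get('id')}",
              # internal rule: raise severity when the vendor flags a privileged user
              "enriched_severity": min(10, base + (2 if payload.get("privileged") else 0))}
    unknown = set(custom) - app_keys
    if unknown:
        raise KeyError(f"custom fields not in application definition: {sorted(unknown)}")
    return {**teds, **custom}

def correlate(alert: dict, existing: list) -> dict:
    """Correlate: attach CIM tracking ids of records sharing provider and category."""
    ids = [e["tracking_id"] for e in existing
           if (e["alert_provider"], e["alert_category"])
           == (alert["alert_provider"], alert["alert_category"])]
    return {**alert, "cim_tracking_ids": ids,
            "correlation_context": {"rule": "provider+category", "matched": len(ids)}}

def run_pipeline(payload: dict = SAMPLE_WEBHOOK, existing: list = SAMPLE_EXISTING) -> dict:
    """Chain the three components in the order the playbook runs them."""
    return correlate(extend_alert(create_teds_alert(payload), payload), existing)
```

Calling run_pipeline() on the constructed sample yields an alert with custom_alert_id "mailgw-1234", enriched_severity 10 and cim_tracking_ids ["T-1"]; a payload missing a required field, or a custom key absent from the application definition, raises instead of flowing downstream.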