Setting up a Webhook to ingest alerts is relatively straightforward. In the following use case we will focus on using CrowdStrike as the platform through which to ingest alerts.

Please note that the following Chronicle SOAR Webhook features are disabled:
* Logs
* JSON Mapper (must be enabled in Custom mode)
* Use Webhook Data
* JSON Path

To set up a Webhook to ingest alerts:

  1. Navigate from the gear icon to Webhooks.
  2. Click the plus icon at the top left and create a new Webhook. In this example, we will be using CrowdStrike.
  3. After saving, the Webhook appears on the main screen.
  4. Copy the Webhook URL, as you will need to enter it in the CrowdStrike platform as the Webhook destination.
    Note that the URL is no longer visible once you save the Webhook, which is why we recommend copying it as soon as you create the Webhook. If you do save without copying it, you can generate a new URL with the Refresh URL option.
  5. In the Data Mapping section, select Upload JSON sample (a sample you have taken from CrowdStrike).
  6. The next stage is to map the Chronicle SOAR fields to the corresponding fields in the CrowdStrike JSON data, which is shown on the right-hand side of the screen. Take the mandatory Chronicle SOAR alert field Start Time as an example: select it, then choose Detections.Last.Update. The selection appears in the Expression Builder below. For more information on how the Expression Builder feature works, refer to Using the Expression Builder.
    You can further refine this field by adding a function on the right-hand side, for example Date Format.
  7. Once Detections.Last.Format appears in the Expression Builder, click Run to see the Results below.
    Note that this is all you need to do to map a field. You can now move on to another field, and Start Time will display with a green tick to show that it is mapped.
  8. Once you have mapped all the fields you need, make sure to Save and then Enable the Webhook.
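The mapping step above (a dotted JSON path plus an optional Date Format function, with Start Time as a mandatory field) can be reproduced outside the product to sanity-check a sample before uploading it. The following is an added example, not Chronicle SOAR or CrowdStrike code: the sample JSON, the field names under Detections, and the functions resolve_path, date_format and apply_mapping are all constructed for illustration, and the date format handled is assumed to be ISO 8601 with a trailing Z.

```python
import json
from datetime import datetime, timezone

# Constructed sample resembling what a CrowdStrike workflow webhook might post.
# The keys are assumptions for illustration, not CrowdStrike's documented schema.
SAMPLE_JSON = """
{
  "Detections": {
    "Last": {"Update": "2023-05-02T14:07:33Z"},
    "Severity": "High",
    "Hostname": "WS-0042"
  }
}
"""


def resolve_path(data, path):
    """Walk a dotted path such as 'Detections.Last.Update' through nested dicts.

    Returns None when any segment is missing, so a malformed sample surfaces as
    an unmapped field rather than an exception.
    """
    node = data
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def date_format(value, fmt="%Y-%m-%d %H:%M:%S"):
    """Stand-in for the mapper's Date Format function: parse an ISO 8601
    UTC timestamp (assumed input shape) and render it in the requested format."""
    dt = datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return dt.strftime(fmt)


# SOAR alert field -> (JSON path in the sample, optional transform function).
MAPPING = {
    "Start Time": ("Detections.Last.Update", date_format),
    "Severity": ("Detections.Severity", None),
    "Hostname": ("Detections.Hostname", None),
}
# Fields the Webhook must be able to fill; Start Time is mandatory per the steps above.
MANDATORY = {"Start Time"}


def apply_mapping(raw_json, mapping=MAPPING, mandatory=MANDATORY):
    """Apply every mapping to the raw JSON text.

    Returns (mapped_fields, missing_mandatory): the second list is what you
    would expect the product's Run step to complain about.
    """
    data = json.loads(raw_json)
    mapped = {}
    missing = []
    for field, (path, func) in mapping.items():
        value = resolve_path(data, path)
        if value is None:
            if field in mandatory:
                missing.append(field)
            continue
        mapped[field] = func(value) if func else value
    return mapped, missing


if __name__ == "__main__":
    fields, missing = apply_mapping(SAMPLE_JSON)
    print("mapped:", fields)
    print("missing mandatory:", missing)
```

Running it against the constructed sample maps Start Time to a formatted date; feeding it a sample that lacks Detections.Last.Update returns Start Time in the missing list, which is the case to watch for when a vendor changes its payload and the mandatory field silently stops populating.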

Testing the Webhook

The Testing area lets you test the Webhook's end-to-end functionality and shows detailed error descriptions if the Webhook isn't working.

  1. In the Testing section, copy over the Webhook URL that displays in the Parameters section.
  2. Next, upload a JSON file with the relevant data.
  3. Click Run. The results and the output display below.

Configuring CrowdStrike Platform

For this specific use case, we will take you through the steps you need to carry out in CrowdStrike for the Webhook to start ingesting alerts into the Chronicle SOAR platform.

  1. Navigate to the CrowdStrike Falcon Dashboard.
  2. Navigate to the Falcon store at this address and install the Webhooks addon.
  3. Configure the Webhook with the name and the Webhook URL that you copied over from the Chronicle SOAR platform and click Save.
  4. Navigate to the Workflows section.
  5. Click Create a Workflow on the top right of the screen.
  6. Select a trigger such as New Detection and click Next.
  7. Next, select Add Action.
  8. In the Customize Action option, select Notifications and then Call Webhook.
  9. Select the name you added at the beginning, complete all necessary fields, and click Finish.