Setting up a Webhook
Setting up a Webhook to ingest alerts is relatively straightforward. In the following use case we use CrowdStrike as the platform whose alerts are ingested.
Please note that the following Chronicle SOAR Webhook features are disabled:
* Logs
* JSON Mapper (must be enabled in Custom mode)
* Use Webhook Data
* JSON Path
To set up a Webhook to ingest alerts:
- Navigate from the gear icon to Webhooks.
- Click the plus icon in the top left and create a new Webhook. In this example, we will be using CrowdStrike.
- After saving, the Webhook appears in the main screen.
- Copy the Webhook URL, as you will need to enter it in the CrowdStrike platform as the Webhook destination.
Note that the URL is no longer visible once you save the Webhook, so copy it as soon as you create the Webhook. If you save without copying, you can generate a new URL with the Refresh URL option. Treat the URL as a credential rather than a plain address: knowing it is enough to post data into this Webhook, so store it only where the CrowdStrike configuration needs it, and use Refresh URL to invalidate and replace it if it is ever exposed.
- In the Data Mapping section, select Upload JSON sample. (This is a sample detection payload you will have taken from CrowdStrike.)
- Map the Chronicle SOAR fields to the corresponding fields in the CrowdStrike JSON data shown on the right-hand side of the screen. Take the mandatory Chronicle SOAR alert field Start Time as an example: select it, then choose Detections.Last.Update from the JSON. The path appears in the Expression Builder below. For more information on how the Expression Builder works, refer to Using the Expression Builder.
You can further refine this field by adding a function on the right-hand side, for example Date Format.
- Once the refined expression appears in the Expression Builder, click Run to see the Results below.
Note that this is all you need to do to map a field. You can now select another alert field; Start Time displays with a green tick to show that it is mapped.
- Once you have mapped all the fields you need, make sure to Save and then Enable the Webhook.
Testing the Webhook
The Testing area lets you test the Webhook's end-to-end functionality, including detailed error descriptions if the Webhook isn't working.
- In the Testing section, copy the Webhook URL shown in the Parameters section.
- Next, upload a JSON file with the relevant data.
- Click Run. The results and output display below.
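The Data Mapping and Testing steps above are both driven by a JSON sample: the mapping resolves a path such as Detections.Last.Update inside it, and the test posts it to the Webhook URL. The following script is an added example, not code from the original guide or from Chronicle SOAR or CrowdStrike. It reproduces the mapping offline so you can confirm, before uploading, that every field you intend to map actually resolves in your sample and that the Start Time value parses as a timestamp, and it can then post the same sample to the Webhook for the end-to-end check. The sample payload, the fields other than Detections.Last.Update, the epoch-milliseconds target format and the SOAR_WEBHOOK_URL variable name are all assumptions for illustration.

```python
"""Pre-flight check for a Chronicle SOAR Webhook field mapping (added example)."""
import json
import os
import urllib.request
from datetime import datetime, timezone
from typing import Any

# Constructed sample, shaped only loosely like a CrowdStrike detection payload.
SAMPLE_JSON = json.dumps({
    "Detections": {
        "Last": {"Update": "2024-03-18T09:42:17Z"},  # the path named in the guide
        "Severity": 70,                              # assumed field
        "Hostname": "WKS-0412",                      # assumed field
    },
    "Workflow": {"Name": "New Detection"},
})

# Chronicle SOAR alert field -> dotted path in the sample. "Start Time" ->
# Detections.Last.Update comes from the guide; the other two paths are assumed.
MAPPING = {
    "Start Time": "Detections.Last.Update",
    "Severity": "Detections.Severity",
    "Source Host": "Detections.Hostname",
}


def resolve_path(obj: Any, dotted: str) -> Any:
    """Walk a dotted path through nested dicts/lists; return None if any step is missing."""
    cur = obj
    for part in dotted.split("."):
        if isinstance(cur, dict):
            cur = cur.get(part)
        elif isinstance(cur, list) and part.isdigit() and int(part) < len(cur):
            cur = cur[int(part)]
        else:
            return None
        if cur is None:
            return None
    return cur


def to_epoch_ms(value: Any) -> int:
    """Normalize an ISO 8601 string or a numeric epoch (seconds or ms) to epoch ms.

    Assumption: epoch milliseconds stands in for whatever your Date Format
    function produces in the Expression Builder; the guide does not name the format.
    """
    if isinstance(value, (int, float)):
        v = int(value)
        return v if v > 10**11 else v * 1000  # values above ~1e11 are already ms
    text = str(value).strip()
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    dt = datetime.fromisoformat(text)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return int(dt.timestamp() * 1000)


def validate_mapping(sample_json: str, mapping: dict[str, str]) -> dict[str, Any]:
    """Resolve every mapped field; fail loudly if the mandatory Start Time is absent."""
    data = json.loads(sample_json)
    mapped: dict[str, Any] = {}
    for field, path in mapping.items():
        value = resolve_path(data, path)
        if field == "Start Time":
            if value is None:
                raise ValueError(f"mandatory field {field!r}: {path} not found in sample")
            value = to_epoch_ms(value)
        mapped[field] = value
    return mapped


def post_sample(webhook_url: str, sample_json: str, timeout: float = 10.0) -> int:
    """POST the sample to the Webhook URL, as the Testing section does, and return the HTTP status.

    The URL is the secret that authorizes ingestion, so it is read from the
    environment by the caller rather than written into this file.
    """
    req = urllib.request.Request(
        webhook_url, data=sample_json.encode(), method="POST",
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    print(json.dumps(validate_mapping(SAMPLE_JSON, MAPPING), indent=2))
    url = os.environ.get("SOAR_WEBHOOK_URL")  # assumed variable name; unset = offline only
    if url:
        print("HTTP", post_sample(url, SAMPLE_JSON))
```

Run it with no environment variable set to check the mapping offline; export SOAR_WEBHOOK_URL with the URL you copied from the Testing section's Parameters to also exercise the Webhook end to end. A ValueError from validate_mapping means the sample you are about to upload does not contain the path you plan to map for the mandatory Start Time field.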
Configuring CrowdStrike Platform
For this specific use case, these are the steps to carry out in CrowdStrike so that the Webhook starts ingesting alerts into the Chronicle SOAR platform.
- Navigate to CrowdStrike Falcon Dashboard.
- Navigate to the Falcon store at this address and install the Webhooks add-on.
- Configure the Webhook with a name and the Webhook URL that you copied from the Chronicle SOAR platform, and click Save.
- Navigate to the Workflows section.
- Click Create a Workflow in the top right of the screen.
- Select a trigger such as New Detection and click Next.
- Next, select Add Action.
- In the option to Customize Action, select Notifications and Call Webhook.
- Select the Webhook name you configured earlier and fill in all necessary fields. Click Finish.