Setting up a webhook

Webhooks are a lightweight solution for pushing alerts from your organization into the platform. 

Cases with alerts ingested by webhooks appear in the platform with the same information as cases with alerts ingested using connectors.

Google recommends using either a connector or a webhook, but not both from the same source in order to avoid duplicates.

Webhooks are recommended for scenarios where only basic mapping logic is required. For situations where advanced mapping logic is required, Google recommends using connectors, because they provide more advanced and flexible mapping options.

Setting up a webhook for your organization is relatively straightforward. The following use case focuses on using CrowdStrike as the platform through which to ingest alerts.

Set up a webhook to ingest alerts

  1. Navigate to SOAR Settings > Ingestion > Webhooks.
  2. Click Add incoming Webhook at the top left and create a new webhook. This example uses CrowdStrike.
  3. After saving, the webhook appears on the main page.
  4. Copy the webhook URL. You need to enter it in the CrowdStrike platform as the webhook destination.
  5. In the Data Mapping section, select Upload JSON sample (use the sample taken from CrowdStrike).
  6. The next stage is to map the Google Security Operations fields to the corresponding fields in the CrowdStrike JSON data uploaded on the right-hand side of the page. For example, select the mandatory Google Security Operations alert field StartTime and then choose Detections.Last.Update. This appears in the Expression Builder. For more information on how the Expression Builder feature works, refer to Using the Expression Builder.
     You can further refine this field by adding a function on the right-hand side, for example Date Format.
  7. Once Detections.Last.Format appears in the Expression Builder, you can click Run to see the results.
     This is all you need to do to map a field. You can now select another alert, and the Start time is displayed with a green check to show that it's mapped.
  8. After you have mapped all the fields you need, click Save and then enable the webhook.
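The following Python script is an added example, not part of this page or of the Google Security Operations product, that shows what the "basic mapping logic" of a webhook amounts to: pick values out of an uploaded JSON sample by dotted path (Detections.Last.Update, as in the steps above), apply a Date Format function, and check that the mandatory alert fields are populated before the alert is accepted. The sample payload, its nested layout, the MAPPING table, the target field names other than StartTime, and the epoch-milliseconds output format are all constructed assumptions for the example; the real Expression Builder has its own syntax and functions.

```python
"""Constructed illustration of basic webhook field mapping (not Google's code)."""
import json
from datetime import datetime, timezone

# Constructed CrowdStrike-style sample. The nested layout is an assumption chosen
# so that the dotted path Detections.Last.Update used on the page resolves.
SAMPLE_JSON = json.dumps({
    "Detections": {
        "Last": {"Update": "2024-05-01T12:34:56Z"},
        "Severity": "High",
        "Hostname": "workstation-42",
    },
    "Description": "Suspicious process execution",
})


def get_path(obj, dotted):
    """Walk a dotted path such as 'Detections.Last.Update'; return None if any
    segment is missing rather than raising, so one bad sample cannot break ingestion."""
    cur = obj
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def date_format(value, fmt="%Y-%m-%dT%H:%M:%SZ"):
    """Stand-in for the Date Format function: parse an ISO-8601 UTC timestamp
    string and return epoch milliseconds (output format is an assumption)."""
    dt = datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
    return int(dt.timestamp() * 1000)


# Assumed mapping table: target alert field -> (source path, optional function).
MAPPING = {
    "StartTime": ("Detections.Last.Update", date_format),
    "Name": ("Description", None),
    "Priority": ("Detections.Severity", None),
    "Hostname": ("Detections.Hostname", None),
}
MANDATORY = ("StartTime", "Name")  # assumed set of mandatory alert fields


def map_alert(raw_json, mapping=MAPPING):
    """Apply the mapping table to one raw webhook body and return the alert dict.
    Raises ValueError when a mandatory field could not be mapped, which is the
    condition the webhook Testing tab reports as a mapping error."""
    data = json.loads(raw_json)
    alert = {}
    for target, (path, func) in mapping.items():
        value = get_path(data, path)
        if value is None:
            continue  # optional field absent from this sample
        alert[target] = func(value) if func else value
    missing = [f for f in MANDATORY if f not in alert]
    if missing:
        raise ValueError(f"mandatory field(s) not mapped: {missing}")
    return alert


if __name__ == "__main__":
    print(json.dumps(map_alert(SAMPLE_JSON), indent=2))
```

Running the script prints the mapped alert; feeding it a body without a Description (or with a differently nested Detections object) raises the mandatory-field error, which is exactly the kind of failure worth provoking in the Testing tab before you enable the webhook.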

Testing the webhook

The Testing area lets you test the webhook's end-to-end functionality, including detailed error descriptions if the webhook isn't working.

  1. In the Testing tab, copy over the webhook URL that is displayed in the Parameters tab.
  2. Next, upload a JSON file with the relevant data.
  3. Click Run. The results display together with the output.

Configuring CrowdStrike platform

This use case takes you through the steps you need to carry out in CrowdStrike in order for the webhook to start ingesting alerts into the Google Security Operations platform.

  1. Navigate to the CrowdStrike Falcon dashboard.
  2. Navigate to the Falcon store and install the Webhooks add-on.
  3. Configure the webhook with the name and the webhook URL that you copied from the Google Security Operations platform, and click Save.
  4. Navigate to the Workflows section.
  5. Click Create a Workflow at the top right of the page.
  6. Select a trigger, such as New detection, and click Next.
  7. Select Add Action.
  8. In the Customize action section, select Notifications from the Action type menu and Call webhook from the Action menu.
  9. Select the name you added at the beginning and all necessary fields. Click Finish.