Webhooks are a lightweight solution for ingesting alerts from your
organization into the Google Security Operations SOAR platform.
Webhook-ingested alerts appear in the platform with the same information as alerts ingested using connectors.
Google recommends using either a connector or a webhook from the same source, but not both, to avoid creating duplicate cases.
Webhooks are best for scenarios that require basic mapping logic, while connectors are better for advanced and flexible mapping.
Set up a webhook to ingest alerts
The following use case focuses on using CrowdStrike as the platform
through which to ingest alerts.
To set up a webhook to ingest alerts, follow these steps:
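1. Go to SOAR Settings > Ingestion > Webhooks.
2. Click Add incoming Webhook.
3. Enter a name for the new webhook, and choose an environment.
4. Click Save. This example uses CrowdStrike. After saving, the webhook appears on the main page.
5. Copy the webhook URL and note it for later use. You'll need to enter it in the CrowdStrike platform as the webhook destination.
Note: The webhook URL appears after you save. Copy this URL immediately, as it's no longer visible once you leave the page. If you save without copying the URL, you can click Generate New URL to create a new one.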
Map data
1. In the Data Mapping section, click Upload JSON sample (use the sample taken from CrowdStrike).
2. Map the Google Security Operations fields to the corresponding fields in the CrowdStrike JSON. For example, for the mandatory Google SecOps alert field StartTime, select the CrowdStrike field Detections.Last.Update. This appears in the Expression Builder. For more information, see Use the Expression Builder. Add a function (on the side) to further refine this field, for example, Date Format.
3. Once the Detections.Last.Format appears in the Expression Builder, click Run to see the results. The Start displays with a green checkmark, indicating that the field is mapped.
4. After you map all the necessary fields, click Save and then enable the webhook.
Test the webhook
The Testing area lets you test the webhook's
end-to-end functionality, and provides detailed error descriptions.
1. In the Testing tab, copy the webhook URL.
2. Upload a JSON file with the relevant data.
3. Click Run. The results display together with the output.
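Before uploading a JSON sample for mapping or testing, you can check locally that every source path you plan to map exists in it and that the time field parses. The following is an added example, not part of the product or of the original page. The sample payload, the PlaceholderName mapping, and the function names are constructed for illustration; only StartTime and Detections.Last.Update come from the steps above.

```python
import json
from datetime import datetime, timezone

# Constructed sample; only the Detections.Last.Update path comes from the page.
SAMPLE = json.loads(
    '{"Detections": {"Last": {"Update": "2025-09-04T10:15:30Z"},'
    ' "Name": "constructed-detection"}}'
)
# Target field -> dotted source path. "PlaceholderName" is hypothetical.
MAPPING = {"StartTime": "Detections.Last.Update",
           "PlaceholderName": "Detections.Name"}
TIME_FIELDS = {"StartTime"}


def resolve(doc, path):
    """Walk a dotted path; raise KeyError naming the first missing segment."""
    node, walked = doc, []
    for part in path.split("."):
        walked.append(part)
        if not isinstance(node, dict) or part not in node:
            raise KeyError(".".join(walked))
        node = node[part]
    return node


def to_epoch_ms(value):
    """Accept ISO 8601 text or epoch seconds/milliseconds; return UTC epoch ms."""
    if isinstance(value, (int, float)):
        return int(value if value > 1e11 else value * 1000)
    dt = datetime.fromisoformat(str(value).replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)  # assumption: naive times are UTC
    return int(dt.timestamp() * 1000)


def preflight(doc, mapping=MAPPING):
    """Return (resolved_values, problems) for a sample payload."""
    resolved, problems = {}, []
    for target, path in mapping.items():
        try:
            value = resolve(doc, path)
            if target in TIME_FIELDS:
                value = to_epoch_ms(value)
        except KeyError as exc:
            problems.append(f"{target}: missing {exc.args[0]}")
            continue
        except (ValueError, TypeError):
            problems.append(f"{target}: unparseable time")
            continue
        resolved[target] = value
    return resolved, problems
```

An empty problems list means the sample carries everything the mapping references; a non-empty one names the field to fix before you upload.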
Use case: Configure the CrowdStrike platform
This use case takes you through the steps in
CrowdStrike for the webhook to start ingesting alerts into the
Google SecOps platform.
1. In the CrowdStrike Falcon dashboard, go to the Falcon store and install the Webhooks add-on.
2. Configure the webhook with the name and the webhook URL that you copied from the Google SecOps platform and click Save.
3. Go to the Workflows section.
4. Click Create a Workflow.
5. Select a trigger, such as New detection, and click Next.
6. Select Add Action.
7. In the Customize action section, select Notifications from the Action type menu and select Call webhook from the Action menu.
8. Select the name you added in the initial step and all necessary fields, and then click Finish.
Last updated 2025-09-04 UTC.