In the following use case, we will focus on ingesting Traceable alerts into Siemplify using a Webhook.
Please note that in Phase One, the following Siemplify Webhook features are disabled:
* Logs
* JSON Mapper
* Use Webhook Data
* JSON Path
To set up a Webhook to ingest alerts:
- Navigate from the gear icon to Webhooks.
- Click the plus icon at the top left and create a new Webhook. In this example, we will be using Traceable.
- After saving, the Webhook appears on the main screen.
- Copy the Webhook URL, as you will need to enter it in the Traceable platform as the Webhook destination.
Note that the URL is no longer visible once you save the Webhook, which is why we recommend copying it as soon as you create the Webhook. That said, if you save without copying, you can always generate a new URL using the Refresh URL option.
- In the Data Mapping section, select Upload JSON sample. (You will have taken this sample from Traceable.)
- The next stage is to map the Siemplify fields to the corresponding fields in the Traceable JSON data shown on the right hand side of the screen. Take the mandatory Siemplify alert field Start Time as an example: select it, then choose Detections.Last.Update. This appears in the Expression Builder below. For more information on how the Expression Builder works, refer to Using the Expression Builder.
- You can further refine this field by adding a function on the right hand side, for example Date Format.
- Once the Detections.Last.Format expression appears in the Expression Builder, you can click Run to see the Results below.
Note that this is all you need to do to map a field. You can now select another Siemplify alert field, and Start Time will display with a green tick to show that it is mapped.
- Once you have mapped all the fields you need, make sure to Save and then Enable the Webhook.
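The mapping step described above, as an added example that is not part of the original page and not Siemplify's or Traceable's code: a small Python resolver that walks a dotted JSON path such as Detections.Last.Update against a Traceable-style alert, applies a stand-in for the Date Format function, and reports a missing mandatory field the way the Testing area's error descriptions do. The alert structure, the epoch-millisecond timestamp and the mapping format are constructed assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed Traceable-like alert (only the Detections.Last.Update path is from the
# page; the rest of the structure and the epoch-millisecond format are assumed).
SAMPLE_ALERT = '{"Detections": {"Last": {"Update": 1700000000000}, "Name": "Bot login"}}'

# Siemplify alert field -> (JSON path, optional function); hypothetical shape.
MAPPING = {
    "Start Time": ("Detections.Last.Update", "Date Format"),
    "Name": ("Detections.Name", None),
    "Description": ("Detections.Description", None),  # absent in the sample
}
MANDATORY = {"Start Time"}


def resolve_path(obj, path):
    """Walk a dotted path such as Detections.Last.Update; None if any key is absent."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def apply_function(value, func):
    """Stand-in for the Date Format function: epoch milliseconds -> ISO-8601 UTC."""
    if func == "Date Format":
        return datetime.fromtimestamp(value / 1000, tz=timezone.utc).isoformat()
    return value


def map_alert(raw_json, mapping=MAPPING):
    """Return (mapped fields, error descriptions), like the Testing area's Run output."""
    data = json.loads(raw_json)
    mapped, errors = {}, []
    for field, (path, func) in mapping.items():
        value = resolve_path(data, path)
        if value is None:
            if field in MANDATORY:
                errors.append(f"mandatory field '{field}': path '{path}' not found")
            continue
        try:
            mapped[field] = apply_function(value, func)
        except (TypeError, ValueError, OSError) as exc:
            errors.append(f"field '{field}': {func} failed on {value!r}: {exc}")
    return mapped, errors
```

An optional field missing from the sample is simply skipped, while a missing or unparseable mandatory field produces an error entry instead of a half-mapped alert.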
Testing the Webhook
The Testing area lets you test the Webhook end to end, including detailed error descriptions if the Webhook isn't working.
- In the Testing section, copy over the Webhook URL that displays in the Parameters section.
- Next, upload a JSON file with the relevant data.
- Click Run. The results display below together with the output.
Configuring Traceable Platform
Now that all the components are configured, we can create a channel to push notifications from the Traceable UI. First, open the user menu in the top right and click "Administration"; from there, click "Notifications" on the left hand side.
- Create a channel; this gives Traceable an avenue to push notifications.
- Configure the Webhook with a name and the Webhook URL that you copied over from the Siemplify platform, entering it under the "custom webhook" field, and click Save.
- The last step is to create a notification. This controls what sort of events are pushed to Siemplify. Be sure to select the channel you created in the previous step under "Who should receive this notification", as outlined in the screenshot below.