Ingested phishing email data using a SOAR webhook
It created a simple event with all the JSON fields, like json.headers.
How do I extract fields and create entities out of it?
Hello @kaushalpatel,
Looks like you are using the native SOAR webhook ingestion method. Note that after you ingest your first alert, you will need to set up the ontology for these types of events to extract what will be the entities, which you can later enrich using playbooks. You can read more about this specific process here.
This process is not retroactive; only alerts ingested after the ontology setup is completed will be parsed.
If I understand correctly, you're either looking to integrate an email gateway using a webhook or to ingest emails directly into SOAR.
If you're ingesting logs from an email gateway, ensure that the appropriate parser is assigned to handle those logs effectively.
If you choose to ingest emails via a webhook, you'll need to set up a parser to extract the relevant entities (like IP addresses, usernames, URLs, etc.) from the incoming events. Once your parser is configured to extract these entities, SecOps will automatically identify and create entities as needed.
However, if your goal is to ingest emails from a mailbox into SOAR, I'd recommend using a connector, as it can automatically create cases for each ingested email, and there you can control entities in a more efficient way. It will create all possible entities automatically. You can use the IOC Extraction action to create entities from the mail body as well.
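To make concrete what the two replies above describe (an ontology-style mapping of JSON fields to entity types, plus IOC extraction over the free-text mail body), here is an added, stand-alone illustration. It is not Google SecOps/SOAR code and does not use any product API: the sample event, its field names and the FIELD_MAP dictionary are constructed for this example, and the entity type names (USER, ADDRESS, URL, HOSTNAME, FILEHASH) are only labels. In the product the equivalent mapping lives in the ontology configuration and applies only to alerts ingested after it is set up.

```python
import ipaddress
import json
import re
from typing import Any, Dict, Iterator, List, Tuple
from urllib.parse import urlparse

# Constructed sample: a raw phishing alert roughly as a webhook would hand it
# to SOAR. Field names are hypothetical, not any vendor's real schema.
SAMPLE_EVENT: Dict[str, Any] = json.loads(r'''
{
  "alert_id": "abc-123",
  "headers": {
    "from": "billing@paypa1-secure.example",
    "to": "kaushal@corp.example",
    "received_from_ip": "203.0.113.45",
    "subject": "Invoice overdue"
  },
  "attachments": [
    {"name": "invoice.pdf",
     "sha256": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"}
  ],
  "body_text": "Please review at hxxps://paypa1-secure[.]example/login?id=42 or call 10.0.0.1"
}
''')

# Ontology-style mapping of flattened JSON paths to entity types. This is the
# part the ontology setup does in the product; here it is a plain dict
# (hypothetical). '[]' marks "each element of this list".
FIELD_MAP: Dict[str, str] = {
    "headers.from": "USER",
    "headers.to": "USER",
    "headers.received_from_ip": "ADDRESS",
    "attachments[].sha256": "FILEHASH",
}

URL_RE = re.compile(r"\bhttps?://[^\s\"'<>]+", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[a-fA-F0-9]{64}\b")


def flatten(obj: Any, prefix: str = "") -> Iterator[Tuple[str, Any]]:
    """Yield (dotted_path, leaf) for every scalar in a nested JSON value."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from flatten(value, f"{prefix}.{key}" if prefix else key)
    elif isinstance(obj, list):
        for item in obj:
            yield from flatten(item, f"{prefix}[]")
    else:
        yield prefix, obj


def refang(text: str) -> str:
    """Undo common defanging so the IOC regexes see real URLs and hosts."""
    text = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", text)
    return re.sub(r"hxxp", "http", text, flags=re.IGNORECASE)


def extract_entities(event: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Return sorted, de-duplicated (entity_type, identifier) pairs."""
    found = set()

    # 1. Structured fields: whatever the mapping says is an entity.
    for path, value in flatten(event):
        etype = FIELD_MAP.get(path)
        if etype and isinstance(value, str) and value.strip():
            ident = value.strip()
            if etype == "FILEHASH":
                ident = ident.lower()          # normalise so hash lookups match
            found.add((etype, ident))

    # 2. Free text: what an IOC-extraction step does on the mail body.
    body = refang(str(event.get("body_text", "")))
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;:)]")              # strip trailing prose punctuation
        found.add(("URL", url))
        host = urlparse(url).hostname
        if host:
            found.add(("HOSTNAME", host))
    for raw_ip in IPV4_RE.findall(body):
        try:
            addr = ipaddress.ip_address(raw_ip)
        except ValueError:
            continue                           # e.g. 999.1.1.1 or a version string
        if addr.is_private or addr.is_loopback or addr.is_multicast:
            continue                           # internal addresses are noise for enrichment
        found.add(("ADDRESS", raw_ip))
    for digest in SHA256_RE.findall(body):
        found.add(("FILEHASH", digest.lower()))

    return sorted(found)


if __name__ == "__main__":
    for etype, ident in extract_entities(SAMPLE_EVENT):
        print(f"{etype:9} {ident}")
```

Running it on the constructed event yields six entities: the two mailbox users, the sending IP from the headers, the attachment hash (lower-cased), and the refanged URL plus its hostname from the body; the RFC 1918 address in the body is dropped so it does not get sent to reputation enrichment. Whatever the product's real parser produces, the entities it creates are what URL and hash enrichment actions in a playbook operate on, so the mapping needs to be in place before the alerts you want enriched arrive.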
I use the Material Security email phishing detection platform.
I ingest cases via webhook, but it just creates an alert with the raw JSON and does not show any entities in the alert.
So I'm looking for a way to create the entities using any playbook action, as the raw event JSON fields can't be used to enrich a URL or hash without the actual entity details.