Webhook Triggers
Webhook triggers filter the threat intelligence entities that need to be tracked for event changes such as Create, Update, and Delete.
Before you begin
Role required: sn_sec_tisc.admin
Procedure
- Navigate to All > Threat Intelligence Security Center > Administration.
- Select Webhooks Configurations > Triggers.
  The Webhooks Triggers page displays.
- Click New.

| Field | Description |
|---|---|
| Name | Enter a webhook trigger name. |
| Description | Add the description of the webhook trigger. |
| Table | Select the table for the webhook trigger. |
| Trigger Type | Defines whether the configured webhook trigger fires on the create, update, or delete event on the specified table. |
| Trigger Fields | Displayed only when the Trigger Type is Update. The list of fields on the record for which the update event is tracked. If this is empty, the event is considered for any field change on the record. For example, if the trigger fields are Confidence and Reputation for the Observables table, the trigger fires only when the confidence or reputation field is updated. Note: Fields selected in Exclusion Fields are not available for selection in Trigger Fields. |
| Exclusion Fields | The set of fields that are excluded from the webhook trigger payload. Not visible when the Trigger Type is Delete. |
| Filter Conditions | Optional conditions that filter the matched records for any event trigger. For example, if the condition is threat severity is high and the Trigger Type is Update on the Observable table, only those observables that are changed and whose threat severity is high are sent to the webhook URL. |

- Click Save.
  By default, the trigger is created in the disabled state.
- Click Enable to enable the trigger. An enabled trigger is available for webhooks to subscribe to.
  Note: Click Disable to disable an enabled trigger. Disabling unsubscribes all associated webhooks from this trigger.
- Click View Sample Payload to select the record.
  This shows the sample payload of that particular webhook trigger. Based on the selected table, records from that table populate the Select Record drop-down list. Select a record to view its sample payload, which is shown in JSON format. The fields in the payload are listed below.
- Select the type of record from the drop-down list.
  The payload changes automatically based on the record selected.
```json
{
  "record": "Observable",
  "record_fields": {
    "additional_context": "This could be a potential malicious IP. ",
    "attack_phases": "Lockheed Martin: Command and Control",
    "author": "Anomali",
    "confidence": "50",
    "description": "This could be a potential malicious IP. ",
    "expiration_time": "2024-12-01T00:00:00.000Z",
    "first_observed": "2024-01-01T00:00:00.000Z",
    "first_seen": "2024-01-01T00:00:00.000Z",
    "id": "ipv4-addr--70526b0a436a02102164e0ea78b8f210",
    "is_defanged": "false",
    "is_false_positive": "false",
    "last_observed": "2024-01-01T00:00:00.000Z",
    "last_seen": "2024-01-01T00:00:00.000Z",
    "reputation": "suspicious",
    "source_count": "1",
    "status": "active",
    "sys_created_by": "SecCommon.System",
    "sys_created_on": "2024-06-04T00:00:00.000Z",
    "sys_id": "30526b0a436a02102164e0ea78b8f210",
    "sys_updated_by": "system",
    "sys_updated_on": "2024-06-15T00:00:00.000Z",
    "tags": "critical",
    "taxonomies": "MITRE: T121",
    "threat_level": "medium",
    "threat_score": "24",
    "threat_severity": "medium",
    "tlp": "CLEAR",
    "type": "ip_v4_address",
    "usage_categories": "APT",
    "value": "116.98.170.70"
  },
  "trigger": {
    "name": "Observable Update",
    "type": "UPDATE",
    "trigger_time": "2024-07-26T07:27:29.000Z",
    "trigger_fields": [
      {
        "field_name": "confidence",
        "previous_value": "30",
        "current_value": "50"
      }
    ]
  }
}
```

Table 1. List of parameters in the trigger payload

| Parameter in Trigger Payload | Type | Description |
|---|---|---|
| record | String | Specifies the record type, such as Observable or Indicator. |
| record_fields | Object | Snapshot of the record fields at the time the event is generated. For the list of supported fields, refer to Table 2 below. |
| trigger | Object | The matched trigger information. |
| trigger.name | String | The name of the trigger. |
| trigger.type | String | The type of the trigger. Valid values are CREATE, UPDATE, DELETE. |
| trigger.trigger_time | Date (ISO format, UTC timezone) | The time the event occurred on the record. |
| trigger_fields | Array of Objects | Available only for the UPDATE trigger type. The list of trigger fields that changed as part of the event. Each object contains field_name (the name of the field that changed), previous_value (the previous value of the field), and current_value (the current value of the field). |
Table 2. List of supported fields for Create and Update Triggers

| Table | Column Name | Column Label |
|---|---|---|
| Campaign | aliases | Aliases |
| Campaign | description | Description |
| Campaign | first_seen | First Seen |
| Campaign | last_seen | Last Seen |
| Campaign | name | Name |
| Campaign | objective | Objective |
| Indicator | additional_context | Additional Context |
| Indicator | attack_phases | Attack Phases |
| Indicator | author | Author |
| Indicator | confidence | Confidence |
| Indicator | description | Description |
| Indicator | expiration_time | Expiration Time |
| Indicator | first_detected | First Detected |
| Indicator | first_observed | First Observed |
| Indicator | first_seen | First Seen |
| Indicator | id | ID |
| Indicator | indicator_types | Indicator Types |
| Indicator | ioc_classification | IOC Classification |
| Indicator | last_observed | Last Observed |
| Indicator | last_seen | Last Seen |
| Indicator | name | Name |
| Indicator | pattern | Pattern |
| Indicator | pattern_type | Pattern type |
| Indicator | pattern_version | Pattern Version |
| Indicator | platforms | Platforms |
| Indicator | revoked | Revoked |
| Indicator | source_count | No of Sources |
| Indicator | spec_version | Spec Version |
| Indicator | status | Status |
| Indicator | tags | TISC Tags |
| Indicator | taxonomies | Taxonomies |
| Indicator | threat_level | Threat Level |
| Indicator | threat_severity | Threat Severity |
| Indicator | tlp | TLP |
| Indicator | usage_categories | Usage Categories |
| Indicator | valid_from | Valid From |
| Indicator | valid_until | Valid Until |
| Malware | aliases | Aliases |
| Malware | attack_phases | Attack Phases |
| Malware | description | Description |
| Malware | executable_process_architectures | Process Architectures |
| Malware | first_seen | First Seen |
| Malware | implementation_languages | Implementation Languages |
| Malware | is_family | Is Family |
| Malware | last_seen | Last Seen |
| Malware | malware_capabilities | Malware Capabilities |
| Malware | malware_types | Malware Types |
| Malware | name | Name |
| Object (Common Object Fields) | additional_context | Additional Context |
| Object (Common Object Fields) | confidence | Confidence |
| Object (Common Object Fields) | expiration_time | Expiration Time |
| Object (Common Object Fields) | id | ID |
| Object (Common Object Fields) | revoked | Revoked |
| Object (Common Object Fields) | source_count | No of Sources |
| Object (Common Object Fields) | spec_version | Spec Version |
| Object (Common Object Fields) | status | Status |
| Object (Common Object Fields) | tags | TISC Tags |
| Object (Common Object Fields) | taxonomies | Taxonomies |
| Object (Common Object Fields) | threat_level | Threat Level |
| Object (Common Object Fields) | threat_severity | Threat Severity |
| Object (Common Object Fields) | tlp | TLP |
| Observable | additional_context | Additional Context |
| Observable | attack_phases | Attack Phases |
| Observable | author | Author |
| Observable | confidence | Confidence |
| Observable | description | Description |
| Observable | expiration_time | Expiration Time |
| Observable | first_observed | First Observed |
| Observable | first_seen | First Seen |
| Observable | id | ID |
| Observable | is_defanged | Is Defanged |
| Observable | is_false_positive | Is False Positive |
| Observable | last_observed | Last Observed |
| Observable | last_seen | Last Seen |
| Observable | reputation | Reputation |
| Observable | source_count | No of Sources |
| Observable | status | Status |
| Observable | tags | TISC Tags |
| Observable | taxonomies | Taxonomies |
| Observable | threat_level | Threat Level |
| Observable | threat_score | Threat Score |
| Observable | threat_severity | Threat Severity |
| Observable | tlp | TLP |
| Observable | type | Type |
| Observable | usage_categories | Usage Categories |
| Observable | value | Value |
| Threat Actor | aliases | Aliases |
| Threat Actor | description | Description |
| Threat Actor | first_seen | First Seen |
| Threat Actor | goals | Goals |
| Threat Actor | last_seen | Last Seen |
| Threat Actor | name | Name |
| Threat Actor | personal_motivations | Personal Motivations |
| Threat Actor | primary_motivation | Primary Motivation |
| Threat Actor | resource_level | Resource Level |
| Threat Actor | secondary_motivations | Secondary Motivations |
| Threat Actor | sophistication | Sophistication |
| Threat Actor | threat_actor_roles | Threat Actor Roles |
| Threat Actor | threat_actor_types | Threat Actor Types |
| Threat Report | description | Description |
| Threat Report | name | Name |
| Threat Report | published | Published |
| Threat Report | report_types | Report Types |
| Vulnerability | affected_software | Affected Software |
| Vulnerability | description | Description |
| Vulnerability | exploitation_status | Exploitation Status |
| Vulnerability | exploit_exists | Exploit Exists |
| Vulnerability | name | Name |
| Vulnerability | published | Published |
| Vulnerability | record_last_modified | Record Last Modified |
| Vulnerability | severity | Severity |

The following system fields are common to every entity and are supported in the Webhook Trigger Payload for Create and Update triggers.
- sys_id (Sys ID)
- sys_created_on (Created)
- sys_created_by (Created By)
- sys_updated_on (Updated)
- sys_updated_by (Updated By)
Note: For Delete, only sys_id (Sys ID) is sent to the webhook endpoint URL as part of the payload; the other system fields are not supported.

Table 3. List of supported fields for Delete Trigger

| Table | Column Name | Column Label |
|---|---|---|
| Observable | type | Type |
| Observable | value | Value |
| Indicator | name | Name |
| Indicator | pattern | Pattern |
| Indicator | pattern_type | Pattern type |
| Indicator | valid_from | Valid from |
| Campaign | name | Name |
| Malware | is_family | Is family |
| Malware | name | Name |
| Threat Actor | name | Name |
| Threat Report | name | Name |
| Threat Report | published | Published |
| Vulnerability | name | Name |
| Vulnerability | severity | Severity |
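As an added example (not part of this documentation or the product's own code), a Python consumer that parses trigger payloads of all three types, copes with the reduced DELETE payload, and flags UPDATE events in which the confidence value crossed a threshold. The sample payloads are constructed; the DELETE shape (record_fields holding sys_id plus the Table 3 columns), the IP address, and the function names are assumptions.

```python
import json
from dataclasses import dataclass, field
VALID_TYPES = {"CREATE", "UPDATE", "DELETE"}
# Constructed sample payloads shaped like the page's Observable example (203.0.113.10 is a documentation address).
UPDATE_PAYLOAD = json.dumps({
    "record": "Observable",
    "record_fields": {"sys_id": "30526b0a436a02102164e0ea78b8f210", "type": "ip_v4_address",
                      "value": "203.0.113.10", "confidence": "50", "threat_severity": "high"},
    "trigger": {"name": "Observable Update", "type": "UPDATE",
                "trigger_time": "2024-07-26T07:27:29.000Z",
                "trigger_fields": [{"field_name": "confidence",
                                    "previous_value": "30", "current_value": "50"}]}})
# Assumed DELETE shape: record_fields carries only sys_id plus the Table 3 columns.
DELETE_PAYLOAD = json.dumps({
    "record": "Observable",
    "record_fields": {"sys_id": "30526b0a436a02102164e0ea78b8f210",
                      "type": "ip_v4_address", "value": "203.0.113.10"},
    "trigger": {"name": "Observable Delete", "type": "DELETE",
                "trigger_time": "2024-07-27T09:00:00.000Z"}})

@dataclass
class TriggerEvent:
    record: str        # e.g. "Observable"
    trigger_type: str  # CREATE, UPDATE or DELETE
    trigger_time: str  # ISO-8601 UTC string, kept as sent
    sys_id: str
    fields: dict       # record_fields snapshot as delivered
    changes: dict = field(default_factory=dict)  # field_name -> (previous, current)

def parse_trigger_event(raw: str) -> TriggerEvent:
    body = json.loads(raw)
    trig = body["trigger"]
    ttype = trig["type"]
    if ttype not in VALID_TYPES:
        raise ValueError(f"unknown trigger type {ttype!r}")
    fields = body.get("record_fields") or {}
    if "sys_id" not in fields:  # sys_id is the one system field sent for every type
        raise ValueError("payload missing record_fields.sys_id")
    changes = {}
    if ttype == "UPDATE":  # trigger_fields is documented for UPDATE only
        for ch in trig.get("trigger_fields", []):
            changes[ch["field_name"]] = (ch.get("previous_value"), ch.get("current_value"))
    return TriggerEvent(body["record"], ttype, trig["trigger_time"], fields["sys_id"], fields, changes)

def confidence_crossed(event: TriggerEvent, threshold: int) -> bool:
    # True only when an UPDATE raised confidence from below to at or above threshold.
    if event.trigger_type != "UPDATE" or "confidence" not in event.changes:
        return False
    prev, cur = (str(v or "") for v in event.changes["confidence"])  # values arrive as strings
    return prev.isdigit() and cur.isdigit() and int(prev) < threshold <= int(cur)
```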