Webhook integration is available for enterprise plans only.
You can create a custom webhook that receives Intezer Protect events and forward those events to another application such as SIEM, ticket management, or custom app.
The following Intezer Protect events can be exported via webhook:
- Alerts
Overview
After configuring the webhook, when Intezer Protect generates an alert, it automatically sends that alert to the URL endpoint you configure in the webhook. Intezer Protect sends an HTTP POST request with the payload in json format as shown in the following example:
{
"alert_id": "3a92fc3f-cfe5-4e95-b99b-164a42f59386",
"alert_type": "suspicious_command",
"severity": "medium",
"alert_details": {
"command": "nc"
},
"assets": [
{
"asset_id": "42d18e35-657a-4f87-8a75-6a0491cbbeda",
"hostname": "aks-workers-123456-vmss000000"
}
],
"process_details": {
"pid": 1337,
"ppid": 1,
"file_path": "/usr/bin/nc",
"command_line": "nc -kl -p 1337 -e echo",
"container_id": "388eac389f02a07d0c6b23062c5d44df3522440455c81a7b65bf0cad554a9733",
"container_name": "my_container",
"image_name": "my_image",
"pod_name": "my_pod",
"kubernetes_namespace": "kubernetes_namespace1"
},
"lotl_tactics": [
{
"name": "Exfiltration",
"link": "<https://attack.mitre.org/tactics/TA0010/>"
},
{
"name": "Command and Control",
"link": "<https://attack.mitre.org/tactics/TA0011/>"
}
],
"lotl_techniques": [
{
"name": "Exfiltration Over Alternative Protocol",
"link": "<https://attack.mitre.org/techniques/T1048/>"
},
{
"name": "Non-Application Layer Protocol",
"link": "<https://attack.mitre.org/techniques/T1095/>"
}
],
"created_at": "2021-05-13T14:30:33.392622",
"created_at_timestamp": 1620905433.392622,
"alert_url": "<https://protect.intezer.com/b5f37b90-f4a9-4b94-8b6c-b1617294ac38/alerts/3a92fc3f-cfe5-4e95-b99b-164a42f59386>"
}
The following table describes Intezer Protect payload elements:
| Field Name | Description | Type | Possible Values |
| alert_id | A unique identifier for the alert | string (uuid) | |
| alert_type | The type of the alert | string |
malicious_code fileless_malware suspicious_command |
| severity | The severity of the alert | string |
low medium high severe |
| alert_details.family | The associated malware family in case of a malware attack. Available only in malicious_code and fileless_malware alerts | string | |
| alert_details.command | The suspicious command triggered opening the alert. Available only in suspicious_command alert | string | |
| assets_details | A list of assets relevant to the alert opened | array | |
| asset_details.asset_id | A unique identifier of the asset | string (uuid) | |
| asset_details.hostname | The hostname of the asset | string | |
| created_at | An iso8601 format string of the time when the alert was created (in UTC) | string | |
| alert_url | A url that opens the alert in Intezer Protect | string | |
| process_details.pid | the pid of the process being alerted on | integer | |
| process_details.ppid | The ppid of the process being alerted on | integer | |
| process_details.file_path | The file_path of the process being alerted on | string | |
| pocess_details.command_line | The command line of the process being alerted on | string | |
| process_details.container_id | The container id in which the process being alerted on ran (optional) | string | |
| process_details.container_name | The container name in which the process being alerted on ran (optional) | string | |
| process_details.image_name | The image name of the container in which the alerting process ran on (optional) | string | |
| process_details.pod_name | Kubernetes pod name of the container in which the alerting process ran on (optional) | string | |
| process_details.kubernetes_namespace | The Kubernetes namespace the asset belongs to (optional) | string | |
| lotl_tactics.name | The name of the lotl tactic being used here (optional, usually MITRE tactic) | string | |
| lotl_tactics.link | A url leading to further explanation about the lotl tactic (optional) | string | |
| lotl_techniques.name | The name of the lotl technique being used here (optional, usually MITRE technique) | string | |
| lotl_techniques.link | A url leading to further explanation about the lotl technique (optional) | string |
Set up the Integration
Integration can be set up in the settings page.
Note:
It's required to allow the following IPs to set up this integration -
54.80.156.223
54.196.73.237
54.196.73.35