If you want to get email notifications from Intezer about escalated threats, you can read more about setting up or customizing your email notification settings here.
This article will walk you through the process of integrating Intezer's Webhook functionality, enabling you to streamline the delivery of triage results. By leveraging webhooks, you can receive real-time notifications of triage results and enhance your incident response capabilities.
What are Webhooks and the Benefit for Triage and Threat Escalation?
Webhooks are a mechanism that allows instant communication between applications. They facilitate the transmission of data and notifications from one system to another when specific events occur. By using webhooks for triage results delivery, you can enjoy several benefits, including:
- Real-time Notifications: Receive immediate updates on triage results, ensuring prompt awareness of identified threats.
- Streamlined Incident Response: Leverage real-time data to expedite your incident response processes and mitigate risks efficiently for escalated threats.
When Does Intezer Send Webhook Messages?
Intezer's system automatically sends a webhook message when predefined criteria are met. By default, only unmitigated threats with high or critical risk levels are escalated via webhook.
Each organization has unique requirements, so you can customize the webhook settings and select additional risk levels to be notified on, aligning the integration with your specific needs. For example, you may select all risk levels in order to be notified on every triage result.
Message Format and Delivery
Intezer's system will send HTTP POST requests to the provided Webhook URL whenever a new triage result is available. The payload of the POST request will be in JSON format and will contain relevant information about the triage result.
HTTP method: POST
Headers:
Content-Type: application/json
Authorization: <Optional Authorization header value>
Body example:
Setting Up Intezer's Webhook Integration
To initiate the setup of the Webhook Integration, send an email to Intezer's support team at support@intezer.com. Include the following details:
- Webhook URL: Specify the URL where you want to receive triage results notifications. Ensure the endpoint is accessible and capable of handling incoming requests.
- Optional Authorization Header: If required, include an authorization header to authenticate the incoming requests and ensure secure communication.
In addition, if you wish to adjust the default notification criteria, you can specify this in the email request.
Security Considerations
As you configure the Webhook integration, it is important to prioritize security. Here are some recommended security practices:
- Secure Connection: Use HTTPS for secure communication between Intezer and your endpoint.
- Authorization Header: Utilize an authorization header to validate the authenticity of the incoming notifications.
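The receiving side of the integration described above (a POST with a JSON body, a Content-Type header and an optional Authorization header) with the two security practices applied, as an added example that is not Intezer's code. It assumes the Authorization value is a shared secret you sent to support, that TLS is terminated in front of this process, and that the payload carries the risk_category and alert_verdict fields listed under "Expected response".

```python
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed for this example: the value you asked Intezer support to send in the
# optional Authorization header. Load it from a secret store in a real deployment.
EXPECTED_AUTHORIZATION = "Bearer example-shared-secret"

# Assumed routing rule: which risk_category values your team treats as escalations.
ESCALATE_ON = {"critical", "generic_threat", "to_investigate"}


def handle_webhook(headers, body, expected_auth=EXPECTED_AUTHORIZATION):
    """Validate one incoming POST; return (http_status, parsed_payload_or_None)."""
    # Constant-time comparison so a wrong token cannot be narrowed down via timing.
    provided = headers.get("Authorization", "")
    if not hmac.compare_digest(provided.encode(), expected_auth.encode()):
        return 401, None
    # Intezer posts JSON; reject anything else before parsing.
    if not headers.get("Content-Type", "").startswith("application/json"):
        return 415, None
    try:
        payload = json.loads(body)
    except ValueError:
        return 400, None
    if not isinstance(payload, dict):
        return 400, None
    return 200, payload


def should_escalate(payload):
    """Decide escalation from risk_category (field name assumed from the field list)."""
    return payload.get("risk_category") in ESCALATE_ON


class WebhookHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length)
        status, payload = handle_webhook(self.headers, body)
        if payload is not None and should_escalate(payload):
            # Hand off to your incident response tooling here.
            print("escalate:", payload.get("alert_verdict"))
        self.send_response(status)
        self.end_headers()


if __name__ == "__main__":
    # Bind locally; a TLS-terminating reverse proxy exposes this over HTTPS.
    HTTPServer(("127.0.0.1", 8080), WebhookHandler).serve_forever()
```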
Expected response
💡Learn more about the available fields in the API docs page
response_status: resolved_as_false_positive, resolved_as_true_positive, remediated, requires_user_action, escalated, follow_up_required, no_action_needed
risk_category: false_positive, unwanted_software, suspicious_activity, to_investigate, generic_threat, critical, inconclusive, audited
alert_verdict: confirmed_threat, memory_threat, confirmed_riskware, likely_true_positive, unrecognized_software, suspicious_behavior, suspicious_script, blocklisted_software, custom_rule, false_positive, endpoint_offline, file_not_accessible, file_password_protected, technical_issue_integration, technical_issue_service, alert_not_supported, testing_activity, inconclusive, audited