Ingested phishing email data using soar webhook
It created the simple event with all the json fields like json.headers
How to extract fields and create entities out of it ?
Solved
create entities from data ingested via webhook
+5Best answer by rodSOAR
Hello @kaushalpatel,
Looks like you are using the native to SOAR webhook ingestion method. Note that after you ingest your first alert, you will need to setup the ontology for these types of events to extract what would be the entities which you can later enrich using playbooks. You can read more about this specific process here.
This process is not retroactive, only alerts ingested after the ontology setup is completed will be parsed.
- Silver 2
If I understand correctly, you're either looking to integrate an email gateway using a webhook or ingest emails directly into SOAR.
If you're ingesting logs from an email gateway, ensure that the appropriate parser is assigned to handle those logs effectively.
If you choose to ingest emails via a webhook, you'll need to set up a parser to extract relevant entities (like IP addresses, usernames, URLs, etc.) from the incoming events. Once your parser is configured to extract these entities, SecOps will automatically identify and create entities as needed.
However, if your goal is to ingest emails from a mailbox into SOAR, I'd recommend using a connector, as it can automatically create cases for each ingested email and there you can control entities more efficient way. It will create all possible entities automatically. You can use IOC Extraction Action to create entities from mail body as well.
+5i use the material security email phishing detection platform.
i ingest cases via webhook. but it just create alert with the raw json and not showing any entities in the alert.
so looking a way to create the entity using any playbook action. as the raw event json fields can't be used to enrich url and hash without the actual entity details
+1Hello @kaushalpatel,
Looks like you are using the native to SOAR webhook ingestion method. Note that after you ingest your first alert, you will need to setup the ontology for these types of events to extract what would be the entities which you can later enrich using playbooks. You can read more about this specific process here.
This process is not retroactive, only alerts ingested after the ontology setup is completed will be parsed.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.