Question

How to map the payload field to the SOAR Webhook Fields in Google SecOps SOAR? (Severity Mapping, Nested IfElse, and Storing Full JSON)

  • November 18, 2025
  • 2 replies
  • 55 views

jaymin

I need to create a webhook to ingest the alerts from my platform.

I have a few questions regarding the field-mapping capabilities:

  1. Mapping Severity:
    In the mapping section I didn’t see the alert severity field. I need to map that field from my JSON payload.

  2. Nested If-Else Support:
    Does the Expression Builder support nested if-else conditions?
    Something like:

    IF(condition1, IF(condition2, valueA, valueB), valueC )

  3. Combining fields:
    Also, can I combine a few of the fields from my payload, like classification, id and timestamp, to create the alert title? e.g. suspicious 1.2.3.4 at time.

  4. Store Full JSON Response:
    Is there any method to store or dump the entire webhook JSON payload into a field inside the Event object?
    This would allow me to reference additional fields later inside playbooks, even if they aren’t individually mapped during ingestion.

Any guidance or best practices on how to achieve these mappings would be greatly appreciated!

2 replies

kentphelps
Staff
  • Staff
  • December 1, 2025

jaymin
  • Author
  • Bronze 5
  • December 8, 2025

Hi @kentphelps

Thanks for the response and the documentation links!

I was able to successfully map the **rawEvent** data in the Alert, which addresses point #4. However, I'm still facing challenges with the other points:

---

### 1. Missing Field Mappings in Webhook Configuration

In the Alert object, I can see several fields that I'd like to populate:
- Severity
- Product Name
- Risk Score
 

However, these fields don't appear in the webhook field mapping options. Are these fields supported for webhook mapping? If so, how can I access them?

This is especially important for **Severity** mapping since I need to set alert priority based on my payload's `classification` field.

---

### 2. Nested If-Else in Expression Builder

The documentation mentions `IfThenElse` support, but I couldn't find specific guidance on **nested conditions** for webhook field mappings.

I'm trying to map severity based on the `classification` field from my payload using nested `IfThenElse` like this:

```
classification | ifthenelse("=","malicious","CRITICAL", ifthenelse("=","suspicious","HIGH", ifthenelse("=","benign","MEDIUM", ifthenelse("=","unknown","LOW","NONE"))))
```

**Expected behavior:** Map classification values to severity levels:
- `malicious` → `CRITICAL`
- `suspicious` → `HIGH`
- `benign` → `MEDIUM`
- `unknown` → `LOW`

**Actual result:** Returns `[object Object]` instead of the expected string value.

Is nested `IfThenElse` supported in webhook expression mappings? If not, is there an alternative approach to achieve this multi-condition mapping?

---

### 3. Combining Multiple Fields for Alert Name / Rule ID

I'd like to combine multiple payload fields to create a custom **Alert Name** or **Rule ID**. For example:

```
"[Platform] {classification} activity detected from {ip} at {timestamp}"
```

This would help me:
- Easily identify alerts from this specific webhook integration
- Trigger custom playbooks based on a naming convention or prefix

Is there a way to concatenate multiple fields in the expression builder? Something like:
```
"[Platform] " + classification + " - " + ip
```

---

Any guidance on these specific webhook mapping capabilities would be greatly appreciated!

Thanks!
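The thread does not arrive at a working nested `IfThenElse` or concatenation expression, so one practical alternative is to flatten the payload before it reaches the webhook: compute `severity`, the alert name and a `raw_event` copy of the full JSON at the source (or in a small relay), so the SOAR side is reduced to a plain 1:1 field mapping. The Python below is an added example, not code from the original thread or from Google SecOps SOAR; it assumes the sending platform can run a transform, and the target field names (`severity`, `alert_name`, `rule_id`, `product_name`, `raw_event`), the `[Platform]` prefix and the sample payload are all assumptions.

```python
"""Pre-flatten a platform alert before POSTing it to a SOAR webhook.

Added example, not Google SecOps SOAR code. Assumes the platform (or a relay)
can transform the JSON before sending, and that the SOAR webhook maps flat
top-level keys 1:1. All target field names below are assumed.
"""
import json
from datetime import datetime, timezone

# Classification -> severity, the same table the thread's nested IfThenElse encodes.
SEVERITY_BY_CLASSIFICATION = {
    "malicious": "CRITICAL",
    "suspicious": "HIGH",
    "benign": "MEDIUM",
    "unknown": "LOW",
}
DEFAULT_SEVERITY = "NONE"      # innermost else-branch of the thread's expression
SOURCE_PREFIX = "[Platform]"   # assumed prefix so playbook triggers can match on it


def severity_for(classification):
    """Nested IfThenElse equivalent: case-insensitive, whitespace-tolerant, default NONE."""
    if classification is None:
        return DEFAULT_SEVERITY
    key = str(classification).strip().lower()
    return SEVERITY_BY_CLASSIFICATION.get(key, DEFAULT_SEVERITY)


def iso_timestamp(value):
    """Normalise epoch seconds/milliseconds or ISO strings to UTC ISO-8601.

    Unparseable strings are returned unchanged rather than dropped, so the
    alert name never silently loses the original timestamp.
    """
    if isinstance(value, (int, float)):
        seconds = value / 1000 if value > 1e11 else value  # heuristic: ms vs s
        return datetime.fromtimestamp(seconds, tz=timezone.utc).isoformat()
    if isinstance(value, str):
        try:
            parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
            return parsed.astimezone(timezone.utc).isoformat()
        except ValueError:
            return value
    return str(value)


def build_alert_name(payload):
    """'[Platform] suspicious activity detected from 1.2.3.4 at <ts>' with safe fallbacks."""
    classification = str(payload.get("classification", "unknown")).strip().lower()
    ip = payload.get("ip") or payload.get("src_ip") or "unknown-ip"
    ts = iso_timestamp(payload.get("timestamp", ""))
    return f"{SOURCE_PREFIX} {classification} activity detected from {ip} at {ts}"


def flatten_for_soar(payload):
    """Return the flat document to POST to the SOAR webhook.

    The entire original payload is kept under raw_event as a JSON string so a
    playbook can still reach fields that were never individually mapped.
    """
    classification = str(payload.get("classification", "unknown")).strip().lower()
    return {
        "severity": severity_for(payload.get("classification")),
        "alert_name": build_alert_name(payload),
        "rule_id": f"{SOURCE_PREFIX} {classification}",
        "product_name": "Platform",
        "raw_event": json.dumps(payload, sort_keys=True, separators=(",", ":")),
    }


def raw_event_field(flat, key):
    """How a playbook step would read an unmapped field back out of raw_event."""
    return json.loads(flat["raw_event"]).get(key)


# Constructed sample payload (not taken from the original post).
SAMPLE_PAYLOAD = {
    "id": "evt-1001",
    "classification": "Suspicious",
    "ip": "1.2.3.4",
    "timestamp": 1731900000,
    "details": {"user": "alice", "process": "powershell.exe"},
}

if __name__ == "__main__":
    print(json.dumps(flatten_for_soar(SAMPLE_PAYLOAD), indent=2))
```

Doing the mapping at the source also makes the `[Platform]` prefix a stable contract for playbook triggers, independent of whatever the expression builder does or does not support.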