Like other integrations, Alert webhooks are used for Logpoint. In most integrations, the webhook is performed as a POST in which a payload is received in the body. However, with Logpoint, this request is a GET (although POST would also work). Also, Orchestrator requires that query parameters be used to identify both the offending user and the rule/alert that has been violated. These query parameters are: user and ruleName.
- For On-Premise Orchestrator, the URL format is:
  {Orchestrator Site Path}/api/SIEM/logpoint/alert?user={username}&ruleName={rule-name} (for example, http://localhost:5555/api/SIEM/logpoint/alert?user={username}&ruleName={rule-name})
- For the Azure-based setup, the URL format is:
  https://orchestrationapi.azurewebsites.net/api/event/splunk/alert?code={api-key}&orchid={id-of-orchestrator-from-portal}&orgId={organisation-id-from-portal}&user={username}&ruleName={rule-name}
Provided Orchestrator receives the correct parameters, it can locate the user in the SafeTitan instance and the rule that was violated.
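The following is an added example, not SafeTitan or Logpoint code, showing the two sides of the webhook call described above: building the GET URL with the user and ruleName query parameters properly percent-encoded (so a username containing "@" or a rule name containing spaces or "&" cannot corrupt the query), and the receiver-side check that both parameters arrive exactly once and non-empty. The site path, API key, orchestrator id, organisation id, username and rule name used below are constructed placeholders, not values from the page.

```python
"""Build and validate Logpoint -> Orchestrator alert webhook URLs.

Added example; not SafeTitan/Logpoint code. All concrete values
(site path, key, ids, user, rule name) are constructed placeholders.
"""
from urllib.parse import urlencode, urlsplit, parse_qs
from urllib.request import urlopen

# URL components taken from the documented formats.
ONPREM_PATH = "/api/SIEM/logpoint/alert"
AZURE_BASE = "https://orchestrationapi.azurewebsites.net/api/event/splunk/alert"

# The two query parameters Orchestrator requires on every alert request.
REQUIRED = ("user", "ruleName")


def onprem_alert_url(site_path: str, user: str, rule_name: str) -> str:
    """Return the on-premise GET URL for one alert.

    urlencode percent-encodes the values, so characters such as '@', ' '
    or '&' in the username or rule name stay inside their own parameter.
    """
    query = urlencode({"user": user, "ruleName": rule_name})
    return f"{site_path.rstrip('/')}{ONPREM_PATH}?{query}"


def azure_alert_url(api_key: str, orch_id: str, org_id: str,
                    user: str, rule_name: str) -> str:
    """Return the Azure-hosted GET URL; code/orchid/orgId come from the portal."""
    query = urlencode({
        "code": api_key,
        "orchid": orch_id,
        "orgId": org_id,
        "user": user,
        "ruleName": rule_name,
    })
    return f"{AZURE_BASE}?{query}"


def parse_alert_request(url: str) -> dict:
    """Receiver-side check for an incoming alert request.

    Returns {"user": ..., "ruleName": ...} after decoding, and raises
    ValueError when either parameter is missing, blank, or repeated
    (a repeated parameter is ambiguous and should not be silently
    resolved to the first or last value).
    """
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    result = {}
    for name in REQUIRED:
        values = params.get(name, [])
        if len(values) != 1 or not values[0].strip():
            raise ValueError(f"missing, blank or repeated query parameter: {name}")
        result[name] = values[0]
    return result


def send_alert(url: str, timeout: float = 10.0) -> int:
    """Perform the GET against Orchestrator and return the HTTP status code.

    Not called in the demo below because it needs a reachable Orchestrator.
    """
    with urlopen(url, timeout=timeout) as resp:  # plain GET, no body
        return resp.status


if __name__ == "__main__":
    # Constructed sample values for a local walk-through.
    url = onprem_alert_url("http://localhost:5555",
                           "jane.doe@example.com", "Phishing Link Clicked")
    print(url)
    print(parse_alert_request(url))
```

Keeping the two parameters in a single `urlencode` call (rather than string concatenation) is what prevents a rule name such as `Data Exfil & Upload` from being split into an extra query parameter when Logpoint fires the alert.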