DTEX Integration

The DTEX Agents can forward information to the SafeTitan On-Premise or Azure Orchestrator. Like other integrations, it does this via webhook. When setting up the DTEX alerting rules, a webhook URL can be specified to forward the information to the Orchestrator. The payload that is forwarded appears as follows:

"{

  ""dataset"": [

    {

      ""occurred_at"": ""2016-12-30T00:00:00-05:00"",

      ""hits"": [

        {

          ""category"": ""Obfuscation (Unusual File Deletes)"",

          ""severity"": ""High"",

          ""updated_at"": ""2017-06-06T23:09:45.851852+00:00"",

          ""risk_score"": 0.5,

          ""category_id"": ""DELETE"",

          ""id"":

""82d47a730e8a91cb0c812bd2965ca136728812e30334e081139715a2ee346e8b"",

        }

      ],

      ""activities_count"": 6,

      ""user_name"": ""dev\\gary"",

      ""user_risk_score"": 0.5

}]}"

The highlighted properties (user_name and category) are the only properties that the Orchestrator requires. These properties are used to identify the rule/alert that was triggered and the offending user. Depending on which Orchestrator you are using, the Orchestrator finds the identified user's email either from On-Premise Active Directory or Azure Active Directory. The URL for the webhook is configured as follows:

  • For the On-Premise Orchestrator, the URL format is:

    {Orchestrator Site Path}/api/SIEM/dtex/alert. (For example, this could be http://localhost:5555/api/SIEM/dtex /alert).

  • For an Azure-based setup, the URL format is:

    https://orchestrationapi.azurewebsites.net/api/event/dtex/alert?code={api-key}&orchid={id-of-orchestrator-from-portal}&orgId={organisation-id-from-portal}

Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select at least one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article