The DTEX Agents can forward information to the SafeTitan On-Premise or Azure Orchestrator. Like the other integrations, this is done via a webhook: when setting up the DTEX alerting rules, a webhook URL can be specified so that the alert is forwarded to the Orchestrator. The payload that DTEX forwards looks like this:
{
  "dataset": [
    {
      "occurred_at": "2016-12-30T00:00:00-05:00",
      "hits": [
        {
          "category": "Obfuscation (Unusual File Deletes)",
          "severity": "High",
          "updated_at": "2017-06-06T23:09:45.851852+00:00",
          "risk_score": 0.5,
          "category_id": "DELETE",
          "id": "82d47a730e8a91cb0c812bd2965ca136728812e30334e081139715a2ee346e8b"
        }
      ],
      "activities_count": 6,
      "user_name": "dev\\gary",
      "user_risk_score": 0.5
    }
  ]
}
Only two of these properties are required by the Orchestrator: user_name (in each dataset record) and category (in each hit). The category identifies the rule/alert that was triggered and user_name identifies the offending user; the other properties are ignored. Note that user_name is domain-qualified (dev\gary, written with an escaped backslash in the JSON). The On-Premise Orchestrator resolves that user's email address from on-premise Active Directory, and the Azure Orchestrator resolves it from Azure Active Directory. The webhook URL is configured as follows:
- For the On-Premise Orchestrator, the URL format is {Orchestrator Site Path}/api/SIEM/dtex/alert (for example, http://localhost:5555/api/SIEM/dtex/alert).
- For an Azure-based setup, the URL format is https://orchestrationapi.azurewebsites.net/api/event/dtex/alert?code={api-key}&orchid={id-of-orchestrator-from-portal}&orgId={organisation-id-from-portal}

In the Azure form the code parameter carries the API key, so the complete URL is a credential: keep it in the DTEX rule configuration as a secret and avoid writing it to logs or tickets.
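As an added example (not SafeTitan's or DTEX's own code), the following Python shows both halves of the integration described above: a parser that accepts a payload of the shape shown, enforces the two required properties (user_name and category) and splits the domain-qualified user name ready for a directory lookup, plus builders for the On-Premise and Azure webhook URLs. The embedded payload is a constructed copy of the sample in the text. The MalformedAlert exception, the split_user_name helper and redact_webhook_url (which blanks the API key so a URL can be logged safely) are assumptions of this example, not part of the Orchestrator's API; the Active Directory / Azure AD email lookup the Orchestrator performs is not reproduced here.

```python
"""DTEX -> Orchestrator webhook: payload parsing and URL construction.

Added example; not SafeTitan's or DTEX's code. The payload layout follows
the sample in the integration notes. MalformedAlert, split_user_name and
redact_webhook_url are this example's own helpers (assumptions).
"""
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample payload, copied from the shape shown in the notes.
# Raw bytes literal so the JSON-escaped backslash in "dev\\gary" survives.
SAMPLE_PAYLOAD = rb'''{
  "dataset": [
    {
      "occurred_at": "2016-12-30T00:00:00-05:00",
      "hits": [
        {
          "category": "Obfuscation (Unusual File Deletes)",
          "severity": "High",
          "updated_at": "2017-06-06T23:09:45.851852+00:00",
          "risk_score": 0.5,
          "category_id": "DELETE",
          "id": "82d47a730e8a91cb0c812bd2965ca136728812e30334e081139715a2ee346e8b"
        }
      ],
      "activities_count": 6,
      "user_name": "dev\\gary",
      "user_risk_score": 0.5
    }
  ]
}'''

ONPREM_PATH = "/api/SIEM/dtex/alert"
AZURE_ENDPOINT = "https://orchestrationapi.azurewebsites.net/api/event/dtex/alert"


class MalformedAlert(ValueError):
    """Raised when a payload lacks a property the Orchestrator requires."""


def split_user_name(user_name):
    """Split 'DOMAIN\\user' into (domain, account); domain is None if absent.

    After JSON decoding the sample's "dev\\\\gary" is the 8-character string
    dev\\gary, so a single backslash is the separator to look for.
    """
    domain, sep, account = user_name.partition("\\")
    if not sep:
        return None, user_name
    return domain, account


def parse_dtex_alert(raw):
    """Return one dict per hit: the required user_name and category,
    plus severity and risk_score when present (they are optional)."""
    try:
        body = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise MalformedAlert(f"payload is not valid JSON: {exc}") from exc
    dataset = body.get("dataset") if isinstance(body, dict) else None
    if not isinstance(dataset, list):
        raise MalformedAlert("missing 'dataset' array")
    alerts = []
    for record in dataset:
        if "user_name" not in record or "hits" not in record:
            raise MalformedAlert("record must carry 'user_name' and 'hits'")
        for hit in record["hits"]:
            if "category" not in hit:
                raise MalformedAlert("hit must carry 'category'")
            alerts.append({
                "user_name": record["user_name"],
                "category": hit["category"],
                "severity": hit.get("severity"),
                "risk_score": hit.get("risk_score"),
            })
    return alerts


def onprem_webhook_url(site_path):
    """{Orchestrator Site Path}/api/SIEM/dtex/alert, tolerating a trailing slash."""
    return site_path.rstrip("/") + ONPREM_PATH


def azure_webhook_url(api_key, orch_id, org_id):
    """Azure form; urlencode percent-encodes any reserved characters in the key."""
    query = urlencode({"code": api_key, "orchid": orch_id, "orgId": org_id})
    return f"{AZURE_ENDPOINT}?{query}"


def redact_webhook_url(url):
    """Replace the API key (the 'code' parameter) so the URL can be logged."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k == "code" else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


if __name__ == "__main__":
    for alert in parse_dtex_alert(SAMPLE_PAYLOAD):
        domain, account = split_user_name(alert["user_name"])
        print(f"rule={alert['category']!r} domain={domain} account={account}")
    print(redact_webhook_url(azure_webhook_url("s3cr3t+key", "orch-1", "org-1")))
```

The parser deliberately rejects, rather than silently skips, a record or hit that lacks one of the two required properties, because an alert with no identifiable user or rule cannot be acted on and a silent drop would hide a misconfigured DTEX rule.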