Details

This workflow will execute a threat hunt for the content of incoming webhooks. The content will be inspected for observables, the observables will be investigated, and then an incident will be created if any assets or targets were found during the investigation.

Note: After installing this workflow, you must add it to a webhook automation rule before it will run. Webhooks require a content type to be specified for the webhook content: if a request sent to the webhook does not include a "Content-Type" header and a body formatted accordingly, the request is rejected.

Target: Conure APIs, Platform APIs

Steps:

  • Inspect the webhook content for observables
  • Deliberate each observable and keep track of the non-clean ones (if no non-clean observables, end the workflow)
  • Run an investigation for the remaining observables and check if any impacted assets were found (if not, end the workflow)
  • Create an incident and link it to the investigation

Required targets

This workflow requires the following targets to be available before it can be run.

Integration targets

  • Cisco XDR

About

Author: Cisco
Version: v1.0
Average rating: 5.0 out of 5
Authorship: Cisco Managed