Contact sales
Details

This workflow ingests Corelight alerts via webhook, normalizes and parses the payload, and converts it into Custom Security Events within XDR. The events are promoted to Detection Findings and evaluated for incident generation. The workflow supports YARA, Suricata, Anomaly, Machine Learning, and Notice alerts, enabling consistent detection, correlation, and response across XDR without direct sensor integration. If you want to ingest custom alerts that you have made in Corelight, please edit the workflow to add a parser for the custom alerts you want to ingest.

Description

To setup this workflow, follow the directions below:

Create a webhook

  1. Go to Automate -> Triggers
  2. Click on the Webhooks tab
  3. Click on + New Webhook button on the right side
  4. Give it a meaningful name for your organization
  5. Leave everything else as default
  6. Click Save on the bottom right
    The page will refresh and give you the information you need to hit the webhook. Save the endpoint, headers, and API key for later.

Create a webhook rule

  1. Go back to the Automate -> Triggers page
  2. Click on the Automation Rules tab
  3. Under Rule type click on Other rules
  4. Click on + Add automation rule on the right side
  5. Change the Type to Webhook Rule
  6. Give it a meaningful name to your organization
  7. In the Select webhook dropdown, select the new webhook you created
  8. You may add a condition if you like, but it is not required. This can be useful if you want to limit what is able to use this webhook rule.
  9. In the Select worflow dropdown, select the Corelight - Ingest Alerts as Custom Network Security Events as the workflow
  10. Click Save on the bottom right.

After the two configurations above have been finished, we can go to Corelight and configure their webhook integration.

Corelight webhook configuration

  1. Log into Corelight Investigator
  2. Go to Settings -> Integrations
  3. Click on the Alert Exports tab
  4. Click ont he HTTP Exporter option
  5. Toggle on Enabled
  6. Provide a meaningful name for the exporter
  7. Provide the webhook URL that was saved for your exporter
  8. Specify the authentication type to be None
  9. Add a custom header of x-automate-api-key and paste the API key from the webhook in there
  10. Click Save

This integration is now configured and you will start to receive events via webhook from Corelight into Cisco XDR

Required targets

This workflow requires the following targets to be available before it can be run.

Integration targets

  • Cisco XDR
About
Author
rymaclen@cisco.com
Version
v1.0
Intent
Custom Security Event
Average rating
No ratings yet
Authorship
Community
Contact and support information
rymaclen@cisco.com
External links

Content Licensing

Developer Community

Custom Network Ingestion