Skip to main content

SafeTitan

Logpoint Integration

Like other integrations, Alert webhooks are used for Logpoint. In most integrations, the webhook is performed as a POST in which a payload is received in the body. However, with Logpoint, this request is a GET (although POST would also work). Also, Orchestrator requires that the queries parameters be used to identify both the offending user and the rule/alert that have been violated. Thes queries parameters are: user and ruleName.

  • For On-Premise Orchestrator, the URL format is:

    {Orchestrator Site Path}/api/SIEM/logpoint/alert?user={username}&ruleName={rule-name}. (For example, this could be http://localhost:5555/api/SIEM/logpoint/alert?user={username}&ruleName={rule-name})

  • For the Azure-based setup, the URL format is:

    https://orchestrationapi.azurewebsites.net/api/event/splunk/alert?code={api-key}&orchid={id-of-orchestrator-from-portal}&orgId={organisation-id-from-portal}&user={username}&ruleName={rule-name}

Provided Orchestrator receives the correct parameters, it can locate the user in the SafeTitan instance and the rule that had been violated.