
SafeTitan

DTEX Integration

The DTEX Agents can forward information to the SafeTitan On-Premise or Azure Orchestrator. Like other integrations, it does this via webhook. When setting up the DTEX alerting rules, a webhook URL can be specified to forward the information to the Orchestrator. The payload that is forwarded appears as follows:

{
  "dataset": [
    {
      "occurred_at": "2016-12-30T00:00:00-05:00",
      "hits": [
        {
          "category": "Obfuscation (Unusual File Deletes)",
          "severity": "High",
          "updated_at": "2017-06-06T23:09:45.851852+00:00",
          "risk_score": 0.5,
          "category_id": "DELETE",
          "id": "82d47a730e8a91cb0c812bd2965ca136728812e30334e081139715a2ee346e8b"
        }
      ],
      "activities_count": 6,
      "user_name": "dev\\gary",
      "user_risk_score": 0.5
    }
  ]
}

Only two properties are required by the Orchestrator: user_name (on the dataset entry) and category (on each hit). The category identifies the DTEX rule/alert that was triggered, and user_name identifies the offending user. The remaining fields (severity, risk_score, id and so on) are accepted but not used. Depending on which Orchestrator you are using, it resolves that user's email address from either On-Premise Active Directory or Azure Active Directory, so the user_name DTEX reports (DOMAIN\username) must correspond to an account in that directory. The URL for the webhook is configured as follows:

  • For the On-Premise Orchestrator, the URL format is:

    {Orchestrator Site Path}/api/SIEM/dtex/alert (for example, http://localhost:5555/api/SIEM/dtex/alert). The localhost example only works when DTEX and the Orchestrator run on the same host; otherwise use the Orchestrator's reachable address, over HTTPS where the site is configured for it.

  • For an Azure-based setup, the URL format is:

    https://orchestrationapi.azurewebsites.net/api/event/dtex/alert?code={api-key}&orchid={id-of-orchestrator-from-portal}&orgId={organisation-id-from-portal}

    The code parameter carries the Orchestrator API key, so the complete URL is a credential: store it in the DTEX alerting rule as you would any secret, and percent-encode the key if it contains characters such as +, / or =.
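The following Python is an added example, not SafeTitan or DTEX code. It does what the description above says the Orchestrator does with the payload: it parses the DTEX webhook body, insists on the two required properties (user_name and category), yields one alert per hit, and splits the DOMAIN\username form for a directory lookup. It also builds both webhook URLs with proper query encoding. The payload is constructed to mirror the sample on this page; the function and class names are this example's own.

```python
"""Parse a DTEX alert webhook payload and build the Orchestrator webhook URLs.
Added example; not SafeTitan/DTEX code. Function names are illustrative."""
import json
from urllib.parse import urlencode

# Constructed sample, mirroring the payload shape shown on the page.
SAMPLE_PAYLOAD = json.dumps({
    "dataset": [
        {
            "occurred_at": "2016-12-30T00:00:00-05:00",
            "hits": [
                {
                    "category": "Obfuscation (Unusual File Deletes)",
                    "severity": "High",
                    "updated_at": "2017-06-06T23:09:45.851852+00:00",
                    "risk_score": 0.5,
                    "category_id": "DELETE",
                    "id": "82d47a730e8a91cb0c812bd2965ca136728812e30334e081139715a2ee346e8b",
                }
            ],
            "activities_count": 6,
            "user_name": "dev\\gary",
            "user_risk_score": 0.5,
        }
    ]
})


class InvalidAlert(ValueError):
    """A dataset entry or hit lacks a property the Orchestrator requires."""


def _nonempty_str(value):
    return isinstance(value, str) and bool(value.strip())


def extract_alerts(raw):
    """Return one dict per hit with the required user_name/category pair.

    Accepts the raw JSON body (str/bytes) or an already-decoded dict. Entries
    without user_name, or hits without category, are rejected rather than
    silently skipped, since the Orchestrator cannot act on them.
    """
    payload = json.loads(raw) if isinstance(raw, (str, bytes)) else raw
    dataset = payload.get("dataset") if isinstance(payload, dict) else None
    if not isinstance(dataset, list):
        raise InvalidAlert("payload has no 'dataset' list")

    alerts = []
    for entry in dataset:
        if not isinstance(entry, dict):
            raise InvalidAlert("dataset entry is not an object")
        user = entry.get("user_name")
        if not _nonempty_str(user):
            raise InvalidAlert("dataset entry has no user_name")
        hits = entry.get("hits") or []
        if not hits:
            raise InvalidAlert(f"no hits for {user}")
        for hit in hits:
            category = hit.get("category") if isinstance(hit, dict) else None
            if not _nonempty_str(category):
                raise InvalidAlert(f"hit for {user} has no category")
            alerts.append({
                "user_name": user,           # required: identifies the user
                "category": category,        # required: identifies the rule
                "severity": hit.get("severity"),  # optional context only
                "hit_id": hit.get("id"),
            })
    return alerts


def split_domain_user(user_name):
    """DTEX reports DOMAIN\\username; return (domain, username) for the
    directory lookup. A bare username yields (None, username)."""
    domain, sep, name = user_name.partition("\\")
    return (domain, name) if sep else (None, domain)


def onprem_webhook_url(site_path):
    """{Orchestrator Site Path}/api/SIEM/dtex/alert, tolerating a trailing slash."""
    return site_path.rstrip("/") + "/api/SIEM/dtex/alert"


def azure_webhook_url(api_key, orch_id, org_id):
    """Azure Orchestrator URL; urlencode() percent-encodes the API key."""
    query = urlencode({"code": api_key, "orchid": orch_id, "orgId": org_id})
    return "https://orchestrationapi.azurewebsites.net/api/event/dtex/alert?" + query


if __name__ == "__main__":
    for alert in extract_alerts(SAMPLE_PAYLOAD):
        print(split_domain_user(alert["user_name"]), alert["category"])
```

Rejecting a malformed entry outright, instead of skipping it, is deliberate: a DTEX rule that fires without a resolvable user is a configuration problem worth surfacing, not an event to drop quietly.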