
Manually Send Case or Alert Information to Webhooks

Manually send case or alert information directly from the case or alert to third-party systems using webhooks.

The webhook message contains case or alert attributes in a key-value JSON format. Case or alert attributes sent include:

  • When the case or alert was last updated

  • Case or alert ID

  • A summary of the case or alert, including the number of related detections, triggered rules, MITRE ATT&CK® tactics and techniques, users, endpoints; the case or alert risk score; and the attribute by which related detections are grouped

  • Associated tags

  • Associated ATT&CK tactics and techniques

  • Associated Exabeam use cases

  • Associated users

  • Associated endpoints

  • Case or alert severity

  • Case stage; and, if the case is closed, the case closed reason

  • Queue

  • Assignee

  • Details for every related detection, including the detection type, associated Exabeam use case, associated triggered rules, approx_log_time, description, detection ID, associated source and destination users, associated source and destination IP addresses, and associated source and destination host names

To send case or alert information to webhooks automatically under conditions you specify, create an Automation Management playbook in which an action is Send all threat details via webhook.

  1. Ensure that you've added the webhook in Exabeam Security Operations Platform settings.

  2. In a case or alert, click Automations, then select Send to webhook.

  3. Select up to three webhooks to which you'll send case or alert information.

    To add additional webhooks, click Add a new webhook in settings. You're redirected to Exabeam Security Operations Platform settings. After you add the webhook, return to sending a webhook in Threat Center. To retrieve the latest list of webhooks, click the refresh icon.

  4. Click Send. This action is recorded in the case or alert history.