LogicHub SOAR (DEVO) Integration

Step 1 - Creating a webhook for LogicHub SOAR (DEVO)

  • Visit the Webhooks page in Binalyze AIR,

  • Click the "+ New Webhook" button in the upper right corner,

  • Provide a self-explanatory name,

  • Select "LogicHub SOAR (DEVO) Webhook Parser" as the parser for this webhook,

  • Select the Acquisition Profile that AIR should run on the endpoint when the trigger activates this webhook,

  • Set the Ignore interval or leave it at its default value (24 hours: repeated alerts for the same endpoint within that window are ignored rather than starting another acquisition),

  • Provide the other settings such as Evidence Repository, CPU Limit, Compression and Encryption, or let AIR configure them automatically based on the matching policy,

  • Click the "Save" button.

Step 2 - Navigate to the DEVO Console

  • To define new alerts, you need to have a role with management permissions on Alert configuration and also on My Alerts or any of its subcategories (Administration → Roles → Permissions/Alerts tabs).

  • Alerts are tasks that continually monitor active queries to look for and report on specific events or conditions. Therefore, alerts are created from within the Data Search area where queries are made.

  • Open the required data table and apply the operations and filters needed to isolate the alert condition. Then select New Alert Definition on the toolbar and fill in the required information. Click Create to save the alert.

  • The new alert is automatically associated with the default sending policy. If you want to choose a different one, go to Administration → Alert Configuration. See the Manage defined alerts article for the steps.

  • You can also click on the Configure Alerts button on the message that appears right after creating the alert. Follow the instructions to create an alert in the alert window.

Step 3 - Create an HTTP-JSON Delivery Method

  • HTTP-JSON type delivery methods send alerts to any server configured to receive JSON objects.

  • Each alert is encapsulated as a JSON object and sent with an HTTP POST over HTTP or HTTPS. Use HTTPS so the alert contents (and any credentials) are not sent in clear text. If the destination server requires Digest access authentication, enter the username and password it expects.

  • Fill in the information required in the New Delivery Method window for this delivery method (for the creation process, see Manage delivery methods).

Step 4 - Activate the delivery method

  • The new delivery method is saved in Pending status.

  • To activate it, Devo sends an HTTP validation code to the URL you specified; you must enter that code back into Devo. The delivery method cannot be used until the code has been validated.

  • Copy the code and then return to Devo's newly created delivery method. Click pending activation under the status column, paste the validation code into the Activation Code window, and click Apply.

  • Now associate this new delivery method with sending policies to start receiving alerts through this method.
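Before pointing the delivery method at the production AIR webhook, it is useful to see exactly what Devo will POST to the URL and to confirm the receiving side rejects anything that is not a well-formed JSON POST. The following is an added example, not Binalyze or Devo code: a stand-in receiver on localhost that validates and records incoming deliveries, plus a sender that performs the same kind of request the page describes for Step 3. The field names in SAMPLE_ALERT are constructed for this example and are not Devo's alert schema; the receiver is unauthenticated, so the Digest authentication option mentioned above is not modelled.

```python
"""Stand-in receiver and sender for a Devo HTTP-JSON delivery method.

Added example (not Binalyze or Devo code). It models only what the page
states: an alert is wrapped in a JSON object and POSTed to the configured
URL. SAMPLE_ALERT field names are constructed, not the Devo alert schema.
"""
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

MAX_BODY = 1 << 20  # refuse bodies over 1 MiB before decoding them

# Constructed sample payload; the keys are assumptions for this example.
SAMPLE_ALERT = {
    "alertName": "suspicious_process",
    "hostname": "ws-0042",
    "priority": "high",
}


def parse_alert_request(method, headers, body):
    """Validate an incoming delivery the way a webhook receiver should.

    Returns (http_status, parsed_object_or_None). Only a reasonably sized
    POST carrying a JSON object is accepted; everything else is rejected
    before the body is trusted.
    """
    if method != "POST":
        return 405, None
    ctype = headers.get("Content-Type", "")
    if ctype.split(";")[0].strip().lower() != "application/json":
        return 415, None
    if len(body) > MAX_BODY:
        return 413, None
    try:
        data = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return 400, None
    if not isinstance(data, dict):
        return 400, None
    return 200, data


class _Catcher(BaseHTTPRequestHandler):
    received = []  # every accepted alert object, for inspection

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(min(length, MAX_BODY + 1))
        status, data = parse_alert_request("POST", self.headers, body)
        if data is not None:
            _Catcher.received.append(data)
        self.send_response(status)
        self.end_headers()

    def log_message(self, *args):  # keep stderr quiet
        pass


def start_catcher():
    """Start the catcher on an ephemeral localhost port; return (url, server)."""
    server = HTTPServer(("127.0.0.1", 0), _Catcher)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d/" % server.server_address[1], server


def send_alert(url, alert):
    """POST an alert as a JSON object, as the page says Devo does; return the HTTP status."""
    req = urllib.request.Request(
        url,
        data=json.dumps(alert).encode("utf-8"),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status


def roundtrip(alert=SAMPLE_ALERT):
    """Deliver one alert to a local catcher; return (status, list of received objects)."""
    url, server = start_catcher()
    try:
        status = send_alert(url, alert)
        return status, list(_Catcher.received)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(roundtrip())
```

To use the catcher against a real Devo instance, run start_catcher() on a host Devo can reach, enter that URL as the delivery method's target, and read what arrives in _Catcher.received; once the format and the activation step are confirmed, switch the delivery method to the AIR webhook URL over HTTPS.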
