Even without a SIEM/SOAR, the URL above can be used to start an acquisition task simply by:
Visiting it with a web browser,
Adding it as the click action of an HTML button in your case management alert reports,
Creating a simple script that makes a GET request to this address.
2. Webhook Parser
Webhook parsers require the trigger source to provide the endpoint information inside a JSON payload that is POSTed to the trigger.
The Splunk Parser provided out of the box is a basic example of this. After you add the trigger URL as a POST workflow action, whenever Splunk generates an alert for an endpoint it POSTs the JSON alert data, which carries the endpoint information as a nested property that the trigger parser extracts. The parser then uses this information to start an acquisition on that endpoint automatically. See the Splunk POST Workflow Actions documentation for more information.
You can contact [email protected] to request additional trigger parsers for major SIEM/SOAR/EDR products.
Each created trigger has a dedicated security token that can be revoked at any time. Because the trigger URL alone is enough to start a task, treat it as a credential and regenerate the token if it is exposed.
Once you regenerate a security token, every integration still using the old token starts receiving HTTP 401 Unauthorized, so update the URL in those integrations after rotating.
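The following Python script is an added example, not the product's own code: it simulates the server side of a trigger so that the three behaviours described above (a URL-based trigger started with a plain GET, a webhook parser that pulls the endpoint out of nested Splunk-style JSON, and the 401 that follows token regeneration) can be exercised offline. The base URL, the `token` and `endpoint` query parameters, the `result.host` location of the hostname and the sample alert are all assumptions or constructed data; the real trigger URL and payload shape come from the product UI and your Splunk alert.

```python
import hmac
import json
import secrets
from typing import Callable, Optional
from urllib.parse import parse_qs, urlparse

# Hypothetical base URL; the real trigger URL is shown by the product when a trigger is created.
BASE_URL = "https://air.example.internal/api/triggers"

# A parser receives the parsed query string and the raw POST body and returns
# the endpoint name to acquire from, or None if it cannot find one.
Parser = Callable[[dict, bytes], Optional[str]]


def url_parser(query: dict, body: bytes) -> Optional[str]:
    """URL parser: the endpoint is named in the URL itself (assumed `endpoint`
    query parameter), so a plain GET from a browser, button or script is enough."""
    values = query.get("endpoint", [])
    return values[0] if values and values[0] else None


def splunk_parser(query: dict, body: bytes) -> Optional[str]:
    """Webhook parser: the endpoint is a nested property of the JSON alert that
    Splunk POSTs (assumed to be result.host; check the field names in your alert)."""
    try:
        alert = json.loads(body)
    except (ValueError, UnicodeDecodeError):
        return None
    result = alert.get("result") if isinstance(alert, dict) else None
    host = result.get("host") if isinstance(result, dict) else None
    return host if isinstance(host, str) and host else None


class Trigger:
    """Simulates one trigger: a dedicated token, a parser, and the acquisitions it started."""

    def __init__(self, trigger_id: str, parser: Parser):
        self.trigger_id = trigger_id
        self.parser = parser
        self.token = secrets.token_urlsafe(32)
        self.started: list = []

    def url(self) -> str:
        """The shareable trigger URL; it embeds the token, so treat it as a credential."""
        return f"{BASE_URL}/{self.trigger_id}?token={self.token}"

    def regenerate_token(self) -> str:
        """Revokes the old token: every integration still using it now gets 401."""
        self.token = secrets.token_urlsafe(32)
        return self.token

    def handle(self, url: str, body: bytes = b"") -> tuple:
        """Server-side handling of one request. Returns (HTTP status, response dict)."""
        query = parse_qs(urlparse(url).query)
        presented = query.get("token", [""])[0]
        # Constant-time comparison so a wrong or revoked token cannot be guessed byte by byte.
        if not hmac.compare_digest(presented.encode(), self.token.encode()):
            return 401, {"error": "Unauthorized"}
        endpoint = self.parser(query, body)
        if endpoint is None:
            return 400, {"error": "no endpoint information in request"}
        self.started.append(endpoint)
        return 202, {"status": "acquisition started", "endpoint": endpoint}


# Constructed sample alert in the nested shape the text describes (not a real Splunk capture).
SAMPLE_SPLUNK_ALERT = json.dumps({
    "sid": "scheduler__admin__search__RMD5e3",
    "search_name": "Suspicious PowerShell on endpoint",
    "result": {"host": "WS-0042", "user": "jdoe", "process": "powershell.exe"},
}).encode()


def walkthrough() -> tuple:
    """Exercises both parser kinds and token revocation; returns the three status codes."""
    by_url = Trigger("t-url", url_parser)
    get_status, _ = by_url.handle(by_url.url() + "&endpoint=WS-0042")

    by_webhook = Trigger("t-splunk", splunk_parser)
    old_url = by_webhook.url()
    post_status, _ = by_webhook.handle(old_url, SAMPLE_SPLUNK_ALERT)

    by_webhook.regenerate_token()  # revoke: integrations still using old_url now fail
    revoked_status, _ = by_webhook.handle(old_url, SAMPLE_SPLUNK_ALERT)
    return get_status, post_status, revoked_status


if __name__ == "__main__":
    print(walkthrough())  # (202, 202, 401)
```

The token check runs before any parsing, so a revoked URL is rejected with 401 regardless of the payload, and a valid token with no recoverable endpoint gets 400 rather than a silent no-op; both are worth verifying against the real product before wiring a SOAR playbook to its responses.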