Stellar XDR Integration

Step 1 - Create Webhook for Stellar XDR
  • Visit the Webhooks page in Binalyze AIR,
  • Click the "+ New Webhook" button on the upper right corner,
  • Provide a self-explanatory name (examples: RDP Brute Force Trigger, Phishing Detected Trigger, etc.),
  • Select "Stellar XDR: Stellar XDR Webhook Parser" as the parser for this webhook,
  • Select an Acquisition Profile to use when InsightIDR activates this webhook,
  • Select the Ignore option or leave it at its default value (defaults to 24 hours for recurrent alerts for a single endpoint),
  • Provide other settings such as Evidence Repository, CPU Limit, Compression & Encryption to use, or let AIR configure them automatically based on the matching policy,
  • Click the "Save" button.
  • Copy the Webhook URL for Step 2.
Step 2 - Setting up Stellar XDR
Log in to Stellar Cyber.
  • Click System | Administration | Saved Scripts. The Script Template page appears.
  • Click Create to add a new script. The Add Script Template screen appears.
  • Enter the Name. Each script must have a unique name. This field does not support multibyte characters. You cannot edit the name after you submit it.
  • Choose a Tenant Name.
  • In the Script Body, call the script you created earlier. Replace AIR-WEBHOOK-URL with the Webhook URL that you created in Step 1.
curl AIR-WEBHOOK-URL --header 'Content-Type: application/json' --data-raw '{"result":{"host":"{{_source.srcip}}"}}'
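
A way to check the webhook from a terminal before saving the Stellar script, as an added example that is not part of the Binalyze or Stellar Cyber documentation. The function names, the AIR_WEBHOOK_URL and TEST_HOST_IP environment variables and the IPv4-only check are assumptions; the request body is the one from Step 2.

```shell
#!/bin/sh
# Added example: build the Step 2 request body for one host and optionally send it.

# is_ipv4 ADDR: succeed only for a dotted-quad address with four octets in 0-255.
# Assumption: the source IP is IPv4; anything else is rejected so it can never
# break out of the JSON string it is placed in.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split the address on dots into $1..$n
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# build_payload ADDR: print the JSON body from Step 2 with ADDR as the host value.
build_payload() {
    is_ipv4 "$1" || { echo "refusing non-IPv4 value: $1" >&2; return 1; }
    printf '{"result":{"host":"%s"}}' "$1"
}

# send_test URL ADDR: POST the body to the Webhook URL copied in Step 1.
# --fail makes curl exit non-zero on an HTTP error status.
send_test() {
    body=$(build_payload "$2") || return 1
    curl --silent --show-error --fail \
         --header 'Content-Type: application/json' \
         --data-raw "$body" "$1"
}

# Sends only when both (hypothetical) variables are set, for example:
#   AIR_WEBHOOK_URL='<URL from Step 1>' TEST_HOST_IP=192.0.2.10 sh test_webhook.sh
if [ -n "${AIR_WEBHOOK_URL:-}" ] && [ -n "${TEST_HOST_IP:-}" ]; then
    send_test "$AIR_WEBHOOK_URL" "$TEST_HOST_IP"
fi
```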