Integrating with SIEM
Guide to integrate Nightfall with a SIEM or push violations downstream to any alert drain, SOAR tool, BI tool, and more.
To integrate with a SIEM or push Nightfall alerts downstream, specify a webhook URL in your Nightfall console.
First, configure an incoming webhook in the tool you'd like to send Nightfall alerts into. For example, this could be Splunk, Sumo Logic, LogRhythm, Slack, PagerDuty, etc.
For LogRhythm integration, initialize the Webhook Beat by following these instructions.
This process provides you with an HTTPS URL endpoint (as seen in step 4c). Copy this URL; you will use it to complete setup in Nightfall.
Configuring Outgoing Webhooks
Next, configure the outgoing webhook in Nightfall. This webhook will fire in real-time upon a new event (e.g. a new violation is created).
1. Navigate to the integration for which you want to set up a webhook for alerts. Webhooks are available for all native integrations.
2. Select the Settings tab at the top.
3. Select Change or Add next to the Webhook option.
4. Enter the URL of your webhook endpoint.
5. Use the Test button to send a sample payload to the endpoint you entered and verify that the connection succeeds.
Adding Headers for Webhooks
You may also add HTTP Headers to send authentication tokens or other content using the Add Headers button.
Once your header key and value are entered, you may mask the value by clicking the "lock" icon next to the value field for the header. Click the Save button to persist your changes to the headers.
When you have completed configuring your Webhook URL and Headers, click the Save button.
Going forward, events are sent directly from Nightfall into your SIEM or other solution of choice.
Nightfall Webhook Event Types
Every message Nightfall sends to the configured webhook includes an event. Nightfall sends the four event types listed in the following table.
| Event Name | Event Description |
|---|---|
| | An alert that triggers if there are new findings or if findings have been removed from the violation. |
| | An alert that triggers when the violation is resolved. |
| | An alert that triggers when a new violation is created. |
| | An alert that triggers when any remediation action (e.g. redact, delete) is taken on the violation's content. |
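The receiving side of the procedure above (the endpoint whose URL you enter in Nightfall, authenticated with a token sent via Add Headers, and which has to accept each of the event types in the table) is not shown on this page. The following is an added example receiver, not Nightfall's own code. It assumes the shared secret is sent in a header named `X-Webhook-Token` (the header name you choose in the console) and that the JSON body carries the event type in a top-level `eventType` field; both names are assumptions, and the real payload field may differ. The token is compared in constant time, oversized and malformed bodies are rejected, and each accepted event is normalised into one JSON line for a SIEM collector.

```python
"""
Minimal receiver for Nightfall outgoing-webhook events.

Added example, not Nightfall's own code. Assumptions (not from the page):
  * the shared secret is sent in a header named X-Webhook-Token, configured
    under "Add Headers" in the Nightfall console;
  * the event body is JSON and carries the event type in a top-level
    "eventType" field (the real field name may differ).
"""
import hmac
import json
import os
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer

# The same value is entered as the header value in Nightfall. Read it from
# the environment so it never lands in source control.
SHARED_SECRET = os.environ.get("NIGHTFALL_WEBHOOK_TOKEN", "change-me")
TOKEN_HEADER = "x-webhook-token"        # assumed header name, compared case-insensitively
MAX_BODY_BYTES = 1 << 20                # refuse anything over 1 MiB

# Constructed sample delivery; not a real Nightfall payload.
SAMPLE_EVENT = b'{"eventType": "sample-event", "detail": "constructed sample"}'


def authorize(headers, secret=None):
    """Constant-time comparison of the presented token against the secret."""
    secret = SHARED_SECRET if secret is None else secret
    lowered = {k.lower(): v for k, v in headers.items()}
    presented = lowered.get(TOKEN_HEADER, "")
    return hmac.compare_digest(presented.encode(), secret.encode())


def handle_event(headers, body, secret=None):
    """
    Validate and normalise one webhook delivery.

    Returns (http_status, record). record is a flat dict suitable for
    emitting as one JSON line to a SIEM, or None when the request is rejected.
    """
    if not authorize(headers, secret):
        return 401, None
    if len(body) > MAX_BODY_BYTES:
        return 413, None
    try:
        event = json.loads(body)
    except (ValueError, UnicodeDecodeError):
        return 400, None
    if not isinstance(event, dict) or "eventType" not in event:
        return 400, None
    record = {
        "source": "nightfall",
        "event_type": event["eventType"],
        # Everything else is kept verbatim so the SIEM can index it.
        "payload": event,
    }
    return 200, record


class WebhookHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        # Read at most one byte over the limit so handle_event can reject it.
        body = self.rfile.read(min(length, MAX_BODY_BYTES + 1))
        status, record = handle_event(self.headers, body)
        if record is not None:
            # One JSON object per line: the format most SIEM file/HTTP
            # collectors ingest without extra parsing rules.
            sys.stdout.write(json.dumps(record) + "\n")
            sys.stdout.flush()
        self.send_response(status)
        self.end_headers()

    def log_message(self, fmt, *args):
        # Suppress the default access log; the JSON lines above are the log.
        pass


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), WebhookHandler).serve_forever()
```

Run it with `NIGHTFALL_WEBHOOK_TOKEN` set, put it behind a TLS terminator (Nightfall expects an HTTPS URL, and the token would otherwise travel in clear text), and enter the resulting URL plus the `X-Webhook-Token` header in the console. The Test button then exercises the full path; if the sample payload Nightfall sends uses a different field for the event type, adjust the `eventType` check rather than removing it, because a receiver that accepts any JSON silently also accepts garbage.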
Webhook Payload Examples
The following are examples of the payload delivered to the webhook when a detection rule is violated. There is one example per integration, so the specific fields vary with the Nightfall product you are using (e.g. Slack, GitHub, Google Drive, Jira, etc.).
The following are examples of the payload delivered to the webhook when a remediation or action is taken on one of the violations above. Again there is one example per integration, so the specific fields vary with the Nightfall product you are using (e.g. Slack, GitHub, Google Drive, Jira, etc.).