Integrating with SIEM
Learn how to integrate Nightfall with a SIEM or push violations downstream to any alert drain, SOAR tool, BI tool, and more.
To integrate with a SIEM or push Nightfall alerts downstream, specify a webhook URL in your Nightfall console.
First, configure an incoming webhook in the tool you'd like to send Nightfall alerts into. For example, this could be Splunk, Sumo Logic, LogRhythm, Slack, PagerDuty, etc.
For LogRhythm integration, initialize the Webhook Beat by following these steps.
This process provides you with an HTTPS URL endpoint (shown in step 4c). Copy this URL; you will use it to complete the setup.
Next, configure the outgoing webhook in Nightfall. This webhook will fire in real-time upon a new event (e.g. a new violation is created).
Navigate to the integration for which you want to set up webhook alerts. Webhooks are available for all native integrations.
Select the Settings tab on the top.
Click the Console Audit tab.
Click + Webhook.
Enter the URL to your webhook endpoint.
You may send a sample payload to the endpoint that you have entered to verify a successful connection using the Test button.
You may also add HTTP Headers to send authentication tokens or other content using the Add Headers button.
Once your header key and value are entered, you can obfuscate the value by clicking the "lock" icon next to the value field. Click the Save button to persist your changes to the headers.
When you have completed configuring your Webhook URL and Headers, click the Save button.
Going forward, you will now see events sent directly from Nightfall into your SIEM or other solution of choice.
When Nightfall sends a message to the configured Webhook, an event is always included in the message. Nightfall sends the following four types of events:
exposure_update: An alert that triggers if there are new findings or if findings have been removed from the .
resolution: An alert that triggers when the is resolved.
violation: An alert that triggers when a new is created.
remediation: An alert that triggers when any remediation action (e.g. redact, delete) is taken on content in the .
The following are examples of a sample payload for detection rules that were violated, as delivered to the webhook. These are examples from each integration, so the specific fields may vary based on the Nightfall product you are using (e.g. Slack, GitHub, Google Drive, Jira, etc.).
The following are examples of a sample payload for remediations/actions that were taken on the above-mentioned , as delivered to the webhook. These are examples from each integration, so the specific fields may vary based on the Nightfall product you are using (e.g. Slack, GitHub, Google Drive, Jira, etc.).
Once the flag is enabled, use the following steps to query the HEC Token within the URL string. For more information on query string authentication from Splunk, please reference the Splunk docs.
Steps for setting up an ngrok tunnel can be found . If using an ngrok tunnel, the following command generates a tunnel listening on the correct port and protocol for the collector:
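As an added example (not Nightfall's own code or schema), the following is a minimal receiver for the webhook configured above: it checks the authentication header added under Add Headers and accepts only the four event types listed. It assumes a header name of X-Nightfall-Token, a constructed token value, and a JSON body whose top-level "event" field carries the event type; verify the real field name with the console's Test button.

```python
import hmac
import json

# The four event types this page lists; anything else is rejected.
EVENT_TYPES = {"exposure_update", "resolution", "violation", "remediation"}

# Assumed header name and a constructed token: use the key and value you
# entered under Add Headers in the Nightfall console.
AUTH_HEADER = "X-Nightfall-Token"
EXPECTED_TOKEN = "constructed-shared-secret"


def authorize(headers):
    """True only if the delivery carries the configured token (case-insensitive
    header name, constant-time value comparison)."""
    presented = ""
    for name, value in headers.items():
        if name.lower() == AUTH_HEADER.lower():
            presented = value
    return hmac.compare_digest(presented.encode(), EXPECTED_TOKEN.encode())


def parse_event(body):
    """Parse the JSON body and require a known event type. The top-level
    "event" key is an assumption; confirm it with the console's Test button."""
    try:
        payload = json.loads(body)
    except ValueError as exc:
        raise ValueError("body is not valid JSON") from exc
    if not isinstance(payload, dict) or payload.get("event") not in EVENT_TYPES:
        raise ValueError("missing or unknown event type")
    return payload


def handle_delivery(headers, body):
    """Return (http_status, response) as the receiving endpoint would: 401 for a
    bad token, 400 for a bad payload, else 200 with a record for the SIEM."""
    if not authorize(headers):
        return 401, {"error": "unauthorized"}
    try:
        payload = parse_event(body)
    except ValueError as exc:
        return 400, {"error": str(exc)}
    return 200, {"source": "nightfall", "event": payload["event"], "raw": payload}


# Constructed sample delivery; the field layout is not Nightfall's real schema.
SAMPLE_HEADERS = {"Content-Type": "application/json", AUTH_HEADER: EXPECTED_TOKEN}
SAMPLE_BODY = json.dumps({"event": "violation", "integration": "slack"}).encode()
```

Wire handle_delivery into whatever HTTP server fronts your SIEM collector; the 401 path is what protects the endpoint once its URL is known.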