Integrating with SIEM
Learn how to integrate Nightfall with a SIEM or push violations downstream to any alert drain, SOAR tool, BI tool, and more.
To integrate with a SIEM or push Nightfall alerts downstream, specify a webhook URL in your Nightfall console.
First, configure an incoming webhook in the tool you'd like to send Nightfall alerts into. For example, this could be Splunk, Sumo Logic, LogRhythm, Slack, PagerDuty, etc.
For LogRhythm integration, initialize the Webhook Beat by following these instructions.
This process will provide you with an HTTPS URL endpoint (as seen in step 4c). Copy this URL as you will use it to complete set up.
Next, configure the outgoing webhook in Nightfall. This webhook fires in real time when a new event occurs (e.g. a new violation is created).
Navigate to the integration for which you want to set up webhook alerts. Webhooks are available for all native integrations.
Select the Settings tab on the top.
Select Change or Add next to the Webhook option.
Enter the URL to your webhook endpoint.
You may send a sample payload to the endpoint that you have entered to verify a successful connection using the Test button.
You may also add HTTP headers using the Add Headers button, for example to send an authentication token that your receiving endpoint checks before accepting a delivery. Without such a check, anyone who discovers the endpoint URL can post forged events into your SIEM, so treat the header value as a secret and rotate it if it is exposed.
Once a header key and value are entered, you can mask the value in the console by clicking the "lock" icon next to the value field. Click the Save button to persist your changes to the headers.
When you have completed configuring your Webhook URL and Headers, click the Save button.
From then on, Nightfall sends events directly into your SIEM or other solution of choice.
Every message Nightfall sends to the configured webhook includes an event type. Nightfall sends the following four types of events:
exposure_update: triggers when new findings are added to, or existing findings are removed from, the Nightfall Event.
resolution: triggers when the Nightfall Event is resolved.
violation: triggers when a new Nightfall Event is created.
remediation: triggers when a remediation action (e.g. redact, delete) is taken on content in the Nightfall Event.
The following are sample payloads for detection-rule violations, as delivered to the webhook. There is one example per integration, so the specific fields vary with the Nightfall product you are using (e.g. Slack, GitHub, Google Drive, Jira, etc.).
The following are sample payloads for remediations and actions taken on the Nightfall Events above, as delivered to the webhook. Again there is one example per integration, so the specific fields vary with the Nightfall product you are using (e.g. Slack, GitHub, Google Drive, Jira, etc.).
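The receiving side of this setup is where the authentication header from the steps above actually earns its keep. The example below is an added illustration, not Nightfall's code or a Nightfall SDK: a minimal webhook endpoint that rejects deliveries lacking the shared-secret header (compared in constant time), parses the JSON body, and routes each of the four documented event types to a SIEM action. The header name X-Nightfall-Token, the JSON key "event" carrying the event type, and the action names are assumptions for this example; confirm the real field names against the sample payload for your integration.

```python
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Shared secret entered as a header value in the Nightfall console.
# Constructed for this example; load it from a secret store in practice.
WEBHOOK_TOKEN = "replace-with-a-long-random-token"
# Header name is an assumption; any name works as long as both sides match.
AUTH_HEADER = "X-Nightfall-Token"

# The four event types Nightfall documents for webhook deliveries.
KNOWN_EVENTS = {"violation", "exposure_update", "resolution", "remediation"}


def check_token(headers: dict, expected: str = WEBHOOK_TOKEN) -> bool:
    """Constant-time comparison of the presented header against the shared secret.
    Header names are case-insensitive, so normalise before lookup."""
    lowered = {k.lower(): v for k, v in headers.items()}
    presented = lowered.get(AUTH_HEADER.lower(), "")
    return hmac.compare_digest(presented.encode(), expected.encode())


def route_event(payload: dict) -> str:
    """Map a Nightfall event type to the SIEM/SOAR action it should trigger.
    The 'event' key is an assumption for this example."""
    event = payload.get("event")
    if event not in KNOWN_EVENTS:
        raise ValueError(f"unknown event type: {event!r}")
    return {
        "violation": "open_case",         # new Nightfall Event
        "exposure_update": "update_case", # findings added or removed
        "resolution": "close_case",       # event resolved
        "remediation": "annotate_case",   # redact/delete etc. applied
    }[event]


def handle_webhook(headers: dict, body: bytes) -> tuple:
    """Validate, parse and route one delivery. Returns (HTTP status, response body).
    Auth is checked before the body is parsed so unauthenticated callers
    cannot exercise the JSON parser at all."""
    if not check_token(headers):
        return 401, {"error": "bad token"}
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        return 400, {"error": "invalid json"}
    try:
        action = route_event(payload)
    except ValueError as exc:
        return 400, {"error": str(exc)}
    return 200, {"action": action}


class NightfallHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length)
        status, resp = handle_webhook(dict(self.headers), body)
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(json.dumps(resp).encode())


if __name__ == "__main__":
    # Nightfall requires an HTTPS endpoint, so run this behind a TLS-terminating
    # reverse proxy rather than exposing plain HTTP.
    HTTPServer(("127.0.0.1", 8080), NightfallHandler).serve_forever()
```

The Test button in the console is a convenient way to exercise this handler end to end: a delivery with the right header should return 200, and one sent from the console before the header is configured should be refused with 401.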