Integrating Graylog with Energy SOAR
You can send alerts from Graylog to Energy SOAR automatically. Integration with your instance of Energy SOAR only needs the URL and API key.
When configuring Graylog notifications, choose the HTTP Notification type and provide the Energy SOAR URL that Graylog should POST to when an event occurs.
Additionally, depending on what data you are bringing into your Graylog instance, you can customize what data you want to add as observables attached to each alert.
By default, it only adds src_ip and dst_ip as ip type observables (where src_ip and dst_ip are field names from Graylog), but you can add as many as you want. This depends entirely on how you are normalizing your fields in Graylog. For example, you can add: hash, URL, user-agent, filename, FQDN.
You can set the TLP for each observable. This becomes important once you begin running analyzers against your observables: you don't necessarily want to send your sensitive data to all of your configured analyzers, but only to a subset of them. Assigning a TLP to each observable lets you ensure that your Max TLP in Energy SOAR aligns with the TLP you are assigning to your observables.
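The field-to-observable mapping and the TLP gate described above, as an added example that is not code from Graylog or Energy SOAR: it turns a Graylog HTTP-notification payload into an alert with typed, TLP-tagged observables and then lists which analyzers may receive each one. The payload shape, the alert key names, the TLP ordering and the per-analyzer Max TLP values are assumptions, and the sample data is constructed.

```python
import json

# TLP ordering used by the gate below (assumption: white < green < amber < red).
TLP_ORDER = {"white": 0, "green": 1, "amber": 2, "red": 3}

# Graylog field -> (observable type, TLP). src_ip/dst_ip are the defaults named
# on the page; the other rows are assumed examples of normalized fields.
OBSERVABLE_MAP = {
    "src_ip": ("ip", "amber"),
    "dst_ip": ("ip", "amber"),
    "sha256": ("hash", "green"),
    "url": ("url", "amber"),
    "user_agent": ("user-agent", "white"),
}

def build_alert(notification):
    """Map a Graylog notification (assumed shape) to an alert dict with observables.
    Output key names are assumptions, not Energy SOAR's documented schema."""
    event = notification["event"]
    fields = event.get("fields", {})
    observables = []
    for field, (data_type, tlp) in OBSERVABLE_MAP.items():
        value = fields.get(field)
        if value in (None, ""):
            continue  # only fields actually present in this event become observables
        observables.append({"dataType": data_type, "data": value, "tlp": tlp})
    return {
        "title": notification.get("event_definition_title", "Graylog event"),
        "description": event.get("message", ""),
        "source": "graylog",
        "observables": observables,
    }

def allowed_analyzers(observable, analyzers):
    """Return the analyzers whose Max TLP is at or above the observable's TLP."""
    level = TLP_ORDER[observable["tlp"]]
    return [name for name, max_tlp in analyzers.items() if TLP_ORDER[max_tlp] >= level]

# Constructed sample notification, shaped like a Graylog HTTP notification (assumed).
SAMPLE_NOTIFICATION = {
    "event_definition_title": "Suspicious outbound connection",
    "event": {
        "message": "outbound connection to rare destination",
        "fields": {"src_ip": "10.0.0.5", "dst_ip": "203.0.113.7",
                   "sha256": "", "user_agent": "curl/8.0"},
    },
}
# Constructed analyzer Max TLP settings (hypothetical analyzer names).
ANALYZERS = {"public_reputation_lookup": "green", "internal_enrichment": "red"}

if __name__ == "__main__":
    alert = build_alert(SAMPLE_NOTIFICATION)
    print(json.dumps(alert, indent=2))
    for obs in alert["observables"]:
        print(obs["data"], "->", allowed_analyzers(obs, ANALYZERS))
```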