Generic SIEM/SOAR (Webhook)
Overview
Stairwell can push detection events to any HTTP endpoint that accepts JSON, making it straightforward to integrate with your existing SIEM, SOAR, or alerting infrastructure. When a configured event fires -- such as an AV engine match or a YARA rule hit -- Stairwell sends a JSON payload to the webhook URI you provide.
Supported event types:
- AV Scan Match -- An object was flagged by one or more antivirus engines.
- YARA Rule Match (Object Seen) -- A file matching an existing YARA rule was observed on an asset or uploaded by a user.
Each payload includes object hashes (SHA-256, SHA-1, MD5), file size, a direct link to the object in the Stairwell UI, the environment where the object was seen, and event-specific details.
Configure a Webhook
- Log in to the Stairwell platform.
- Select the Settings icon in the left navigation.
- Select the Environments tab.
- Locate the desired environment and select its gear icon.
- Select the Event Notifications tab.
- Select Add New Splunk Integration (this option is used for any generic webhook, not only Splunk).
- Paste your webhook URI.
- Click Create.
The integration is active immediately. Stairwell will POST JSON to your URI each time a matching event occurs in that environment. Use an HTTPS endpoint and treat the URI itself as a credential: this page documents no signing header or shared secret beyond the URI, so an unguessable path or query token embedded in the URI is the simplest way for your receiver to reject POSTs that did not come from Stairwell.
Payload Schema
AV Scan Match
| Field | Description |
|---|---|
| match_type | "av_scan_match" |
| av_scan_results | Array of objects, each with engine_name and threat_found |
| object_sha256 | SHA-256 hash of the detected file |
| object_sha1 | SHA-1 hash |
| object_md5 | MD5 hash |
| object_size | File size in bytes |
| object_link | Direct URL to the object in Stairwell |
| seen_environment_name | Environment where the object was observed |
| seen_environment_id | Environment ID |
| triggers_settings | Link to the notification settings that fired this event |
| description | Human-readable summary of the event |
YARA Rule Match
Includes all fields above (minus av_scan_results) plus:
| Field | Description |
|---|---|
| match_type | "object_seen" |
| rule_name | Name of the matching YARA rule |
| rule_version | Version number of the rule |
| rule_environment_name | Environment where the rule is defined |
| rule_environment_id | Rule environment ID |
| seen_asset | Hostname of the asset where the file was found |
| seen_file_name | File name on disk |
| seen_file_path | Full file path on the asset |
Testing the Integration
- Configure a webhook pointing to a request-inspection tool such as webhook.site or a local listener (nc -l 8080; some netcat builds need nc -l -p 8080). A hosted inspection service will receive real hostnames and file paths from your environment, so use a listener you control for anything beyond a throwaway test.
- Upload a known-malicious test file (such as the EICAR test file) to the target environment. EICAR exercises the AV Scan Match event; to exercise the YARA Rule Match event, upload a file that matches one of your YARA rules.
- Verify the JSON payload arrives at your endpoint within a few minutes.
- Once confirmed, replace the test URI with your production SIEM/SOAR endpoint.
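The following receiver is an added example, not Stairwell's own code or a Stairwell-provided client. It covers the payload schema above and the test procedure in this section: a standard-library HTTP listener that rejects POSTs lacking a shared token in the URI path (our assumption, since the page documents no signing header), validates the fields listed in the two schema tables, and flattens each event into a single record ready for a SIEM. The SHARED_TOKEN value, the /stairwell/<token> path, the example.invalid links, the "lab" environment, the host and file names, and the severity heuristic are all assumptions; the sample payloads are constructed, with the hashes of the EICAR test file filled in.

```python
"""Stairwell webhook receiver and normaliser (added example, not Stairwell code).
Assumptions not taken from the page: the receiver is served at /stairwell/<SHARED_TOKEN>
so POSTs without the token are dropped, and the flattened record shape is our own."""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

SHARED_TOKEN = "replace-with-a-long-random-token"  # assumption: secret carried in the URI

# Field names come from the payload schema documented on this page.
COMMON_FIELDS = ("match_type", "object_sha256", "object_sha1", "object_md5",
                 "object_size", "object_link", "seen_environment_name",
                 "seen_environment_id", "description")
SPECIFIC_FIELDS = {
    "av_scan_match": ("av_scan_results",),
    "object_seen": ("rule_name", "rule_version", "rule_environment_name",
                    "rule_environment_id", "seen_asset", "seen_file_name",
                    "seen_file_path"),
}


def normalize_event(payload: dict) -> dict:
    """Validate one Stairwell event and flatten it into a SIEM-friendly record.
    Raises ValueError on an unknown match_type or a missing field so that a
    malformed or spoofed POST never becomes a half-populated alert."""
    match_type = payload.get("match_type")
    if match_type not in SPECIFIC_FIELDS:
        raise ValueError(f"unknown match_type: {match_type!r}")
    missing = [f for f in COMMON_FIELDS + SPECIFIC_FIELDS[match_type] if f not in payload]
    if missing:
        raise ValueError(f"{match_type} payload missing fields: {missing}")
    event = {
        "source": "stairwell",
        "event_type": match_type,
        "sha256": payload["object_sha256"].lower(),  # normalise case for SIEM joins
        "sha1": payload["object_sha1"].lower(),
        "md5": payload["object_md5"].lower(),
        "size": int(payload["object_size"]),
        "environment": payload["seen_environment_name"],
        "link": payload["object_link"],
        "summary": payload["description"],
    }
    if match_type == "av_scan_match":
        hits = payload["av_scan_results"]
        event["engines"] = sorted(r["engine_name"] for r in hits)
        event["threats"] = sorted({r["threat_found"] for r in hits})
        # Severity heuristic (our choice): three or more engines agreeing is high.
        event["severity"] = "high" if len(hits) >= 3 else "medium"
    else:  # object_seen: a YARA rule matched on an asset, so record where
        event["rule"] = f"{payload['rule_name']}@v{payload['rule_version']}"
        event["host"] = payload["seen_asset"]
        event["path"] = payload["seen_file_path"]
        event["severity"] = "high"
    return event


class StairwellHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        if self.path != f"/stairwell/{SHARED_TOKEN}":
            self.send_error(404)  # missing or wrong token: reject unauthenticated senders
            return
        length = int(self.headers.get("Content-Length", 0))
        try:
            event = normalize_event(json.loads(self.rfile.read(length)))
        except (ValueError, KeyError, TypeError) as exc:
            self.send_error(400, str(exc))
            return
        print(json.dumps(event))  # stand-in for forwarding to your SIEM/SOAR
        self.send_response(204)
        self.end_headers()


# Constructed sample payloads; the hashes are those of the 68-byte EICAR test file.
SAMPLE_AV = {
    "match_type": "av_scan_match",
    "av_scan_results": [{"engine_name": "EngineA", "threat_found": "EICAR-Test-File"},
                        {"engine_name": "EngineB", "threat_found": "EICAR-Test-File"}],
    "object_sha256": "275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F",
    "object_sha1": "3395856ce81f2b7382dee72602f798b642f14140",
    "object_md5": "44d88612fea8a8f36de82e1278abb02f",
    "object_size": 68,
    "object_link": "https://example.invalid/objects/eicar",  # placeholder URL
    "seen_environment_name": "lab", "seen_environment_id": "env-0001",
    "triggers_settings": "https://example.invalid/settings",  # placeholder URL
    "description": "AV engines flagged an object",
}
SAMPLE_YARA = {**{k: v for k, v in SAMPLE_AV.items() if k != "av_scan_results"},
               "match_type": "object_seen", "rule_name": "eicar_test",
               "rule_version": 2, "rule_environment_name": "lab",
               "rule_environment_id": "env-0001", "seen_asset": "host01",
               "seen_file_name": "eicar.com", "seen_file_path": "C:\\Temp\\eicar.com"}

if __name__ == "__main__":  # run it, then POST SAMPLE_AV / SAMPLE_YARA to the token path
    HTTPServer(("127.0.0.1", 8080), StairwellHandler).serve_forever()
```

Run the file and point the webhook URI (or a curl POST of one of the sample payloads) at http://127.0.0.1:8080/stairwell/<SHARED_TOKEN>; a POST to any other path gets a 404 and never reaches the parser, and a payload missing a documented field gets a 400 rather than a partial alert. Replace the print call with your SIEM or SOAR client, and put TLS in front of the listener before exposing it.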
Use Cases
- SIEM Ingestion -- Forward all detection events to Splunk, Sentinel, Elastic, or Chronicle for correlation with other log sources.
- SOAR Automation -- Trigger playbooks in Tines, Torq, XSOAR, or Swimlane to auto-enrich, quarantine, or escalate detections.
- Alerting -- Route webhooks to PagerDuty, Slack, or email via lightweight middleware for real-time analyst notification.
- Threat Hunting Pipelines -- Feed YARA match events into custom tooling for bulk triage or enrichment workflows.
