Webhooks are a lightweight solution for pushing alerts from your
organization into the platform.
Cases with alerts ingested by webhooks appear in the platform with the same
information as cases with alerts ingested using connectors.
Google recommends using either a connector or a webhook, but not
both from the same source, to avoid duplicates.
Using webhooks is recommended for scenarios where more basic mapping logic is
required. Where advanced mapping logic is required, Google
recommends using connectors because they provide more advanced and flexible
mapping options.
Setting up a webhook for your organization is relatively straightforward.
The following use case focuses on using CrowdStrike as the platform
through which to ingest alerts.
Set up a webhook to ingest alerts
Go to SOAR Settings > Ingestion > Webhooks.
Click Add incoming Webhook.
Enter a name for the new webhook, and choose an environment.
Click Save.
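This example uses CrowdStrike.
After you save the webhook, it appears on the main page.
Copy the webhook URL and note it for later use. You'll need to enter
it in the CrowdStrike platform as the webhook destination.
Note: The URL is no longer visible after you save the webhook, which is why
it is recommended that you copy it over as soon as you create the webhook.
You can create a new URL by clicking Generate New URL if you save without
copying.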
In the Data Mapping section, select Upload JSON sample
(use the sample taken from CrowdStrike).
The next stage is to map the Google Security Operations fields to the
corresponding fields in the CrowdStrike JSON data uploaded on the right-hand
side of the page. For example, select the mandatory Google SecOps alert
field StartTime and then choose Detections.Last.Update. This
appears in the Expression Builder. For more information on how the
Expression Builder feature works, refer to
Using the Expression Builder.
You can further refine this field by adding a function on the right-hand
side, for example, Date Format.
Once the Detections.Last.Format appears in the Expression Builder,
you can click Run to see the results.
This is all you need to do to map a field. You can now select
another alert and the Start time is displayed with a green check to show that
it's mapped.
After you have mapped all the fields you need, click Save and then
enable the webhook.
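An added example, not part of the original page and not Google or CrowdStrike code: a Python pre-flight check that confirms each JSON path you plan to map resolves in your sample and that the StartTime source parses as a timestamp, before you upload the sample. The payload is constructed, the Name and EndTime fields are hypothetical, and normalising to UTC ISO 8601 is an assumption, not the platform's Date Format function.

```python
import json
from datetime import datetime, timezone

# Constructed sample; only the Detections.Last.Update path comes from this page.
SAMPLE = json.loads("""{"Detections": {"Name": "Constructed detection",
  "Last": {"Update": "2025-08-29T10:15:30+02:00"}}}""")

# Mapping plan: alert field -> dotted path. "Name" and "EndTime" are hypothetical.
MAPPING = {"StartTime": "Detections.Last.Update", "Name": "Detections.Name",
           "EndTime": "Detections.Last.Closed"}  # EndTime path is absent from SAMPLE
_MISSING = object()

def resolve(doc, path):
    """Walk a dotted path through nested dicts and lists; _MISSING if a step fails."""
    node = doc
    for key in path.split("."):
        if isinstance(node, dict) and key in node:
            node = node[key]
        elif isinstance(node, list) and key.isdigit() and int(key) < len(node):
            node = node[int(key)]
        else:
            return _MISSING
    return node

def to_utc_iso(value):
    """Normalise an ISO 8601 string or epoch seconds/milliseconds to UTC."""
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        dt = datetime.fromtimestamp(value / 1000 if value > 1e11 else value, tz=timezone.utc)
    else:
        dt = datetime.fromisoformat(str(value).replace("Z", "+00:00"))
        if dt.tzinfo is None:  # assumption: naive timestamps are UTC
            dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def preflight(doc, mapping, time_fields=("StartTime", "EndTime")):
    """Return (resolved values, problems) for a mapping plan against one sample."""
    resolved, problems = {}, []
    for field, path in mapping.items():
        value = resolve(doc, path)
        if value is _MISSING:
            problems.append(f"{field}: path '{path}' not found in sample")
        elif field in time_fields:
            try:
                resolved[field] = to_utc_iso(value)
            except (ValueError, OverflowError, OSError):
                problems.append(f"{field}: {value!r} is not a parseable timestamp")
        else:
            resolved[field] = value
    return resolved, problems
```

Call preflight(SAMPLE, MAPPING) with your own sample and mapping plan; an empty problems list means every planned path resolved and every time field parsed.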
Testing the webhook
The Testing area lets you test the webhook's
end-to-end functionality, including detailed error descriptions if the
webhook isn't working.
In the Testing tab, copy over
the webhook URL that is displayed in the Parameters tab.
Next, upload a JSON file with the relevant data.
Click Run. The results display together with the output.
Configuring CrowdStrike platform
This use case takes you through the steps you need to carry out in
CrowdStrike in order for the webhook to start ingesting alerts into the
Google SecOps platform.
Navigate to the CrowdStrike Falcon dashboard.
Navigate to the Falcon store and install the Webhooks add-on.
Configure the webhook with the name and the webhook URL that you copied
over from the Google SecOps platform and click Save.
Navigate to the Workflows section.
Click Create a Workflow on the top right of the page.
Select a trigger, such as New detection, and click Next.
Next, select Add Action.
In the Customize action section, select Notifications from
the Action type menu and select Call webhook from the
Action menu.
Select the name you added at the beginning and all necessary fields.
Click Finish.
Last updated 2025-08-29 UTC.