StackHawk

Overview

This document provides a detailed guide to integrating StackHawk with Callgoose SQIBS for real-time Incident Management, Incident Auto Remediation, Event-Driven Automation, and other automation purposes. The integration enables automatic creation, updating, and resolution of incidents in Callgoose SQIBS based on alerts triggered in StackHawk. The guide includes steps for setting up alerts in StackHawk, configuring webhook notifications, creating API filters in Callgoose SQIBS, and troubleshooting.

Prerequisites

  • StackHawk Account: Access to StackHawk for creating alerts and managing notifications.
  • Callgoose SQIBS Account: With valid privileges to set up API filters and receive notifications.
  • Webhook/API Endpoint: Available in Callgoose SQIBS to receive alerts from StackHawk.

1. Obtain API Token and Endpoint Details

To integrate with Callgoose SQIBS, you first need to obtain an API token and find the API endpoint details.

2. Debugging and Troubleshooting

You can enable debugging in the API tokens used with StackHawk notifications for troubleshooting purposes.

  • Enable Debugging:
      • You can update the debug value when adding or updating an API token.
      • When API tracking is enabled, logs are stored in the API log section for your review. The debugging option is automatically disabled after 48 hours.
      • When API tracking is turned off, no logs are saved in the API log.
  • Using API Log for Troubleshooting:
      • The API log provides detailed information on all API calls made to Callgoose SQIBS.
      • You can check the JSON values in each API log entry for troubleshooting purposes.
      • Use the information in the API log to create or refine API filters to ensure incidents are created correctly based on the API payloads received.
      • Callgoose SQIBS creates incidents according to your API filter configuration, giving you full control over how alerts from different services trigger incidents and alerts for your support team or automation processes.

3. Configuring StackHawk to Send JSON Payloads

Follow these steps to set up monitoring, alerts, and webhook integrations in StackHawk, ensuring that the JSON payloads generated match the required format for Callgoose SQIBS.

3.1 Integration Steps
  • Log in to StackHawk
      • Navigate to StackHawk and log in with your credentials.
  • Connect Your Application
      • From the StackHawk dashboard, connect your application using the provided integration.
      • Follow the on-screen instructions to complete the setup.
  • Configure the Webhook
      • Click on Integrations in the StackHawk dashboard.
      • Select Generic Webhook.
      • Click on Add Webhook.
  • Set Up Webhook Details
      • Provide a Name and Description for the webhook.
      • Select the applications for which you want to scan data.
      • Choose the scan events that should trigger notifications.
      • In the Auth Header Name, enter: Authorization.
      • In the Auth Header Value, enter: Bearer <Your API Token>.
      • In the Webhook Endpoint URL, paste the endpoint URL provided by Callgoose SQIBS.
      • Ensure the endpoint URL follows the bearer token format.
      • For more details, refer to Callgoose SQIBS API Documentation.
  • Test and Save the Webhook
      • Click on Test Connection to validate the setup.
      • If the test is successful, click on Save.
3.2 Finalizing and Testing
  • Validate the Integration:
      • Trigger the alert condition manually if possible to verify that the correct JSON payload is sent to Callgoose SQIBS.

4. Configuring Callgoose SQIBS

4.1 Create API Filters in Callgoose SQIBS

To correctly map incidents from the StackHawk alerts, you need to create API filters based on the JSON payloads received.

4.1.1 Example JSON Payloads from StackHawk

Alert Triggered

{
  "service": "StackHawk",
  "scanCompleted": {
    "scan": {
      "id": "21a4f2da-740b-40d9-9557-696d8aca6a76",
      "hawkscanVersion": "4.4.0",
      "env": "Development",
      "status": "COMPLETED",
      "application": "Contosso",
      "startedTimestamp": "2021-05-18T00:26:41.892Z",
      "scanURL": "https://app.stackhawk.com/scans/21a4f2da-740b-40d9-9557-696d8aca6a76",
      "tags": [
        {
          "name": "category",
          "value": "${CATEGORY_FROM_ENV:default}"
        }
      ]
    },
    "scanDuration": "1",
    "spiderDuration": "33",
    "completedScanStats": {
      "urlsCount": "5",
      "duration": "34",
      "scanResultsStats": {
        "totalCount": "3",
        "lowCount": "2",
        "mediumCount": "0",
        "highCount": "0",
        "lowTriagedCount": "0",
        "mediumTriagedCount": "1",
        "highTriagedCount": "0"
      }
    },
    "findings": [
      {
        "pluginId": "10106",
        "pluginName": "HTTP Only Site",
        "severity": "Medium",
        "host": "http://localhost:8080",
        "paths": [
          {
            "path": "/test",
            "method": "GET",
            "status": "FALSE_POSITIVE",
            "pathURL": "https://app.stackhawk.com/scans/21a4f2da-740b-40d9-9557-696d8aca6a76/finding/10106/path/61036/message/49"
          }
        ],
        "pathStats": [
          {
            "status": "FALSE_POSITIVE",
            "count": 1
          }
        ],
        "totalCount": "1",
        "category": "HTTP Data Stream Protection",
        "findingURL": "https://app.stackhawk.com/scans/21a4f2da-740b-40d9-9557-696d8aca6a76/finding/10106"
      },
      {
        "pluginId": "10021",
        "pluginName": "X-Content-Type-Options Header Missing",
        "severity": "Low",
        "host": "http://localhost:8080",
        "paths": [
          {
            "path": "",
            "method": "GET",
            "status": "NEW",
            "pathURL": "https://app.stackhawk.com/scans/21a4f2da-740b-40d9-9557-696d8aca6a76/finding/10021/path/32294/message/8"
          },
          {
            "path": "/",
            "method": "GET",
            "status": "NEW",
            "pathURL": "https://app.stackhawk.com/scans/21a4f2da-740b-40d9-9557-696d8aca6a76/finding/10021/path/31943/message/1"
          }
        ],
        "pathStats": [
          {
            "status": "NEW",
            "count": 2
          }
        ],
        "totalCount": "2",
        "category": "Information Leakage",
        "findingURL": "https://app.stackhawk.com/scans/21a4f2da-740b-40d9-9557-696d8aca6a76/finding/10021"
      }
    ]
  }
}

4.2 Configuring API Filters

4.2.1 Integration Templates

If you see a StackHawk integration template in the "Select Integration Template" dropdown in the API filter settings, you can use it to automatically add the necessary Trigger and Resolve filters along with other values. The values added by the template can be modified to customize the integration according to your requirements.

4.2.2 Manually Add/Edit the Filter
  • Trigger Filter (For Creating Incidents):
      • Payload JSON Key: "scanCompleted"."scan"."status"
      • Key Value Contains: [COMPLETED]
      • Map Incident With: null
      • Incident Title From: "service"
      • Incident Description From: Leave this empty unless you want to use a specific key-value from the JSON payload. If a key is entered, only the value for that key will be used as the Incident Description instead of the full JSON. By default, the Incident Description will include the full JSON values.
  • Resolve Filter (For Resolving Incidents):
      • Payload JSON Key: null
      • Key Value Contains: null
      • Incident Mapped With: null

Refer to the API Filter Instructions and FAQ for more details.
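The following added example (not Callgoose SQIBS or StackHawk code) evaluates the trigger filter above against a constructed, trimmed copy of the sample payload, so you can check key paths locally before saving the filter. The "contains" matching semantics and all function names are assumptions made for illustration. It also lists findings that still have untriaged (NEW) paths, since the filter as configured fires on every completed scan and titles each incident with the value of "service".

```python
import json
import re

# Constructed sample: a trimmed version of the "Alert Triggered" payload above.
SAMPLE = json.loads("""
{
  "service": "StackHawk",
  "scanCompleted": {
    "scan": {"id": "21a4f2da-740b-40d9-9557-696d8aca6a76", "status": "COMPLETED"},
    "findings": [
      {"pluginName": "HTTP Only Site", "severity": "Medium",
       "paths": [{"path": "/test", "status": "FALSE_POSITIVE"}]},
      {"pluginName": "X-Content-Type-Options Header Missing", "severity": "Low",
       "paths": [{"path": "", "status": "NEW"}, {"path": "/", "status": "NEW"}]}
    ]
  }
}
""")

def resolve(payload, key_path):
    """Walk a filter key such as "a"."b"."c"; return None if any step is missing."""
    node = payload
    for key in re.findall(r'"([^"]+)"', key_path):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def trigger_matches(payload, key_path, contains):
    """Assumed semantics: fire when the value at key_path contains any listed string."""
    value = resolve(payload, key_path)
    return value is not None and any(c in str(value) for c in contains)

def incident_title(payload, title_key):
    """Value the incident title would be taken from (hypothetical helper)."""
    return resolve(payload, title_key)

def untriaged_findings(payload):
    """Findings with at least one path in status NEW, as (name, severity, count)."""
    out = []
    for finding in resolve(payload, '"scanCompleted"."findings"') or []:
        new = sum(1 for p in finding.get("paths", []) if p.get("status") == "NEW")
        if new:
            out.append((finding["pluginName"], finding["severity"], new))
    return out

if __name__ == "__main__":
    print(trigger_matches(SAMPLE, '"scanCompleted"."scan"."status"', ["COMPLETED"]))
    print(incident_title(SAMPLE, '"service"'), untriaged_findings(SAMPLE))
```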

4.3 Finalizing Setup
  • Save the API Filters:
      • Ensure that the filters are correctly configured and saved in Callgoose SQIBS.
      • Double-check that all key mappings, incident titles, and descriptions are correctly aligned with the payload structure sent by StackHawk.

5. Testing and Validation

5.1 Triggering Alerts
  • Simulate a Monitoring Alert:
      • Trigger a condition in StackHawk that causes an alert (e.g., scan the application).
      • Verify that an incident is created in Callgoose SQIBS with the correct information.

6. Security Considerations

  • API Security: Ensure that the Callgoose SQIBS API endpoint is correctly configured and that the API token is securely stored and used.
  • StackHawk Permissions: Confirm that the webhook in StackHawk has appropriate permissions to send alerts and data to Callgoose SQIBS.

7. Troubleshooting

  • No Incident Created: If no incident is created, verify that the webhook URL in StackHawk is correct and that the JSON payload structure matches the API filters configured in Callgoose SQIBS.
  • Incident Not Resolved: Ensure that the resolve filter in Callgoose SQIBS is correctly configured and that the JSON payload sent by StackHawk matches the expected structure.

8. Conclusion

This guide provides a comprehensive overview of how to integrate StackHawk with Callgoose SQIBS for effective incident management. By following the steps outlined, you can ensure that alerts from StackHawk are automatically reflected as incidents in Callgoose SQIBS, with proper resolution tracking when the issues are resolved.

For further customization or advanced use cases, refer to the official documentation for both StackHawk and Callgoose SQIBS:

This documentation will guide you through the integration process, ensuring that your incidents are managed effectively within Callgoose SQIBS based on real-time alerts from StackHawk.
