# StellarCyber Alerts

In this guide, you will learn how to configure StellarCyber to send specific alerts, including the full raw data, to an external destination using a webhook with **rs\_token Token** authentication.

Sending the full raw alert is essential: it is what makes each alert understandable downstream.

### Prerequisites

* [ ] Admin access level to StellarCyber

### Add the data connector in Radiant Security

1. Log in to [Radiant Security](https://app.radiantsecurity.ai/).
2. From the navigation menu, click **Settings > Data Connectors** and click **+ Add Connector**.
3. Search for and select the **Custom Alerts Webhook** option and then click **Data Feeds**.
4. Click **Credentials**.
5. Under **Credential Name**, give the credential an identifiable name (e.g. `StellarCyber - Credentials`).
6. Under **Required Credentials**, enter a **Connector tag** (e.g. `stellarcyber_webhook_connector`).
7. Click **Add Connector**.
8. On the newly created connector, click **View Details**. Under **Vendor Configuration**, copy the `Webhook URL` and `Token` values. You’ll need them for the **Configure the webhook connector in StellarCyber** section of this guide.
9. Click **Add Connector** to save the changes.

### **Configure the webhook connector in StellarCyber**

Set up the connection between StellarCyber and Radiant Security.

1. Log in to StellarCyber.
2. Navigate to **System > Integrations > Connectors**.
3. Click **Create** and select **Connector**.
4. In the **General Tab**, configure the following:
   * **Category:** Webhook
   * **Type:** Custom
   * **Name:** Radiant\_Security\_Alert\_Ingestion
5. In the **Configuration Tab**, enter the Radiant Security connection details:
   * **Hostname:** Enter your Radiant Security destination URL that you copied from the previous section \[`RADIANT_WEBHOOK_URL`].
   * **Protocol:** HTTPS
   * **Port:** 443
   * **Authentication Type:** Select **Header**
   * **Header Name:** Authorization
   * **Header Value:** Enter the token that you copied from the previous section \[`YOUR_TOKEN`].
6. Click **Submit** to save your connector.

### **Configure the Automated Threat Hunting (ATH) playbook**

Now you'll create an ATH playbook that determines which alerts get sent to Radiant Security for AI-powered triage and investigation.

1. In StellarCyber, navigate to **Respond > Automation**.
2. Click **Create**.
3. Under **Search Criteria**, specify which alerts you want Radiant Security to process:
   * **Indices:** Select **Alerts**
   * **Query:** Enter your filtering logic to determine which alerts will be sent to Radiant Security (e.g. `severity: "Critical" OR msg_class: "malware_detected"`).
4. In the **Action Section**, set up the webhook action:
   * Click **(+) Add Action**
   * **Type:** Select **Webhook Responder**
   * **Connector:** Choose **Radiant\_Security\_Alert\_Ingestion** (the connector you created earlier)
   * **JSON Body:** Copy and paste the [JSON Body template](#json-body-template) from the next section

### **JSON Body template**

Use this template in your playbook's **JSON Body** field. It captures all the essential alert information and includes the complete raw data for Radiant Security's AI to analyze:

```json
{
  "name": "{{_source.msg_class}}",
  "alert_id": "{{_id}}",
  "rule_name": "{{_source.eng_name}}",
  "timestamp": {{_source.timestamp}},
  "raw_alert": {{_source}}
}
```

#### JSON fields explained

* **rule\_name**: This refers to the "Engine Name" that triggered the alert in Stellar Cyber.
* **timestamp**: Sends the timestamp as Unix Epoch in milliseconds (e.g., 1707168000000), which is Stellar Cyber's native format.
* **raw\_alert**: By using `{{_source}}` without quotes, the complete JSON object of the alert is included. This gives Radiant Security's AI access to all fields (IPs, usernames, process paths, etc.) to dynamically build triage logic and provide transparent reasoning and root cause analysis.

{% hint style="warning" %}
**Important note:** Make sure your raw alert includes a **detailed description of what the rule is detecting**. The more context you provide, the better Radiant Security's adaptive AI can triage the alert and correlate it across your data sources.
{% endhint %}
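The quoting choices in the template can be checked locally before saving the playbook. The following is an added example, not Radiant Security or StellarCyber code: it assumes placeholders are substituted as plain text (StellarCyber's own rendering is not reproduced here), and `render`, `check_payload` and the sample alert are constructed for illustration.

```python
import json
import re

# The page's JSON Body template, copied verbatim.
TEMPLATE = '''{
  "name": "{{_source.msg_class}}",
  "alert_id": "{{_id}}",
  "rule_name": "{{_source.eng_name}}",
  "timestamp": {{_source.timestamp}},
  "raw_alert": {{_source}}
}'''

def render(template, hit):
    """Assumed rendering model: each {{path}} is replaced by text.
    Objects are emitted as JSON, scalars as their plain string form."""
    def lookup(match):
        value = hit
        for key in match.group(1).split("."):
            value = value[key]
        return json.dumps(value) if isinstance(value, (dict, list)) else str(value)
    return re.sub(r"\{\{([\w.]+)\}\}", lookup, template)

def check_payload(text):
    """Return a list of problems; an empty list means the body is well formed."""
    try:
        body = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} at line {exc.lineno}"]
    if not isinstance(body, dict):
        return ["top level must be a JSON object"]
    problems = []
    for field in ("name", "alert_id", "rule_name"):
        if not isinstance(body.get(field), str) or not body[field]:
            problems.append(f"{field} must be a non-empty string")
    ts = body.get("timestamp")
    if isinstance(ts, bool) or not isinstance(ts, int) or len(str(ts)) != 13:
        problems.append("timestamp must be Unix epoch milliseconds (13 digits)")
    if not isinstance(body.get("raw_alert"), dict):
        problems.append("raw_alert must be a JSON object, not a quoted string")
    return problems

# Constructed sample alert hit (not real StellarCyber output).
SAMPLE_HIT = {"_id": "example-alert-0001", "_source": {
    "msg_class": "malware_detected", "eng_name": "Example Engine",
    "timestamp": 1707168000000, "srcip": "192.0.2.10"}}

if __name__ == "__main__":
    print(check_payload(render(TEMPLATE, SAMPLE_HIT)))
```

Wrapping `{{_source}}` in quotes makes the rendered body fail to parse under this model, because the alert object's own double quotes end the string early.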

### **Verify that the integration worked**

After you save your ATH playbook, verify that alerts are being delivered successfully to Radiant Security:

1. Navigate to **Respond > Actions > Webhook Actions**.
2. Check the **Response Code** column:
   * **200** or **201** means your alerts are being received by Radiant Security successfully.
   * **401** indicates an authentication issue. Verify that your **Bearer Token** in the Connector settings hasn't expired.


