StellarCyber Alerts

Configure StellarCyber to forward alerts to Radiant Security.

In this guide, you will learn how to configure StellarCyber to send specific alerts, including the full raw data, to an external destination using a webhook with rs_token token authentication.

Access to the full, raw alerts is essential for understanding them.

Prerequisites

Add the data connector in Radiant Security

  1. From the navigation menu, click Settings > Data Connectors and click + Add Connector.

  2. Search for and select the Custom Alerts Webhook option and then click Data Feeds.

  3. Click Credentials.

  4. Under Credential Name, give the credential an identifiable name (e.g. StellarCyber - Credentials).

  5. Under Required Credentials, enter a Connector tag (e.g. stellarcyber_webhook_connector).

  6. Click Add Connector.

  7. On the newly created connector, click View Details. Under Vendor Configuration, copy the Webhook URL and Token value. You’ll need both for the Configure alert actions section of this guide.

  8. Click Add Connector to save the changes.

Configure the webhook connector in StellarCyber

Set up the connection between StellarCyber and Radiant Security.

  1. Log in to StellarCyber.

  2. Navigate to System > Integrations > Connectors.

  3. Click Create and select Connector.

  4. In the General Tab, configure the following:

    • Category: Webhook

    • Type: Custom

    • Name: Radiant_Security_Alert_Ingestion

  5. In the Configuration Tab, enter the Radiant Security connection details:

    • Hostname: Enter your Radiant Security destination URL that you copied from the previous section [RADIANT_WEBHOOK_URL].

    • Protocol: HTTPS

    • Port: 443

    • Authentication Type: Select Header

    • Header Name: Authorization

    • Header Value: Enter the token that you copied from the previous section [YOUR_TOKEN].

  6. Click Submit to save your connector.

Configure the Automated Threat Hunting (ATH) playbook

Now you'll create an ATH playbook that determines which alerts get sent to Radiant Security for AI-powered triage and investigation.

  1. In StellarCyber, navigate to Respond > Automation.

  2. Click Create.

  3. Under Search Criteria, specify which alerts you want Radiant Security to process:

    • Indices: Select Alerts

    • Query: Enter your filtering logic to determine which alerts will be sent to Radiant Security (e.g. severity: "Critical" OR msg_class: "malware_detected").

  4. In the Action Section, set up the webhook action:

    • Click (+) Add Action

    • Type: Select Webhook Responder

    • Connector: Choose Radiant_Security_Alert_Ingestion (the connector you created earlier)

    • JSON Body: Copy and paste the JSON Body template from the next section

JSON Body template

Use this template in your playbook's JSON Body field. It captures all the essential alert information and includes the complete raw data for Radiant Security's AI to analyze:

JSON fields explained

  • timestamp: Sends the timestamp as Unix Epoch in milliseconds (e.g., 1707168000000), which is Stellar Cyber's native format.

  • raw_alert: By using {{_source}} without quotes, the complete JSON object of the alert is included. This gives Radiant Security's AI access to all fields (IPs, usernames, process paths, etc.) to dynamically build triage logic and provide transparent reasoning and root cause analysis.

  • rule_name: This refers to the "Engine Name" that triggered the alert in Stellar Cyber.
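
A pre-flight check for a rendered JSON body, based on the field notes above (an added example, not Radiant Security's or Stellar Cyber's code). It assumes the three fields named in this list are top-level keys of the body; the function name and the sample bodies are constructed for illustration.

```python
import json

# Field names come from the "JSON fields explained" list (assumed top-level).
REQUIRED = ("timestamp", "rule_name", "raw_alert")

def check_rendered_body(body: str) -> list:
    """Return a list of problems found in a rendered webhook JSON body."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        # Typical when {{_source}} is wrapped in quotes: the alert's own
        # quotes end the string early and the body is no longer valid JSON.
        return [f"not valid JSON: {exc.msg} at char {exc.pos}"]
    if not isinstance(doc, dict):
        return ["top level is not a JSON object"]
    problems = [f"missing field: {k}" for k in REQUIRED if k not in doc]
    if "timestamp" in doc:
        ts = doc["timestamp"]
        if isinstance(ts, bool) or not isinstance(ts, int):
            problems.append("timestamp is not an integer")
        elif ts < 10**12:  # epoch seconds have 10 digits, milliseconds 13
            problems.append("timestamp looks like seconds, not milliseconds")
    if "raw_alert" in doc and not isinstance(doc["raw_alert"], dict):
        problems.append("raw_alert is not a JSON object (was {{_source}} quoted?)")
    name = doc.get("rule_name")
    if "rule_name" in doc and not (isinstance(name, str) and name):
        problems.append("rule_name is empty or not a string")
    return problems

# Constructed sample bodies (not captured from a real tenant).
ALERT = {"srcip": "192.0.2.10", "username": "alice"}
GOOD = json.dumps({"timestamp": 1707168000000,
                   "rule_name": "constructed_engine", "raw_alert": ALERT})
# What the body might look like if {{_source}} were placed inside quotes.
QUOTED = ('{"timestamp": 1707168000000, "rule_name": "constructed_engine", '
          '"raw_alert": "{"srcip": "192.0.2.10"}"}')
# Alert serialized to a string and timestamp sent in seconds.
STRINGIFIED = json.dumps({"timestamp": 1707168000,
                          "rule_name": "constructed_engine",
                          "raw_alert": json.dumps(ALERT)})

if __name__ == "__main__":
    for label, body in (("good", GOOD), ("quoted", QUOTED),
                        ("stringified", STRINGIFIED)):
        print(label, check_rendered_body(body) or "ok")
```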

Verify that the integration worked

After you save your ATH playbook, verify that alerts are being delivered successfully to Radiant Security:

  1. Navigate to Respond > Actions > Webhook Actions.

  2. Check the Response Code column:

    • 200 or 201 means your alerts are being received by Radiant Security successfully.

    • 401 indicates an authentication issue. Verify that your Bearer Token in the Connector settings hasn't expired.
