Use these templates to normalize Ghostable audit webhook events in your SIEM.

Event Contract (input)

Ghostable sends JSON payloads with signed headers:
  • X-Ghostable-Timestamp
  • X-Ghostable-Signature
Validate the signature first, then parse the JSON. Common payload fields:
  • id (event id)
  • type (event type)
  • occurred_at (timestamp)
  • organization.id
  • actor.id / actor.email
  • target.project_id / target.environment_id
  • metadata (event-specific context)
Map payloads into a stable schema:
| Normalized field | Source |
| --- | --- |
| event.id | id |
| event.action | type |
| event.created | occurred_at |
| organization.id | organization.id |
| user.id | actor.id |
| user.email | actor.email |
| ghostable.project_id | target.project_id |
| ghostable.environment_id | target.environment_id |
| ghostable.force_overwrite | metadata.force_overwrite |
| ghostable.conflicts | metadata.conflicts (if available) |

Datadog Template

  1. Create an HTTP intake endpoint (or intermediary worker).
  2. Verify signature before forwarding to Datadog Logs intake.
  3. Add pipeline remappers:
    • type -> event.action
    • id -> event.id
    • organization.id -> organization.id
    • actor.email -> usr.email
  4. Create monitors:
    • high rate of push_force_overwrite
    • webhook delivery failures
    • repeated version conflicts
Example Datadog facets to enable:
  • event.action
  • organization.id
  • ghostable.environment_id
  • usr.email

Splunk Template

Use sourcetype=ghostable:audit and JSON extraction. Suggested field aliases:
  • event_id = id
  • event_type = type
  • org_id = organization.id
  • actor_email = actor.email
Example SPL alerts:
index=security sourcetype=ghostable:audit type=push_force_overwrite
| stats count by organization.id, actor.email
| where count > 5

index=security sourcetype=ghostable:audit type=version_conflict
| timechart span=15m count by organization.id

Elastic Template

Map to ECS-compatible fields where possible:
  • id -> event.id
  • type -> event.action
  • occurred_at -> @timestamp
  • actor.email -> user.email
  • organization.id -> organization.id
Recommended ingest pipeline processors:
  1. json processor (if body wrapped as string)
  2. date processor for occurred_at
  3. rename processors for ECS fields
  4. set processor for event.dataset=ghostable.audit
Example KQL:
event.dataset:"ghostable.audit" and event.action:"push_force_overwrite"

Operational Checks

  • Validate signatures and enforce timestamp drift checks before ingest.
  • Deduplicate by id to reduce replay noise.
  • Keep a dashboard for:
    • overwrite activity (push_force_overwrite)
    • conflict frequency (version_conflict)
    • webhook delivery reliability, using the Ghostable metrics endpoint.
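
An added example (not Ghostable's own code) of the normalized-schema mapping from the Event Contract section together with the timestamp drift and id de-duplication checks listed above, as an intermediary worker might apply them after X-Ghostable-Signature has been verified. It assumes X-Ghostable-Timestamp carries Unix epoch seconds and a 300-second tolerance; the names dig, normalize and Ingest are hypothetical.

```python
# Normalized field -> source path, copied from the mapping table on this page.
FIELD_MAP = {
    "event.id": "id",
    "event.action": "type",
    "event.created": "occurred_at",
    "organization.id": "organization.id",
    "user.id": "actor.id",
    "user.email": "actor.email",
    "ghostable.project_id": "target.project_id",
    "ghostable.environment_id": "target.environment_id",
    "ghostable.force_overwrite": "metadata.force_overwrite",
    "ghostable.conflicts": "metadata.conflicts",
}
MAX_DRIFT_SECONDS = 300  # assumed tolerance; the page does not give a value

def dig(payload, dotted):
    """Walk a dotted path; return None when any segment is missing."""
    node = payload
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def normalize(payload):
    """Flatten a payload into the normalized schema, skipping absent fields."""
    found = ((dst, dig(payload, src)) for dst, src in FIELD_MAP.items())
    return {dst: val for dst, val in found if val is not None}

class Ingest:
    """Drift check and id de-duplication for signature-verified events."""
    def __init__(self):
        self.seen = set()  # in-memory; use a shared store with expiry in production

    def accept(self, payload, timestamp_header, now):
        # Assumption: X-Ghostable-Timestamp carries Unix epoch seconds.
        try:
            sent = int(timestamp_header)
        except (TypeError, ValueError):
            return None, "bad_timestamp"
        if abs(now - sent) > MAX_DRIFT_SECONDS:
            return None, "timestamp_drift"
        event_id = payload.get("id")
        if not event_id:
            return None, "missing_id"
        if event_id in self.seen:
            return None, "duplicate"
        self.seen.add(event_id)
        return normalize(payload), "ok"
```

Forward only events whose status is "ok"; counting the other statuses per organization gives a direct measure of replay and clock-skew noise.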