Use these templates to normalize Ghostable audit webhook events in your SIEM.

Event Contract (input)

Ghostable sends JSON payloads with signed headers:
  • X-Ghostable-Timestamp
  • X-Ghostable-Signature
Validate signature first, then parse JSON. Common payload fields:
  • id (event id)
  • type (event type)
  • occurred_at (timestamp)
  • organization.id
  • actor.id / actor.email
  • target.project_id / target.environment_id
  • metadata (event-specific context)
Map payloads into a stable schema:

  Normalized field            Source
  event.id                    id
  event.action                type
  event.created               occurred_at
  organization.id             organization.id
  user.id                     actor.id
  user.email                  actor.email
  ghostable.project_id        target.project_id
  ghostable.environment_id    target.environment_id
  ghostable.force_overwrite   metadata.force_overwrite
  ghostable.conflicts         metadata.conflicts (if available)

Datadog Template

  1. Create an HTTP intake endpoint (or intermediary worker).
  2. Verify signature before forwarding to Datadog Logs intake.
  3. Add pipeline remappers:
    • type -> event.action
    • id -> event.id
    • organization.id -> organization.id
    • actor.email -> usr.email
  4. Create monitors:
    • high rate of push_force_overwrite
    • webhook delivery failures
    • repeated version conflicts
Example Datadog facets to enable:
  • event.action
  • organization.id
  • ghostable.environment_id
  • usr.email

Splunk Template

Use sourcetype=ghostable:audit and JSON extraction. Suggested field aliases:
  • event_id = id
  • event_type = type
  • org_id = organization.id
  • actor_email = actor.email
Example SPL alerts:

  index=security sourcetype=ghostable:audit type=push_force_overwrite
  | stats count by organization.id, actor.email
  | where count > 5

  index=security sourcetype=ghostable:audit type=version_conflict
  | timechart span=15m count by organization.id

Elastic Template

Map to ECS-compatible fields where possible:
  • id -> event.id
  • type -> event.action
  • occurred_at -> @timestamp
  • actor.email -> user.email
  • organization.id -> organization.id
Recommended ingest pipeline processors:
  1. json processor (if body wrapped as string)
  2. date processor for occurred_at
  3. rename processors for ECS fields
  4. set processor for event.dataset=ghostable.audit
Example KQL:
event.dataset:"ghostable.audit" and event.action:"push_force_overwrite"

Operational Checks

  • Validate signatures and enforce timestamp drift checks before ingest.
  • Deduplicate by id to reduce replay noise.
  • Keep a dashboard for:
    • overwrite activity (push_force_overwrite)
    • conflict frequency (version_conflict)
    • webhook delivery reliability, using the Ghostable metrics endpoint.
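The intermediary worker implied by the Event Contract and the Operational Checks above, as an added example (not Ghostable's own code): it verifies the signed headers before parsing, enforces a timestamp drift window, maps the payload onto the stable schema from the table, and drops duplicate ids. The signature scheme (hex HMAC-SHA256 over "<timestamp>.<body>") and the 300-second drift window are assumptions, since the page does not state them.

```python
import hashlib, hmac, json, time

# Assumed scheme (the page does not state one): hex HMAC-SHA256 over
# "<timestamp>.<raw body>" with the shared webhook secret. Adjust to the real one.
def sign(secret: bytes, timestamp: str, body: bytes) -> str:
    return hmac.new(secret, timestamp.encode() + b"." + body, hashlib.sha256).hexdigest()

def verify_signature(secret: bytes, timestamp: str, body: bytes, signature: str) -> bool:
    # Constant-time compare so the check does not leak the expected digest.
    return hmac.compare_digest(sign(secret, timestamp, body), signature)

def within_drift(timestamp: str, now: float, max_drift_s: int = 300) -> bool:
    # Reject stale or future-dated deliveries (limits replay of captured requests).
    try:
        return abs(now - int(timestamp)) <= max_drift_s
    except ValueError:
        return False
def normalize(payload: dict) -> dict:
    """Map a Ghostable audit payload onto the stable schema from the table above."""
    actor, target, meta = (payload.get(k) or {} for k in ("actor", "target", "metadata"))
    event = {
        "event.id": payload["id"],
        "event.action": payload["type"],
        "event.created": payload["occurred_at"],
        "organization.id": payload["organization"]["id"],
        "user.id": actor.get("id"),
        "user.email": actor.get("email"),
        "ghostable.project_id": target.get("project_id"),
        "ghostable.environment_id": target.get("environment_id"),
        "ghostable.force_overwrite": meta.get("force_overwrite"),
    }
    if "conflicts" in meta:  # only present on some event types
        event["ghostable.conflicts"] = meta["conflicts"]
    return event
class WebhookIngest:
    def __init__(self, secret: bytes, now=time.time):
        self.secret, self.now, self.seen_ids = secret, now, set()
    def handle(self, headers: dict, body: bytes):
        ts = headers.get("X-Ghostable-Timestamp", "")
        sig = headers.get("X-Ghostable-Signature", "")
        if not verify_signature(self.secret, ts, body, sig):
            return None  # bad signature: drop before touching the JSON
        if not within_drift(ts, self.now()):
            return None  # outside the allowed drift window
        event = normalize(json.loads(body))
        if event["event.id"] in self.seen_ids:
            return None  # replayed or duplicate delivery
        self.seen_ids.add(event["event.id"])
        return event
```

The returned dict uses the normalized field names directly, so it can be forwarded as-is to the Datadog, Splunk or Elastic pipelines described above.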