Integration Runbooks
Use RootFetch as a verifiable structural layer inside existing SOC and analyst stacks.
These runbooks do not replace your current platform. They add immutable run evidence, compare links, and manifest-backed citations to existing workflows.
Common Compare Primitive
Generate compare links from immutable run IDs.
curl -sS "https://rootfetch.com/mcp" \
-X POST \
-H "content-type: application/json" \
-H "accept: application/json, text/event-stream" \
--data '{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"rootfetch.compare_link","arguments":{"left":"<left_run_id>","right":"<right_run_id>"}}}'

Splunk Runbook
Attach RootFetch run-pair evidence to existing detections and reports.
| makeresults | eval rootfetch_compare_url="https://rootfetch.com/compare?left=<left_run_id>&right=<right_run_id>" | eval rootfetch_run_left="<left_run_id>" | eval rootfetch_run_right="<right_run_id>" | table rootfetch_run_left rootfetch_run_right rootfetch_compare_url
Microsoft Sentinel Runbook
Use a small KQL helper block for analyst pivots and incident context.
let left_run = "<left_run_id>";
let right_run = "<right_run_id>";
print
rootfetch_left_run = left_run,
rootfetch_right_run = right_run,
rootfetch_compare = strcat("https://rootfetch.com/compare?left=", left_run, "&right=", right_run)

SOAR Webhook Runbook
Send immutable run-pair evidence through existing webhook automations.
{
"source": "rootfetch",
"kind": "structural_compare",
"left_run_id": "<left_run_id>",
"right_run_id": "<right_run_id>",
"compare_url": "https://rootfetch.com/compare?left=<left_run_id>&right=<right_run_id>",
"evidence": {
"left_manifest": "https://rootfetch.com/rootfetch/artifacts/runs/<left_run_id>/manifest.json",
"right_manifest": "https://rootfetch.com/rootfetch/artifacts/runs/<right_run_id>/manifest.json"
}
}
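The compare primitive above and the SOAR webhook payload share the same three building blocks: a JSON-RPC body for the rootfetch.compare_link tool call, a compare URL, and the two manifest URLs. The following Python helpers are an added example, not RootFetch's own client, and they assume only what the runbooks show (the https://rootfetch.com/mcp endpoint, the tool name, the /compare?left=..&right=.. URL shape and the manifest.json artifact paths). Two things are assumptions of this example rather than facts from the page: the run-id character set, which is restricted to URL-safe characters so that an id lifted from an untrusted alert field cannot alter the URL path or query, and the response handling, which accepts either a plain JSON body or an SSE stream because the curl sends both `application/json` and `text/event-stream` in its accept header. The sample responses at the bottom are constructed for the demonstration.

```python
"""Helpers for the RootFetch compare primitive and SOAR webhook payload.

Added example, not RootFetch's own code. Only the endpoint, tool name and
URL shapes come from the runbooks; everything else is an assumption.
"""
import json
import re
from urllib.parse import quote, urlencode

MCP_ENDPOINT = "https://rootfetch.com/mcp"
BASE = "https://rootfetch.com"

# Assumed run-id shape (the runbooks only show placeholders). Limiting ids to
# URL-safe characters keeps an untrusted id from adding path segments or extra
# query parameters to the URLs built below. Defensive assumption, not a
# RootFetch rule.
_RUN_ID = re.compile(r"^[A-Za-z0-9._-]{1,128}$")


def is_valid_run_id(run_id) -> bool:
    return isinstance(run_id, str) and bool(_RUN_ID.match(run_id))


def check_run_id(run_id: str) -> str:
    if not is_valid_run_id(run_id):
        raise ValueError(f"invalid run id: {run_id!r}")
    return run_id


def compare_request(left: str, right: str, request_id: int = 1) -> dict:
    """JSON-RPC body matching the curl in the Common Compare Primitive."""
    return {
        "jsonrpc": "2.0",
        "id": request_id,
        "method": "tools/call",
        "params": {
            "name": "rootfetch.compare_link",
            "arguments": {"left": check_run_id(left), "right": check_run_id(right)},
        },
    }


def compare_url(left: str, right: str) -> str:
    # urlencode preserves insertion order, so the query reads left=..&right=..
    return f"{BASE}/compare?" + urlencode(
        {"left": check_run_id(left), "right": check_run_id(right)}
    )


def manifest_url(run_id: str) -> str:
    return f"{BASE}/rootfetch/artifacts/runs/{quote(check_run_id(run_id), safe='')}/manifest.json"


def webhook_payload(left: str, right: str) -> dict:
    """Same shape as the SOAR Webhook Runbook payload."""
    return {
        "source": "rootfetch",
        "kind": "structural_compare",
        "left_run_id": check_run_id(left),
        "right_run_id": check_run_id(right),
        "compare_url": compare_url(left, right),
        "evidence": {
            "left_manifest": manifest_url(left),
            "right_manifest": manifest_url(right),
        },
    }


def parse_mcp_response(content_type: str, body: str, expected_id: int = 1) -> dict:
    """Return the JSON-RPC result for our request id.

    The curl accepts both application/json and text/event-stream, and the MCP
    Streamable HTTP transport lets the server answer in either framing, so a
    client has to handle both. Raises on a JSON-RPC error object or when no
    message carries the expected id (assumed single-line SSE data fields).
    """
    messages = []
    if content_type.startswith("text/event-stream"):
        for line in body.splitlines():
            if line.startswith("data:"):
                messages.append(json.loads(line[5:].strip()))
    else:
        messages.append(json.loads(body))
    for msg in messages:
        if msg.get("jsonrpc") != "2.0" or msg.get("id") != expected_id:
            continue  # notifications or other ids are not our answer
        if "error" in msg:
            raise RuntimeError(f"rootfetch error: {msg['error']}")
        return msg["result"]
    raise RuntimeError("no JSON-RPC response with the expected id")


# Constructed sample responses (not captured from RootFetch) in the two framings.
SAMPLE_JSON = (
    '{"jsonrpc":"2.0","id":1,"result":{"content":[{"type":"text",'
    '"text":"https://rootfetch.com/compare?left=run-a&right=run-b"}]}}'
)
SAMPLE_SSE = "event: message\ndata: " + SAMPLE_JSON + "\n\n"
SAMPLE_ERROR = '{"jsonrpc":"2.0","id":1,"error":{"code":-32602,"message":"unknown run"}}'

if __name__ == "__main__":
    print(json.dumps(compare_request("run-a", "run-b")))
    print(json.dumps(webhook_payload("run-a", "run-b"), indent=2))
    print(parse_mcp_response("text/event-stream", SAMPLE_SSE))
```

To send the request for real, post `json.dumps(compare_request(left, right))` to MCP_ENDPOINT with the same headers as the curl and hand the response's Content-Type and body to `parse_mcp_response`; the webhook payload is what goes to the SOAR automation, and the validated ids are the same values the Splunk and Sentinel snippets take as `<left_run_id>` and `<right_run_id>`.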