i would like to achieve, without rules on ESA , alerts need to be pushed to orchestrator
example:- all malicious url which is represented by SA , need automate to check URL reputation in rsa orchestrator
Can anyone help please
If you aren't using ESA for alerts, where are your alerts coming from? RE > Alerts?
If your ‘alerts' are queries or meta drills then use the integration from orchestrator to query for that drill and pul l those events into Orchestrator and check the URL against your references. I would doubt that using this as a means to perform ‘proxy' like reputation checking at scale is the best idea… probabaly better ways to do that. If your checking is for a limited numbers then you might be able to get away with it.
If you aren't using IM or Respond then you aren't going to ‘push' anything to Orchestrator. It will be a pull from Orchestrator based on a query criteria to potentially create an incident based on information you grab.
Retrieving data ...