SOCRadar Incidents

This Integration is part of the SOCRadar Pack.

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

Fetches SOCRadar incidents with the desired parameters so that relevant actions can be taken on those incidents from Cortex XSOAR. This integration was integrated and tested with v21.11 of SOCRadar.

Configure SOCRadarIncidents on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for SOCRadarIncidents.

  3. Click Add instance to create and configure a new integration instance.

    | Parameter | Description | Required |
    | --- | --- | --- |
    | API Key | The API Key to use for connection to SOCRadar. | True |
    | Fetch incidents | Enable fetch incidents. | False |
    | insecure | Trust any certificate (not secure) | False |
    | Use system proxy settings | Whether to use XSOAR’s system proxy settings to connect to the API. | False |
    | First Fetch Time | Date or relative timestamp to start fetching incidents from. | False |
    | Company ID | Company ID in SOCRadar to fetch incidents. | True |
    | Severity Level | Select severity level(s) of incidents to fetch. Leave blank to fetch all. | False |
    | Maximum number of incidents to fetch | Maximum number of incidents to fetch in each integration execution interval. | False |
    | Resolution Status | Fetch incidents by resolution status (All, Resolved, Not Resolved) | False |
    | FP Status | Fetch incidents by false positive status (All, FP, Not FP) | False |
    | Incident Main Type | Fetch incidents which belong to this particular main type. | False |
    | Incident Sub Type | Fetch incidents which belong to this particular sub type. | False |

  4. Click Test to validate the API key and the connection to SOCRadar.

How to obtain a SOCRadar Incident API key?

Every company has a unique API key in the SOCRadar platform. This API key can be used to access the various API endpoints that SOCRadar provides.

You can obtain your company's API key from your company's settings page by navigating to the API Options tab. The API key can also be regenerated by using the Actions button under the API keys panel.

For further information about SOCRadar API keys, please see the SOCRadar API documentation.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

socradar-mark-incident-fp

Marks an incident as false positive in the SOCRadar platform.

Base Command

socradar-mark-incident-fp

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| socradar_incident_id | SOCRadar Incident ID to be marked as false positive. | Required |
| comments | Comments about the false positive action over the incident. | Optional |

Context Output

There is no context output for this command.

Command Example

!socradar-mark-incident-fp socradar_incident_id=29051453 comments="This incident is FP."

Human Readable Output

SOCRadar API Response: False positive action has been successfully taken. Affected incident IDs: 29051453

socradar-mark-incident-resolved

Marks an incident as resolved in the SOCRadar platform.

Base Command

socradar-mark-incident-resolved

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| socradar_incident_id | SOCRadar Incident ID to be marked as resolved. | Required |
| comments | Comments about the resolve action over the incident. | Optional |

Context Output

There is no context output for this command.

Command Example

!socradar-mark-incident-resolved socradar_incident_id=29051453 comments="Incident has been resolved."

Human Readable Output

SOCRadar API Response: Incident has been successfully resolved. Affected incident IDs: 29051453
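As an added example (not part of the SOCRadar pack or its integration code), the following applies the instance fetch parameters from the configuration table (First Fetch Time, Severity Level, Resolution Status, FP Status, Incident Main/Sub Type, maximum number of incidents) to a constructed batch of incidents, and parses the "Affected incident IDs" line that both commands above return. The incident field names, the ISO 8601 date format and the sample data are assumptions, not SOCRadar's real schema.

```python
import re
from datetime import datetime

# Constructed sample incidents; field names are assumed, not SOCRadar's schema.
SAMPLE_INCIDENTS = [
    {"id": 29051453, "severity": "HIGH", "is_resolved": False,
     "is_false_positive": False, "main_type": "Brand Protection",
     "sub_type": "Phishing", "date": "2021-11-02T10:00:00Z"},
    {"id": 29051454, "severity": "LOW", "is_resolved": True,
     "is_false_positive": False, "main_type": "Data Leakage",
     "sub_type": "Credential Leak", "date": "2021-11-03T08:30:00Z"},
    {"id": 29051455, "severity": "HIGH", "is_resolved": False,
     "is_false_positive": True, "main_type": "Brand Protection",
     "sub_type": "Rogue App", "date": "2021-10-20T12:00:00Z"},
]


def _parse_ts(value):
    # Assumed ISO 8601 with a trailing "Z" for UTC.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def filter_incidents(incidents, first_fetch, severities=None, resolution="All",
                     fp_status="All", main_type=None, sub_type=None, max_fetch=50):
    """Select incidents the same way the instance parameters narrow a fetch:
    oldest first, starting at first_fetch, at most max_fetch per run."""
    start = _parse_ts(first_fetch)
    selected = []
    for inc in sorted(incidents, key=lambda i: _parse_ts(i["date"])):
        if _parse_ts(inc["date"]) < start:
            continue
        if severities and inc["severity"] not in severities:
            continue
        if resolution == "Resolved" and not inc["is_resolved"]:
            continue
        if resolution == "Not Resolved" and inc["is_resolved"]:
            continue
        if fp_status == "FP" and not inc["is_false_positive"]:
            continue
        if fp_status == "Not FP" and inc["is_false_positive"]:
            continue
        if main_type and inc["main_type"] != main_type:
            continue
        if sub_type and inc["sub_type"] != sub_type:
            continue
        selected.append(inc)
        if len(selected) >= max_fetch:
            break  # honour "Maximum number of incidents to fetch"
    return selected


def parse_affected_ids(response_text):
    """Extract the incident IDs from the command's human readable output."""
    match = re.search(r"Affected incident IDs:\s*([\d,\s]+)$", response_text.strip())
    if not match:
        return []
    return [int(x) for x in match.group(1).split(",") if x.strip()]
```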