# SOCRadar Incidents

This Integration is part of the SOCRadar Pack.

#### Supported versions
Supported Cortex XSOAR versions: 6.0.0 and later.
Fetches SOCRadar incidents with desired parameters so that relevant actions over the incidents can be taken by using Cortex XSOAR. This integration was integrated and tested with v21.11 of SOCRadar.
## Configure SOCRadarIncidents on Cortex XSOAR

1. Navigate to Settings > Integrations > Servers & Services.
2. Search for SOCRadarIncidents.
3. Click Add instance to create and configure a new integration instance.

| Parameter | Description | Required |
| --- | --- | --- |
| API Key | The API Key to use for connection to SOCRadar. | True |
| Fetch incidents | Enable fetch incidents. | False |
| insecure | Trust any certificate (not secure). | False |
| Use system proxy settings | Whether to use XSOAR's system proxy settings to connect to the API. | False |
| First Fetch Time | Date or relative timestamp to start fetching incidents from. | False |
| Company ID | Company ID in SOCRadar to fetch incidents. | True |
| Severity Level | Select severity level(s) of incidents to fetch. Leave blank to fetch all. | False |
| Maximum number of incidents to fetch | Maximum number of incidents to fetch in each integration execution interval. | False |
| Resolution Status | Fetch incidents by resolution status (All, Resolved, Not Resolved). | False |
| FP Status | Fetch incidents by false positive status (All, FP, Not FP). | False |
| Incident Main Type | Fetch incidents which belong to this particular main type. | False |
| Incident Sub Type | Fetch incidents which belong to this particular sub type. | False |

4. Click Test to validate the API key and the connection to SOCRadar.

Leave "Trust any certificate (not secure)" unchecked unless you are deliberately accepting the risk: it disables TLS certificate verification for the SOCRadar connection, so the company API key would be sent to anyone able to intercept the session.
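The fetch filters in the table above compose as follows. The block below is an added illustration written for this page, not the SOCRadar pack's own fetch code: the incident field names (`id`, `created`, `severity`, `resolved`, `fp`, `main_type`, `sub_type`), the ISO-8601 form of `first_fetch`, and the `last_run` bookkeeping are assumptions, and the sample incidents are constructed. It shows how the severity, resolution, FP and type filters narrow a fetch, how Maximum number of incidents cuts the page, and how a last-run marker stops a cut page from re-fetching the same incident on the next interval.

```python
import json
from datetime import datetime, timezone

# Constructed sample incidents for this illustration; not real SOCRadar output.
# Field names are assumed for the example and may differ from the real payload.
SAMPLE_INCIDENTS = [
    {"id": 29051450, "created": "2021-11-01T08:00:00Z", "severity": "HIGH",
     "resolved": False, "fp": False, "main_type": "PHISHING", "sub_type": "DOMAIN"},
    {"id": 29051451, "created": "2021-11-01T09:00:00Z", "severity": "LOW",
     "resolved": True, "fp": False, "main_type": "PHISHING", "sub_type": "DOMAIN"},
    {"id": 29051452, "created": "2021-11-01T10:00:00Z", "severity": "MEDIUM",
     "resolved": False, "fp": True, "main_type": "LEAK", "sub_type": "CREDENTIAL"},
    {"id": 29051453, "created": "2021-11-02T11:00:00Z", "severity": "HIGH",
     "resolved": False, "fp": False, "main_type": "PHISHING", "sub_type": "URL"},
    {"id": 29051454, "created": "2021-11-03T12:00:00Z", "severity": "HIGH",
     "resolved": False, "fp": False, "main_type": "PHISHING", "sub_type": "DOMAIN"},
]


def _ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample data (assumed format)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def matches(incident, params):
    """Apply the instance filters. An empty or missing filter means 'fetch all'."""
    severities = params.get("severity") or []
    if severities and incident["severity"] not in severities:
        return False
    resolution = params.get("resolution_status", "All")
    if resolution == "Resolved" and not incident["resolved"]:
        return False
    if resolution == "Not Resolved" and incident["resolved"]:
        return False
    fp_status = params.get("fp_status", "All")
    if fp_status == "FP" and not incident["fp"]:
        return False
    if fp_status == "Not FP" and incident["fp"]:
        return False
    for key in ("main_type", "sub_type"):
        if params.get(key) and incident[key] != params[key]:
            return False
    return True


def to_xsoar_incident(incident):
    """The shape XSOAR expects from fetch-incidents: name, occurred, rawJSON."""
    return {
        "name": f"SOCRadar Incident {incident['id']}",
        "occurred": incident["created"],
        "rawJSON": json.dumps(incident),
    }


def fetch_incidents(incidents, params, last_run):
    """One fetch cycle over an already-retrieved incident list.

    last_run carries the newest 'created' time fetched so far and the IDs seen
    at exactly that time, so an incident is never returned twice even when
    several share a timestamp or the page is cut by max_fetch.
    """
    start = _ts(last_run["time"]) if last_run.get("time") else _ts(params["first_fetch"])
    seen = set(last_run.get("ids", []))
    candidates = [
        inc for inc in incidents
        if matches(inc, params) and _ts(inc["created"]) >= start and inc["id"] not in seen
    ]
    candidates.sort(key=lambda inc: (_ts(inc["created"]), inc["id"]))
    selected = candidates[: params.get("max_fetch", 50)]
    if not selected:
        return [], last_run
    newest = max(_ts(inc["created"]) for inc in selected)
    ids_at_newest = {inc["id"] for inc in selected if _ts(inc["created"]) == newest}
    if newest == start:
        ids_at_newest |= seen  # still on the same timestamp: keep the earlier IDs too
    new_last_run = {"time": newest.strftime("%Y-%m-%dT%H:%M:%SZ"), "ids": sorted(ids_at_newest)}
    return [to_xsoar_incident(inc) for inc in selected], new_last_run


if __name__ == "__main__":
    # Instance settings as they would be entered in the table above.
    params = {"first_fetch": "2021-11-01T00:00:00Z", "severity": ["HIGH"],
              "resolution_status": "Not Resolved", "fp_status": "Not FP",
              "main_type": "PHISHING", "sub_type": None, "max_fetch": 2}
    last_run = {}
    for cycle in range(3):
        fetched, last_run = fetch_incidents(SAMPLE_INCIDENTS, params, last_run)
        print(cycle, [f["name"] for f in fetched], last_run)
```

With max_fetch set to 2, the first cycle returns two of the three matching incidents and records the second one's timestamp and ID; the next cycle resumes from that marker and returns only the third, and the cycle after that returns nothing and leaves the marker untouched.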
## How to obtain a SOCRadar Incident API key

Every company has a unique API key in the SOCRadar platform. This API key can be used to access the various API endpoints that SOCRadar provides.

You can obtain your company's API key from your company's settings page by navigating to the API Options tab. The API key can also be regenerated by using the Actions button under the API keys panel.

Treat the key as a company-wide secret: it is shared by the whole company and authorizes every endpoint it covers, so store it only in the instance's API Key parameter rather than in playbook inputs or automation arguments.

For further information about SOCRadar API keys, see the SOCRadar API documentation.
## Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

### socradar-mark-incident-fp

Marks an incident as a false positive in the SOCRadar platform.

#### Base Command

`socradar-mark-incident-fp`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| socradar_incident_id | SOCRadar Incident ID to be marked as false positive. | Required |
| comments | Comments about the false positive action over the incident. | Optional |

#### Context Output

There is no context output for this command.

#### Command Example

```
!socradar-mark-incident-fp socradar_incident_id=29051453 comments="This incident is FP."
```

#### Human Readable Output

SOCRadar API Response: False positive action has been successfully taken. Affected incident IDs: 29051453

### socradar-mark-incident-resolved

Marks an incident as resolved in the SOCRadar platform.

#### Base Command

`socradar-mark-incident-resolved`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| socradar_incident_id | SOCRadar Incident ID to be marked as resolved. | Required |
| comments | Comments about the resolved action over the incident. | Optional |

#### Context Output

There is no context output for this command.

#### Command Example

```
!socradar-mark-incident-resolved socradar_incident_id=29051453 comments="Incident has been resolved."
```

#### Human Readable Output

SOCRadar API Response: Incident has been successfully resolved. Affected incident IDs: 29051453