
SOCRadar Incidents Multi-Tenant

This Integration is part of the SOCRadar Pack.

Supported versions

Supported Cortex XSOAR versions: 6.10.0 and later.

SOCRadar Incidents v4.0 Multi-Tenant

Fetch and manage security incidents from multiple companies using SOCRadar's Multi-Tenant Incident API. Designed for MSPs, MSSPs, and organizations managing multiple subsidiaries.

Overview

SOCRadar is a digital risk protection platform that provides extended threat intelligence and brand protection capabilities. This Multi-Tenant integration enables XSOAR to ingest security incidents from multiple companies through a single integration instance, including:

  • Brand Protection: Impersonating domains, phishing attacks, brand abuse
  • Cyber Threat Intelligence: Stolen credentials, data leaks, malware infections
  • Attack Surface Management: External exposure findings, misconfigurations
  • Dark Web Intelligence: Compromised credentials, leaked data from dark web sources
  • Supply Chain Security: Third-party risks and vendor security issues

Multi-Tenant Features

Centralized Multi-Company Management

  • Single Integration: Monitor incidents from all your companies through one integration instance
  • Company Tracking: Each alarm automatically includes company ID and company name
  • Smart Filtering: Filter and manage incidents across companies or focus on specific ones

Automatic Company ID Handling

  • Auto-Extraction: When taking actions, company ID is automatically extracted from alarm data
  • No Manual Input: You don't need to remember or specify company IDs for most operations
  • Override Capability: Manually specify company ID when needed (advanced use cases)

Company Visibility Control

  • Configurable Display: Choose whether to show company information in incident details
  • Custom Fields: Company ID and company name available in custom fields
  • Incident Naming: Company information included in incident names for quick identification

What's New in Multi-Tenant v4.0

Multi-Tenant Specific

  • Multi-Tenant API Endpoint: Uses /multi_tenant/{multi-tenant-id}/incidents for fetching
  • Company Information: Each alarm includes both company_id and company_name
  • Smart Action Handling: Automatically determines which company to act upon
  • Default Company Visibility: Company info shown by default (can be disabled)

Core Features (from v4.0)

  • Multi-Status Filtering: Select multiple statuses (OPEN, CLOSED, ON_HOLD) simultaneously
  • Epoch Time Precision: Second-level accuracy for incident fetching - zero duplicates
  • Reverse Pagination: Fetches newest incidents first for better performance
  • Dynamic Content Extraction: Automatically extracts alarm-specific fields regardless of type
  • Enhanced Deduplication: Two-layer protection prevents duplicate incidents

Technical Improvements

  • Interval-based fetching with overlap protection
  • Configurable content and entity inclusion
  • Comprehensive debug logging
  • Better error handling and recovery
  • Intelligent company ID extraction from incident context
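The fetch behaviour listed above (interval windows with an overlap margin, newest-first pagination, epoch cut-off plus an ID set as two layers of deduplication) is easier to reason about with a small simulation. The following is an added example, not the integration's own code: the alarm records, timestamps, OVERLAP_SECONDS and the page size are constructed assumptions, and the state object stands in for what an XSOAR integration would persist in last_run.

```python
# Added example, not the integration's own code: a simulated fetch loop
# showing interval-based windows with an overlap margin, newest-first
# (reverse) pagination, and two-layer deduplication: an epoch cut-off plus
# the set of alarm IDs already ingested. OVERLAP_SECONDS, the page size,
# the alarm records and all timestamps are constructed assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timezone

FETCH_INTERVAL_SECONDS = 60   # "Fetch Interval (Minutes)" = 1 from the settings table
OVERLAP_SECONDS = 10          # assumed safety margin re-queried on every run
T0 = 1_700_000_000            # constructed base epoch (seconds)

# Constructed alarm records, standing in for multi-tenant API responses.
SAMPLE_ALARMS = [
    {"id": "a1", "date": T0 + 0,   "company_id": 101, "company_name": "Acme Corp",
     "alarm_main_type": "Brand Protection"},
    {"id": "a2", "date": T0 + 50,  "company_id": 202, "company_name": "Globex Ltd",
     "alarm_main_type": "Cyber Threat Intelligence"},
    {"id": "a3", "date": T0 + 55,  "company_id": 101, "company_name": "Acme Corp",
     "alarm_main_type": "Dark Web Intelligence"},
    {"id": "a4", "date": T0 + 120, "company_id": 202, "company_name": "Globex Ltd",
     "alarm_main_type": "Attack Surface Management"},
]


@dataclass
class FetchState:
    """What a real integration would persist between runs (XSOAR last_run)."""
    last_fetch_epoch: int                       # newest alarm timestamp ingested so far
    seen: dict = field(default_factory=dict)    # alarm ID -> epoch, kept only for the overlap


def get_page(alarms, page, page_size):
    """Newest-first page, mimicking the API's reverse pagination."""
    ordered = sorted(alarms, key=lambda a: a["date"], reverse=True)
    return ordered[page * page_size:(page + 1) * page_size]


def to_incident(alarm):
    """XSOAR incident dict; the company name goes into the name for quick identification."""
    return {
        "name": f"[{alarm['company_name']}] {alarm['alarm_main_type']} - {alarm['id']}",
        "occurred": datetime.fromtimestamp(alarm["date"], tz=timezone.utc).isoformat(),
        "rawJSON": alarm,
    }


def fetch_window(alarms, state, now_epoch, max_incidents=10000, page_size=2):
    """Ingest alarms dated in [last_fetch - overlap, now] that were not seen before."""
    start = state.last_fetch_epoch - OVERLAP_SECONDS
    incidents, newest, page, done = [], state.last_fetch_epoch, 0, False
    while not done:
        batch = get_page(alarms, page, page_size)
        if not batch:
            break
        for alarm in batch:
            ts = alarm["date"]
            if ts > now_epoch:
                continue                   # newer than this window's end
            if ts < start:
                done = True                # newest-first: all remaining alarms are older
                break
            if alarm["id"] in state.seen:
                continue                   # layer 2: re-read inside the overlap, already ingested
            state.seen[alarm["id"]] = ts
            newest = max(newest, ts)
            incidents.append(to_incident(alarm))
            if len(incidents) >= max_incidents:
                done = True
                break
        page += 1
    state.last_fetch_epoch = newest        # layer 1: next window starts from the newest alarm
    state.seen = {i: t for i, t in state.seen.items() if t >= newest - OVERLAP_SECONDS}
    return incidents


def simulate():
    """Three runs one interval apart: incidents created per run and the IDs still remembered."""
    state = FetchState(last_fetch_epoch=T0 - 3 * 86400)   # "First fetch time" = 3 days
    counts = []
    for run in range(1, 4):
        now = T0 + run * FETCH_INTERVAL_SECONDS
        counts.append(len(fetch_window(SAMPLE_ALARMS, state, now)))
    return counts, sorted(state.seen)


if __name__ == "__main__":
    print(simulate())   # ([3, 1, 0], ['a4'])
```

The second run re-reads a2 and a3 because they fall inside the overlap, but the ID set discards them; after each run the set is pruned to the overlap window so persisted state stays small no matter how long the integration runs.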

Key Differences: Standard vs Multi-Tenant

Feature | Standard v4.0 | Multi-Tenant v4.0
Configuration | Company ID + API Key | Multi-Tenant ID + API Key
Fetch Endpoint | /company/{id}/incidents/v4 | /multi_tenant/{id}/incidents
Company Data | Single company (implicit) | Multiple companies (explicit)
Company ID in Actions | Uses configured company ID | Auto-extracted from alarm
Company Visibility | Optional (default: hidden) | Optional (default: visible)
Use Case | Single organization | MSPs, MSSPs, multi-subsidiary

Prerequisites

Required

  • SOCRadar account with Multi-Tenant Incident API access
  • Multi-Tenant ID from SOCRadar platform
  • API Key from SOCRadar platform
  • XSOAR 6.x or later

API Access

To obtain your API credentials:

  1. Log in to the SOCRadar Platform
  2. Contact the SOCRadar support team to obtain an MSSP API Key

Configuration

Integration Settings

Parameter | Required | Default | Description
Server URL | Yes | https://platform.socradar.com/api | SOCRadar API base URL
API Key | Yes | - | Your Multi-Tenant API Key from SOCRadar
Multi-Tenant ID | Yes | - | Your Multi-Tenant ID (integer)
Fetch incidents | No | False | Enable automatic incident fetching
Incident type | No | - | XSOAR incident type to create
Max incidents per fetch | No | 10000 | Maximum incidents per fetch cycle
First fetch time | No | 3 days | Initial time range for first fetch
Fetch Interval (Minutes) | No | 1 | Time window for subsequent fetches

Filtering Options

Parameter | Type | Description
Status Filter | Multi-select | Select one or more: OPEN, CLOSED, ON_HOLD
Severity | Multi-select | Filter by: LOW, MEDIUM, HIGH, CRITICAL
Alarm Type IDs | Text | Comma-separated list of type IDs to include
Excluded Alarm Type IDs | Text | Comma-separated list of type IDs to exclude
Main Alarm Types | Text | Comma-separated main types (e.g., "Brand Protection")
Alarm Sub Types | Text | Comma-separated sub types

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

socradar-change-alarm-status

Change the status of one or more alarms.

Base Command

socradar-change-alarm-status

Input

Argument Name | Description | Required
alarm_ids | Comma-separated list of alarm IDs to update. | Required
status_reason | New status reason for the alarms. Possible values are: OPEN, INVESTIGATING, RESOLVED, PENDING_INFO, LEGAL_REVIEW, VENDOR_ASSESSMENT, FALSE_POSITIVE, DUPLICATE, PROCESSED_INTERNALLY, MITIGATED, NOT_APPLICABLE. | Required
comments | Optional comments explaining the status change. | Optional
company_id | Company ID for the alarm. If not provided, it is auto-fetched from alarm data. Can also use ${incident.socradarcompanyid} from incident fields. | Optional

Context Output

Path | Type | Description
SOCRadar.Alarm.ID | String | Alarm ID.
SOCRadar.Alarm.Status | String | New alarm status.
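The company_id argument above, and the "Automatic Company ID Handling" section earlier, describe a precedence: an explicit company_id wins, otherwise the incident's socradarcompanyid field, otherwise the company carried in the alarm data. The following is an added example, not the integration's own code, that applies that precedence and validates the socradar-change-alarm-status arguments before any request would be built. ALARM_CACHE is constructed sample data, and refusing a batch of alarm IDs that spans more than one company is an assumption of this example rather than documented behaviour.

```python
# Added example, not the integration's own code: resolving the company ID for
# an alarm action in the precedence the README describes (explicit company_id
# argument, then the incident's socradarcompanyid custom field, then the
# company_id carried in the alarm data) and validating the
# socradar-change-alarm-status arguments before any request is built. The
# ALARM_CACHE records are constructed; rejecting a batch of alarms that spans
# several companies is an assumption of this example, not documented behaviour.

STATUS_REASONS = {
    "OPEN", "INVESTIGATING", "RESOLVED", "PENDING_INFO", "LEGAL_REVIEW",
    "VENDOR_ASSESSMENT", "FALSE_POSITIVE", "DUPLICATE", "PROCESSED_INTERNALLY",
    "MITIGATED", "NOT_APPLICABLE",
}

# Constructed alarm data keyed by alarm ID, standing in for alarms previously
# fetched through the multi-tenant endpoint (each carries its company).
ALARM_CACHE = {
    "1001": {"id": "1001", "company_id": 101, "company_name": "Acme Corp"},
    "1002": {"id": "1002", "company_id": 101, "company_name": "Acme Corp"},
    "2001": {"id": "2001", "company_id": 202, "company_name": "Globex Ltd"},
}


def parse_id_list(raw):
    """Split a comma-separated argument, dropping blanks."""
    ids = [part.strip() for part in str(raw or "").split(",") if part.strip()]
    if not ids:
        raise ValueError("alarm_ids must contain at least one alarm ID")
    return ids


def resolve_company_id(alarm_ids, explicit=None, incident_fields=None):
    """Explicit argument > incident custom field > alarm data; always returns an int."""
    candidate = explicit
    if candidate in (None, ""):
        candidate = (incident_fields or {}).get("socradarcompanyid")
    if candidate in (None, ""):
        companies = set()
        for alarm_id in alarm_ids:
            alarm = ALARM_CACHE.get(alarm_id)
            if alarm is None:
                raise ValueError(f"alarm {alarm_id} not found; pass company_id explicitly")
            companies.add(alarm["company_id"])
        if len(companies) != 1:
            raise ValueError(f"alarms belong to several companies {sorted(companies)}; "
                             "run the command once per company")
        candidate = companies.pop()
    try:
        return int(candidate)
    except (TypeError, ValueError):
        raise ValueError(f"company_id must be an integer, got {candidate!r}") from None


def build_change_status_request(args, incident_fields=None):
    """Validate the command arguments and return the request the action would send."""
    alarm_ids = parse_id_list(args.get("alarm_ids"))
    status = str(args.get("status_reason") or "").strip().upper()
    if status not in STATUS_REASONS:
        raise ValueError(f"status_reason {status!r} is not one of {sorted(STATUS_REASONS)}")
    company_id = resolve_company_id(alarm_ids, args.get("company_id"), incident_fields)
    return {
        "company_id": company_id,
        "body": {"alarm_ids": alarm_ids, "status_reason": status,
                 "comments": args.get("comments") or ""},
    }


if __name__ == "__main__":
    print(build_change_status_request({"alarm_ids": "1001, 1002", "status_reason": "resolved"}))
```

Note that status_reason values are a different enumeration from the OPEN/CLOSED/ON_HOLD status filter used when fetching; a playbook that passes CLOSED as a status_reason is rejected here before anything is sent.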

socradar-mark-false-positive

Mark an alarm as false positive.

Base Command

socradar-mark-false-positive

Input

Argument Name | Description | Required
alarm_id | Alarm ID to mark as false positive. | Required
comments | Optional comments explaining why this is a false positive. Default is "False positive". | Optional
company_id | Company ID for the alarm. If not provided, it is auto-fetched from alarm data. Can also use ${incident.socradarcompanyid} from incident fields. | Optional

Context Output

Path | Type | Description
SOCRadar.Alarm.ID | String | Alarm ID.
SOCRadar.Alarm.Status | String | New alarm status.

socradar-mark-resolved

Mark an alarm as resolved.

Base Command

socradar-mark-resolved

Input

Argument Name | Description | Required
alarm_id | Alarm ID to mark as resolved. | Required
comments | Optional comments explaining the resolution. Default is "Resolved". | Optional
company_id | Company ID for the alarm. If not provided, it is auto-fetched from alarm data. Can also use ${incident.socradarcompanyid} from incident fields. | Optional

Context Output

Path | Type | Description
SOCRadar.Alarm.ID | String | Alarm ID.
SOCRadar.Alarm.Status | String | New alarm status.

socradar-add-comment

Add a comment to an alarm.

Base Command

socradar-add-comment

Input

Argument Name | Description | Required
alarm_id | Alarm ID to add the comment to. | Required
user_email | Email address of the user adding the comment. | Required
comment | Comment text to add. | Required
company_id | Company ID for the alarm. If not provided, it is auto-fetched from alarm data. Can also use ${incident.socradarcompanyid} from incident fields. | Optional

Context Output

Path | Type | Description
SOCRadar.Alarm.ID | String | Alarm ID.

socradar-add-assignee

Add one or more assignees to an alarm.

Base Command

socradar-add-assignee

Input

Argument Name | Description | Required
alarm_id | Alarm ID to add assignees to. | Required
user_emails | Comma-separated list of user email addresses to assign. | Required
company_id | Company ID for the alarm. If not provided, it is auto-fetched from alarm data. Can also use ${incident.socradarcompanyid} from incident fields. | Optional

Context Output

Path | Type | Description
SOCRadar.Alarm.ID | String | Alarm ID.
SOCRadar.Alarm.Assignees | String | New assignees.

socradar-add-tag

Add a tag to, or remove a tag from, an alarm.

Base Command

socradar-add-tag

Input

Argument Name | Description | Required
alarm_id | Alarm ID to add or remove the tag for. | Required
tag | Tag name to add or remove. | Required
company_id | Company ID for the alarm. If not provided, it is auto-fetched from alarm data. Can also use ${incident.socradarcompanyid} from incident fields. | Optional

Context Output

Path | Type | Description
SOCRadar.Alarm.ID | String | Alarm ID.
SOCRadar.Alarm.Tags | String | Alarm tags.

socradar-test-fetch

Test incident fetching to verify that alarms are available and that date parsing works correctly.

Base Command

socradar-test-fetch

Input

Argument Name | Description | Required
limit | Number of incidents to test fetch. Default is 5. | Optional
first_fetch | Test date range (e.g., "3 days", "7 days"). Default is 3 days. | Optional

Context Output

Path | Type | Description
SOCRadar.TestFetch.TotalCount | Number | Total number of incidents found.
SOCRadar.TestFetch.SampleIncidents | Unknown | Sample incidents for testing.
SOCRadar.TestFetch.StartDate | String | Parsed start date used for the test.
SOCRadar.TestFetch.TotalRecords | Number | Total number of incidents from the service.
SOCRadar.TestFetch.TotalPages | Number | Total number of pages of incidents from the service.

License

This integration is provided as part of the Cortex XSOAR content pack.