# AI SOC Interfaces
This document lists the interface contracts available in the AI SOC solution. For general information about what interfaces are and how to use them, see docid sgosywgianmcsfqtqch n. For complete data model field definitions, see docid 7efe4hvzv8uzngfkwhjtr.

## AI SOC Interfaces

The AI SOC solution provides the following interfaces for building components and playbooks. These interfaces use the extended Turbine schema fields defined in docid 7efe4hvzv8uzngfkwhjtr.

### Alert to Alert

**Purpose:** Converts alert objects while preserving all alert data. Use this interface for alert normalization, enrichment, and transformation workflows.

**Input schema:** Full alert object (see docid 7efe4hvzv8uzngfkwhjtr).

**Output schema:** Full alert object (same structure as the input).

**Use cases:**

- Alert data normalization and transformation
- Alert enrichment pipelines
- Cross-platform alert data exchange
- Alert triage

### Ingestion to Array of Alert

**Purpose:** Ingests alerts from alerting tools (SIEM, EDR, AV) using time-based search parameters and returns an array of standardized alert objects.

**Input schema:**

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| Organization | String | Optional | The organization impacted by the alerts |
| Start Time | String | Optional | How far back to search for alerts (for example, "4 hours ago", "30 minutes") |

**Output schema:**

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| Alerts | Array of Alert objects | No | Array of standardized alert objects |

**Use cases:**

- Scheduled alert ingestion from SIEM or XDR systems
- Time-based alert polling

### Alert Search Params to Array of Alerts

**Purpose:** Searches for alerts using configurable parameters and returns an array of extended Turbine schema alert objects, with support for provider-specific fields.

**Input schema:**

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| Alert Search Parameters | Object | No | Search parameters object (structure varies by provider) |

**Output schema:**

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| Extended TEDS Alerts | Array | No | Array of extended alert objects |
| Extended TEDS Alerts[] > TEDS Alert | Object | No | Full alert object |
| Extended TEDS Alerts[] > Extended Fields | Object | No | Additional provider-specific fields not covered by the Turbine schema |

**Use cases:**

- Search-based alert ingestion from SIEM or XDR systems
- Pulling alerts matching specific criteria (time range, severity, and similar filters)
- Ingestion pipelines that need both standardized and provider-specific data

### Email Search Params to Array of Emails

**Purpose:** Searches for emails using configurable parameters and returns an array of extended Turbine schema email objects, with optional phishing report data.

**Input schema:**

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| Email Search Parameters | Object | No | Search parameters object |
| Email Search Parameters > Filter | String | No | Filter expression for the email search |
| Email Search Parameters > Max Emails to Return | String | No | Maximum number of emails to return |

**Output schema:**

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| Extended TEDS Emails | Array | No | Array of extended email objects |
| Extended TEDS Emails[] > TEDS Email | Object | No | Full email object (including report description and reporter for phishing reports) |
| Extended TEDS Emails[] > TEDS Email > Report Description | String | No | Description of the reported phishing incident |
| Extended TEDS Emails[] > TEDS Email > Reporter | Object | No | User who submitted the phishing report |
| Extended TEDS Emails[] > TEDS Email > Reporter > User Email Address | String | No | Reporter email address |
| Extended TEDS Emails[] > TEDS Email > Reporter > User ID | String | No | Reporter user ID |
| Extended TEDS Emails[] > TEDS Email > Reporter > User Name | String | No | Reporter username |
| Extended TEDS Emails[] > Extended Fields | Object | No | Additional provider-specific fields not covered by the Turbine schema |

**Use cases:**

- Search-based phishing email ingestion
- Pulling emails matching specific criteria from email security platforms
- Phishing triage workflows that need both Turbine schema standardized and provider-specific data
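As an added example (not code from this page or from the Turbine project), here is a small Python component shaped like the Ingestion to Array of Alert and Alert Search Params to Array of Alerts contracts: it parses the relative start-time expressions shown above ("4 hours ago", "30 minutes"), keeps only constructed sample alerts inside that window, and splits each provider record into the schema alert object plus an Extended Fields object. The sample records, the set of schema field names and the output key names are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed provider records (assumed field names, not any real provider's format).
RAW_ALERTS = [
    {"id": "a-1", "title": "Suspicious login", "severity": "high",
     "created": "2024-05-01T10:00:00+00:00", "vendor_rule_id": "R-42"},
    {"id": "a-2", "title": "Malware detected", "severity": "critical",
     "created": "2024-05-01T06:30:00+00:00", "vendor_rule_id": "R-7",
     "host_tags": ["dmz"]},
]

# Assumed subset of standardized alert fields; the real list is in the data model reference.
SCHEMA_FIELDS = {"id", "title", "severity", "created"}

# Fixed "now" so the example is deterministic (constructed value).
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)

_RELATIVE = re.compile(r"^\s*(\d+)\s*(minute|hour|day)s?(?:\s+ago)?\s*$")


def parse_start_time(expr, now):
    """Turn '4 hours ago' or '30 minutes' into an absolute UTC datetime; reject anything else."""
    m = _RELATIVE.match(expr)
    if not m:
        raise ValueError(f"unsupported start time expression: {expr!r}")
    amount, unit = int(m.group(1)), m.group(2)
    return now - timedelta(**{unit + "s": amount})


def to_extended_alert(raw):
    """Split one provider record into the schema alert object and provider-specific extras."""
    teds_alert = {k: v for k, v in raw.items() if k in SCHEMA_FIELDS}
    extended = {k: v for k, v in raw.items() if k not in SCHEMA_FIELDS}
    return {"teds_alert": teds_alert, "extended_fields": extended}


def ingest_alerts(raw_alerts, start_time, now):
    """Time-window filter followed by normalization, returning the array-of-alerts shape."""
    since = parse_start_time(start_time, now)
    window = [r for r in raw_alerts if datetime.fromisoformat(r["created"]) >= since]
    return {"extended_teds_alerts": [to_extended_alert(r) for r in window]}


def demo(start_time):
    """Run the ingestion over the constructed records with the fixed clock."""
    return ingest_alerts(RAW_ALERTS, start_time, NOW)
```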