Socradar incident V4
socradar is a threat intelligence platform that helps organizations detect, analyze, and respond to security threats socradar is a comprehensive threat intelligence platform that provides real time insights into security incidents and vulnerabilities the socradar incident v4 connector allows swimlane turbine users to automate the retrieval and management of security incidents and alarm statuses by integrating with socradar, users can efficiently fetch incidents with detailed compliance and response actions, and update alarm statuses seamlessly this integration enhances the capabilities of security teams by streamlining incident management and enabling proactive threat response within the swimlane turbine platform limitations company id must be supplied on each action; it is not configured on the asset retrieve incidents returns up to 100 records per page the api returns newest incidents on page 1; use reverse pagination when processing large result sets chronologically additional incident management endpoints (comments, assignees, tags, severity) are not included in this release supported versions this socradar connector uses the incident api v4 additional documents documentation socradar platform https //platform socradar com reference socradar incidents v4 on cortex xsoar https //xsoar pan dev/docs/reference/integrations/soc radar incidents v4 configuration prerequisites before you can use the socradar incident v4 connector for turbine, you'll need access to the socradar api this requires the following api key authentication using the following parameters url the endpoint url for accessing the socradar api api key a unique key provided by socradar to authenticate api requests authentication methods api key authentication for socradar using the following parameters url the endpoint url for accessing the socradar api api key a token used to authenticate api requests securely via the api key header verify ssl certificates optional setting to validate the server tls certificate http(s) proxy optional proxy url for outbound requests capabilities this socradar connector provides the following capabilities retrieve incidents update alarm status retrieve incidents fetch security incidents from socradar incident api v4 with details, compliance info, and response actions supports pagination, date filters, alarm/tag/assignee filters, and optional enrichment flags ( get /company/{company id}/incidents/v4 ) click here https //xsoar pan dev/docs/reference/integrations/soc radar incidents v4 update alarm status update the status of one or more alarms for a company required fields include alarm ids and status optional fields include comments , update related finding status , and email ( post /company/{company id}/alarms/status/change ) click here https //xsoar pan dev/docs/reference/integrations/soc radar incidents v4 configurations api key authentication authenticates using an api key passed in the api key header configuration parameters parameter description type required url socradar api base url string required api key company api key from socradar (settings → api & integrations → api options) string required verify ssl verify ssl certificate boolean optional http proxy a proxy to route requests through string optional actions retrieve incidents fetch security incidents from socradar incident api v4 with compliance info and response actions supports pagination, date filters, alarm/notification/tag filters, and optional enrichment flags requires company id as a path parameter endpoint url company/{{company id}}/incidents/v4 method get input argument name type required description path parameters company id string required socradar company identifier (integer) parameters page integer optional page number for pagination parameters limit integer optional number of results per page (maximum 100) parameters start date string optional filter incidents on or after this date (epoch seconds or yyyy mm dd) parameters end date string optional filter incidents on or before this date (epoch seconds or yyyy mm dd) parameters status array optional filter by incident status parameters severities array optional filter by severity levels parameters alarm main types array optional filter by main alarm types (for example, brand protection) parameters alarm sub types array optional filter by alarm sub types (for example, impersonating domain) parameters alarm type ids array optional include only alarms matching these type ids parameters excluded alarm type ids array optional exclude alarms matching these type ids parameters excluded alarm main types array optional exclude alarms matching these main types parameters excluded alarm sub types array optional exclude alarms matching these sub types parameters tags array optional filter by alarm tags parameters assignees array optional filter by assignee email addresses parameters include total records boolean optional include total pages and total records in the response parameters include alarm details boolean optional include alarm type details in each incident parameters include ai decision boolean optional include ai decision details in the response when available parameters include rule details boolean optional include rule details in the response when available parameters include company id boolean optional include company id in each alarm record input example {"path parameters" {"company id" "string"},"parameters" {"page" 1,"limit" 20,"start date" "string","end date" "string","status" \["string"],"severities" \["string"],"alarm main types" \["string"],"alarm sub types" \["string"],"alarm type ids" \[],"excluded alarm type ids" \[],"excluded alarm main types" \["string"],"excluded alarm sub types" \["string"],"tags" \["string"],"assignees" \["string"],"include total records"\ true,"include alarm details"\ true,"include ai decision"\ true,"include rule details"\ true,"include company id"\ true}} output parameter type description status code integer http status code of the response is success boolean whether the operation was successful message string response message data object response data data alarms array response data data total pages integer response data data total records integer response data output example {"is success"\ true,"message" "string","data" {"alarms" \[],"total pages" 123,"total records" 123}} update alarm status update the status of socradar alarms for a company using v4 codes requires company id, alarm ids, and status, with optional comments, related finding updates, and action owner email endpoint url company/{{company id}}/alarms/status/change method post input argument name type required description path parameters company id string required socradar company identifier (integer) alarm ids array optional alarm ids to update status integer optional new alarm status code 0=open, 1=investigating, 2=resolved, 4=pending info, 5=legal review, 6=vendor assessment, 9=false positive, 10=duplicate, 11=processed internally, 12=mitigated, 13=not applicable comments string optional optional comments explaining the status change update related finding status boolean optional whether to update the status of related findings email string optional email of the action owner required when update related finding status is true input example {"path parameters" {"company id" "string"},"alarm ids" \["string"],"status" 123,"comments" "string","update related finding status"\ true,"email" "user\@example com"} output parameter type description status code integer http status code of the response is success boolean whether the operation was successful message string response message data object response data output example {"is success"\ true,"message" "string","data" {}} response headers header description example content type the media type of the resource application/json date the date and time at which the message was originated thu, 01 jan 2024 00 00 00 gmt