# SOC Interfaces
This document lists the interface contracts available in the SOC Solutions Bundle. For general information about what interfaces are and how to use them, see docid\ sgosywgianmcsfqtqch n. For complete data model field definitions, see docid\ i0yap22xufzu9tbegkare.

## SOC Solutions Bundle Interfaces

The SOC Solutions Bundle includes 20 interfaces for security operations center workflows. Use these interfaces for alert triage, observable enrichment, email processing, and remediation actions.

### Alert to None (v1.0.2)

**Purpose:** Processes an alert object without producing output. Use this interface for alert ingestion workflows where you process alerts without transforming them.

**Input schema**

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| alert | object | Yes | Alert object |
| alert.alert.categories | array of strings | No | Alert categories |
| alert.alert.created_timestamp | string | No | When the alert was created |
| alert.alert.description | string | No | Alert description |
| alert.alert.end_timestamp | string | No | Alert end time |
| alert.alert.impacted_hostnames | array of strings | No | Affected hostnames |
| alert.alert.impacted_ip_addresses | array of strings | No | Affected IP addresses |
| alert.alert.impacted_usernames | array of strings | No | Affected usernames |
| alert.alert.ingested_timestamp | string | No | When the alert was ingested |
| alert.alert.mitre_attack_tactic_technique | array of objects | No | MITRE ATT&CK mappings |
| alert.alert.mitre_attack_tactic_technique.tactics | array | No | Tactic information |
| alert.alert.mitre_attack_tactic_technique.technique | object | No | Technique details with name and uid |
| alert.alert.mitre_attack_tactic_technique.technique.name | string | No | Technique name |
| alert.alert.mitre_attack_tactic_technique.technique.uid | string | No | Technique UID |
| alert.alert.mitre_attack_tactic_technique.version | string | No | ATT&CK version |
| alert.alert.organization | string | No | Organization identifier |
| alert.alert.originating_files | array of objects | No | Files associated with the alert |
| alert.alert.originating_files.content | object | No | File content (base64 or Turbine attachment) |
| alert.alert.originating_files.file_hashes | array | No | Hash information |
| alert.alert.originating_files.observables | array | No | Observable data |
| alert.alert.permalink | string | No | Link to alert details |
| alert.alert.provider | string | No | Alert source provider |
| alert.alert.risk_score | integer | No | Risk score |
| alert.alert.rules | array | No | Rules that triggered the alert |
| alert.alert.severity | string | No | Alert severity level |
| alert.alert.start_timestamp | string | No | Alert start time |
| alert.alert.title | string | No | Alert title |
| alert.alert.uid | string | No | Unique alert identifier |
| alert.observables | array | No | Observable entities |
| alert.raw_alert | object | No | Raw alert data |

**Output schema:** Empty object (no output).

**Use cases**

- Alert ingestion pipelines
- Alert logging and archival
- Alert forwarding without transformation

### Array of Alerts to None (v1.0.2)

**Purpose:** Processes an array of alerts without producing output. Use this interface for bulk alert processing.

**Input schema**

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| alerts | array of alert objects | Yes | Array of alert objects to process |

**Output schema:** Empty object (no output).

**Use cases**

- Bulk alert ingestion
- Alert batch processing
- Alert archival workflows

### Array of Simple Observable to None (v1.0.2)

**Purpose:** Processes an array of simple observable objects without producing output.

**Input schema**

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| observables | array of objects | Yes | Array of simple observable objects |
| observables[].observable.type | string | Yes | Type of observable |
| observables[].observable.value | string | Yes | Observable value |

**Output schema:** Empty object (no output).

**Use cases**

- Bulk observable ingestion
- Observable logging
- Observable forwarding

### Simple Observable to None (v1.0.2)

**Purpose:** Processes a simple observable without producing output.

**Input schema**

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| observable | object | No | Observable object |
| observable.observable.type | string | No | Type of observable |
| observable.observable.value | string | No | Observable value |

**Output schema:** Empty object (no output).

**Use cases**

- Observable logging
- Observable ingestion
- Observable forwarding

### Phishing Email Report to None (v1.0.2)

**Purpose:** Processes phishing email report objects without producing output.

**Input schema**

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| phishing_email_report | object | No | Phishing email report data |

**Output schema:** Empty object (no output).

**Use cases**

- Phishing report ingestion
- Phishing report logging
- Phishing report archival

### Alert Triage Ingestion to Array of Alert (v1.0.2)

**Purpose:** Converts triage ingestion data into an array of standardized alert objects.

**Input schema:** Triage ingestion format (specific structure).

**Output schema**

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| alerts | array of alert objects | No | Array of standardized alert objects that match the alert schema |

**Use cases**

- Bulk alert ingestion
- Alert normalization from multiple sources
- Alert triage workflows

### Simple Observable to Enrichment (v1.0.2)

**Purpose:** Converts a simple observable into an enrichment object that includes threat intelligence data.

**Input schema**

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| observable | object | Yes | Observable object |
| observable.observable.metadata | object | No | Additional metadata |
| observable.observable.type | string | Yes | Type of observable (such as "ip", "domain", or "hash") |
| observable.observable.value | string | Yes | The observable value |

**Output schema**

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| enrichment | object | No | Enrichment object |
| enrichment.enrichment.context | string | No | Context information |
| enrichment.enrichment.permalink | string | No | Link to enrichment details |
| enrichment.enrichment.provider | string | No | Enrichment data provider name |
| enrichment.enrichment.raw_data | string | No | Raw enrichment data |
| enrichment.enrichment.timestamp | string | No | When the enrichment was retrieved |
| enrichment.enrichment.type | string | No | Type of enrichment (such as "location" or "reputation") |
| enrichment.enrichment.verdict | string | No | Reputation verdict |

**Use cases**

- Threat intelligence enrichment
- Observable reputation checking
- Security context gathering

### Simple Observable to Observable (v1.0.2)

**Purpose:** Converts a simple observable into a full observable object with enrichment capabilities.

**Input schema**

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| observable | object | No | Observable object |
| observable.observable.type | string | No | Type of observable |
| observable.observable.value | string | No | Observable value |
| observable.observable.metadata | object | No | Additional metadata |

**Output schema**

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| observable | object | No | Full observable object with enrichment fields |

**Use cases**

- Observable normalization
- Observable enrichment preparation
- Data structure standardization

### Text to Array of Observables (v1.0.2)

**Purpose:** Extracts observables from text content and returns them as an array.

**Input schema**

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| text.value | string | Yes | Text content to parse for observables |

**Output schema**

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| observables | array of objects | No | Array of extracted observables |
| observables[].observable.type | string | No | Type of extracted observable |
| observables[].observable.value | string | No | The extracted value |

**Use cases**

- Email body parsing
- Log file analysis
- Text extraction from documents
- IOC extraction from reports

### Object to Alert (v1.0.2)

**Purpose:** Converts a generic object into a standardized alert object.

**Input schema**

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| object | object | No | Generic object with alert-related fields |

**Output schema**

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| alert | object | No | Standardized alert object matching the alert schema |

**Use cases**

- Alert normalization from various sources
- Custom alert format conversion
- Alert standardization

### Error to Enrichment (v1.0.2)

**Purpose:** Converts error information into an enrichment object for error tracking and analysis.

**Input schema**

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| error | object | No | Error information |

**Output schema**

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| enrichment | object | No | Enrichment object containing error context |

**Use cases**

- Error tracking
- Error enrichment
- Error analysis workflows

### Email to Email (v1.0.2)

**Purpose:** Converts email objects while preserving the email structure. Used for email processing workflows.

**Input schema**

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| email | object | Yes | Email object |
| email.email.bcc_addresses | array of strings | No | BCC recipients |
| email.email.body | string | No | Email body content |
| email.email.cc_addresses | array of strings | No | CC recipients |
| email.email.delivery_timestamp | string | No | Delivery timestamp |
| email.email.from_address | string | No | Sender address |
| email.email.headers | array of objects | No | Email headers |
| email.email.headers[].header.key | string | No | Header name |
| email.email.headers[].header.value | string | No | Header value |
| email.email.html_body | string | No | HTML body content |
| email.email.message_id | string | No | Message ID |
| email.email.mime_parts | array of objects | No | MIME parts |
| email.email.mime_parts[].content | object | No | Content (base64 or Turbine attachment) |
| email.email.mime_parts[].file_name | string | No | File name |
| email.email.mime_parts[].is_attachment | boolean | No | Whether the part is an attachment |
| email.email.mime_parts[].mime_type | string | No | MIME type |
| email.email.organization | string | No | Organization identifier |
| email.email.origination_timestamp | string | No | Origination time |
| email.email.reply_to_addresses | array of strings | No | Reply-to addresses |
| email.email.subject | string | No | Email subject |
| email.email.text_body | string | No | Plain text body |
| email.email.to_addresses | array of strings | No | To recipients |
| email.observables | array | No | Observable entities extracted from the email |
| email.raw_email | string | No | Raw email content |

**Output schema**

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| email | object | No | Transformed email object with the same structure |

**Use cases**

- Email processing workflows
- Email transformation
- Email forwarding
- Email analysis

### Turbine Attachment to Email (v1.0.2)

**Purpose:** Converts a Turbine attachment object into an email object format.

**Input schema**

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| turbine_attachment | object | No | Turbine attachment object |

**Output schema**

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| email | object | No | Email object structure |

**Use cases**

- Attachment to email conversion
- Email reconstruction from attachments
- Email processing workflows

### File to File (v1.0.2)

**Purpose:** Converts file objects while preserving file structure.

**Input schema**

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| file | object | No | File object with file metadata and content |

**Output schema**

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| file | object | No | Transformed file object |

**Use cases**

- File processing workflows
- File transformation
- File forwarding

### Header to Header (v1.0.2)

**Purpose:** Converts header objects (email or HTTP headers).

**Input schema**

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| header | object | No | Header object |

**Output schema**

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| header | object | No | Transformed header object |

**Use cases**

- Header processing
- Header transformation
- Header analysis

### MIME Part to MIME Part (v1.0.2)

**Purpose:** Converts MIME part objects while preserving structure.

**Input schema**

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| mime_part | object | No | MIME part object |

**Output schema**

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| mime_part | object | No | Transformed MIME part object |

**Use cases**

- MIME part processing
- Email attachment handling
- Content extraction

### Phishing Triage Email Ingestion to Array of Phishing Email Report (v1.0.2)

**Purpose:** Converts phishing triage email ingestion data into an array of phishing email reports.

**Input schema:** Phishing triage ingestion format.

**Output schema**

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| phishing_email_reports | array of objects | No | Array of phishing email report objects |

**Use cases**

- Bulk phishing email processing
- Phishing triage workflows
- Phishing report generation

### Block/Unblock Observable (Remediation Action)

**Purpose:** Performs block or unblock actions on observables (such as IPs and domains) in security systems.

**Input schema**

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| observable | string | Yes | The observable value to block or unblock |
| observable_type | string | Yes | Type of observable (such as "ip" or "domain") |
| action | string | Yes | Action to perform ("block" or "unblock") |

**Output schema**

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| block_message | string | No | Response message from the remediation action |

**Use cases**

- IP address blocking/unblocking
- Domain blocking
- Threat containment workflows
- Security control automation

### Enable/Disable User Account (Remediation Action)

**Purpose:** Enables or disables user accounts in identity management systems.

**Input schema**

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| user_account | string | Yes | The user account identifier to enable or disable |
| action | string | Yes | Action to perform ("enable" or "disable") |

**Output schema**

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| response_message | string | No | Response message from the account action |

**Use cases**

- Account remediation
- Incident response
- Access control automation
- User account management

### Isolate/Rejoin Hosts (Remediation Action)

**Purpose:** Isolates or rejoins hosts in network security systems.

**Input schema**

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| host | string | Yes | Host identifier to isolate or rejoin |
| action | string | Yes | Action to perform ("isolate" or "rejoin") |

**Output schema**

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| response_message | string | No | Response message from the remediation action |

**Use cases**

- Host isolation during incidents
- Network containment
- Incident response automation
- Security control workflows
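As an added example (not code from the SOC Solutions Bundle or its documentation), the Python below sketches what a provider of the Text to Array of Observables interface listed above has to do: refang defanged indicators, classify them, and emit objects in the documented `observables[].observable.type` / `observables[].observable.value` shape, including the email-body and report-parsing edge cases (defanging, file names that look like domains, duplicates). The dotted field names, the extra type names "url" and "email", the helper names and the sample report text are assumptions.

```python
import re
# Added example, not part of the SOC Solutions Bundle. Output follows the
# "Text to Array of Observables" output schema shape observables[].observable.{type,value}
# (dotted names assumed); "ip", "domain", "hash" come from the page, "url"/"email" are assumed.

def refang(text: str) -> str:
    """Phishing reports usually arrive defanged; restore real values before matching."""
    text = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", text)
    text = re.sub(r"\[@\]", "@", text)
    return re.sub(r"\bhxxp(s?)://", r"http\1://", text, flags=re.IGNORECASE)

# Order matters: URLs and emails are matched (and blanked) before domains so the hosts
# inside them are not reported a second time as bare domains; hashes likewise precede domains.
_PATTERNS = [
    ("url", re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)),
    ("email", re.compile(r"\b[\w.+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)),
    ("ip", re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")),
    ("hash", re.compile(r"\b(?:[a-f0-9]{64}|[a-f0-9]{40}|[a-f0-9]{32})\b", re.IGNORECASE)),
    ("domain", re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}\b", re.IGNORECASE)),
]
# File names such as "invoice.exe" satisfy the domain regex: a classic IOC-extraction false positive.
_FILE_EXTENSIONS = {"exe", "dll", "pdf", "doc", "docx", "xls", "xlsx", "zip", "txt", "ps1", "js"}

def text_to_observables(text_value: str) -> list[dict]:
    """Return [{"observable": {"type": t, "value": v}}, ...], deduplicated, first-seen order."""
    text = refang(text_value)
    seen: set[tuple[str, str]] = set()
    observables: list[dict] = []
    for kind, pattern in _PATTERNS:
        for match in pattern.finditer(text):
            value = match.group(0).rstrip(".,;:)")
            if kind == "domain" and value.rsplit(".", 1)[-1].lower() in _FILE_EXTENSIONS:
                continue
            key = (kind, value.lower())
            if key not in seen:
                seen.add(key)
                observables.append({"observable": {"type": kind, "value": value}})
        # Blank out this kind's matches with same-length padding so later offsets still line up.
        text = pattern.sub(lambda m: " " * len(m.group(0)), text)
    return observables

# Constructed sample report, not from any real incident.
SAMPLE_REPORT = """User clicked hxxps://login-portal[.]example/verify.php sent by billing[@]mail[.]example.
Attachment invoice.exe (sha256 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08)
beaconed to 203.0.113.45 and resolved evil-cdn[.]example."""

if __name__ == "__main__":
    for item in text_to_observables(SAMPLE_REPORT):
        print(item["observable"]["type"], item["observable"]["value"])
```

The resulting array can be handed directly to the Array of Simple Observable to None or Simple Observable to Enrichment interfaces, since each element already carries the required type and value fields.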