SOCRadar Threat Analysis
LAST UPDATED: NOV 07, 2024
Overview
SOCRadar is an Extended Threat Intelligence (XTI) SaaS platform that combines external attack surface management (EASM), digital risk protection services (DRPS), and cyber threat intelligence (CTI). SOCRadar Threat Intelligence maximizes the efficiency of your SOC team with false-positive free, actionable, and contextualized threat intelligence. This integration enables organizations to search indicators of compromise (IOCs) and obtain enhanced information.
D3 SOAR is providing REST operations to function with SOCRadar Threat Analysis.
SOCRadar Threat Analysis is available for use in:
Known Limitations
API Rate Limit: Users can make a maximum of 6 API requests per minute.
Monthly Credit Limit: Each API key has a monthly limit of 1,500 requests.
See Threat Analysis API – SOCRadar Cyber Intelligence for the latest API limitations.
Connection
To connect to SOCRadar Threat Analysis from D3 SOAR, follow this part to collect the required information below:
Parameter | Description | Example |
Server URL | The server URL for the SOC Radar connection. | https://platform.socradar.com |
Threat Analysis API Key | Please obtain your SOCRadar threat analysis API key by contacting our Sales Team. | bdc2******hjQ1 |
Configuring SOCRadar Threat Analysis to Work with D3 SOAR
Login to the SOCRadar Threat Analysis platform at SOCRadar | Login.
Click on the support menu icon to open up a pop-up overlay.
Click on the Contact Sales option, then submit a request for an API key.
Configuring D3 SOAR to Work with SOCRadar Threat Analysis
Log in to D3 SOAR.
Find the SOCRadar Threat Analysis integration.
Navigate to Configuration on the top header menu.
Click on the Integration icon on the left sidebar.
Type SOC Radar Threat Analysis in the search box to find the integration, then click it to select it.
Click on the + Connection button on the right side of the Connections section. A new connection window will appear.
Configure the following fields to create a connection to SOCRadar Threat Analysis.
Connection Name: The desired name for the connection.
Site: Specifies the site to use the integration connection. Use the drop-down menu to select the site. The Share to Internal Sites option enables all sites defined as internal sites to use the connection. Selecting a specific site will only enable that site to use the connection.
Recipient site for events from connections Shared to Internal Sites: This field appears if you selected Share to Internal Sites for Site to let you select the internal site to deploy the integration connection.
Agent Name (Optional): Specifies the proxy agent required to build the connection. Use the dropdown menu to select the proxy agent from a list of previously configured proxy agents.
Description (Optional): Add your desired description for the connection.
Configure User Permissions: Defines which users have access to the connection.
Active: Check the checkbox to ensure the connection is available for use.
System: This section contains the parameters defined specifically for the integration. These parameters must be configured to create the integration connection.
1. Input the Server URL. The default value is https://platform.socradar.com.
2. Input the API Key obtained from contacting the SOCRadar Threat Analysis sales team. Refer to step 3 of Configuring SOCRadar Threat Analysis to Work with D3 SOAR.Enable Password Vault: An optional feature that allows users to take the stored credentials from their own password vault. Refer to the password vault connection guide if needed.
Connection Health Check: Updates the connection status you have created. A connection health check is done by scheduling the Test Connection command of this integration. This can only be done when the connection is active. To set up a connection health check, check the Connection Health Check tick box. You can customize the interval (minutes) for scheduling the health check. An email notification can be set up after a specified number of failed connection attempts.
Test the connection.
Click Test Connection to verify the account credentials and network connection. If the Test Connection Passed alert window appears, the test connection is successful. You will see Passed with a green check mark appear beside the Test Connection button. If the test connection fails, check your connection parameters and try again.
Click OK to close the alert window.
Click + Add to create and add the configured connection.
Commands
SOCRadar Threat Analysis includes the following executable commands for users to set up schedules or create playbook workflows. With the Test Command, you can execute these commands independently for playbook troubleshooting.
Integration API Note
For more information about the SOCRadar Threat Analysis API, refer to the SOCRadar Threat Analysis API reference.
IOC Search
Searches the specified IOC and obtains enhanced information and reputation.
Input
Input Parameter | Required/Optional | Description | Example |
IOC | Required | The IOC to be searched. Users may enter one of the following entities: domain name, IP address, or hash value. Threat analysis results for an entity are cached for 24 hours after the entity’s result is obtained by SOCRadar. If the same entity is queried within 24 hours using the same search parameters, SOCRadar will return the cached results. | ece5*****ca57 |
Advanced Investigation | Optional | Whether advanced investigation information about the analysis should be enabled. By default, the value is False. | True |
Output
Error Handling
If the Return Data displays Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | IOC Search failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SOCRadar Threat Analysis portal. Refer to the HTTP Status Code Registry for details. | Status Code: 500. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Type of the provided entity can be either IPv4, IPv6, Domain or Hash. |
Error Sample Data IOC Search failed. Status Code: 500. Message: Type of the provided entity can be either IPv4, IPv6, Domain or Hash. |
Test Connection
Allows you to perform a health check on an integration connection. You can schedule a periodic health check by selecting Connection Health Check when editing an integration connection.
Input
N/A
Output
Error Handling
If the Return Data displays Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Test Connection failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SOCRadar Threat Analysis portal. Refer to the HTTP Status Code Registry for details. | Status Code: 401. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Check your API key. |
Error Sample Data Test Connection failed. Status Code: 401. Message: Check your API key. |