Skip to main content
Skip table of contents

SOCRadar Threat Analysis

LAST UPDATED: NOV 07, 2024

Overview

SOCRadar is an Extended Threat Intelligence (XTI) SaaS platform that combines external attack surface management (EASM), digital risk protection services (DRPS), and cyber threat intelligence (CTI). SOCRadar Threat Intelligence maximizes the efficiency of your SOC team with false-positive free, actionable, and contextualized threat intelligence. This integration enables organizations to search indicators of compromise (IOCs) and obtain enhanced information.

D3 SOAR is providing REST operations to function with SOCRadar Threat Analysis.

SOCRadar Threat Analysis is available for use in:

D3 SOAR

V16.8.206.1003

Category

Threat Intelligence

Deployment Options

Option II, Option IV

Known Limitations

API Rate Limit: Users can make a maximum of 6 API requests per minute.

Monthly Credit Limit: Each API key has a monthly limit of 1,500 requests.

See Threat Analysis API – SOCRadar Cyber Intelligence for the latest API limitations.

Connection

To connect to SOCRadar Threat Analysis from D3 SOAR, follow this part to collect the required information below:

Parameter

Description

Example

Server URL

The server URL for the SOC Radar connection.

https://platform.socradar.com

Threat Analysis API Key

Please obtain your SOCRadar threat analysis API key by contacting our Sales Team.

bdc2******hjQ1

Configuring SOCRadar Threat Analysis to Work with D3 SOAR

  1. Login to the SOCRadar Threat Analysis platform at SOCRadar | Login.

  2. Click on the support menu icon to open up a pop-up overlay.

  3. Click on the Contact Sales option, then submit a request for an API key.

Configuring D3 SOAR to Work with SOCRadar Threat Analysis

  1. Log in to D3 SOAR.

  2. Find the SOCRadar Threat Analysis integration.

    1. Navigate to Configuration on the top header menu.

    2. Click on the Integration icon on the left sidebar.

    3. Type SOC Radar Threat Analysis in the search box to find the integration, then click it to select it.

    4. Click on the + Connection button on the right side of the Connections section. A new connection window will appear.

  3. Configure the following fields to create a connection to SOCRadar Threat Analysis.

    1. Connection Name: The desired name for the connection.

    2. Site: Specifies the site to use the integration connection. Use the drop-down menu to select the site. The Share to Internal Sites option enables all sites defined as internal sites to use the connection. Selecting a specific site will only enable that site to use the connection.

    3. Recipient site for events from connections Shared to Internal Sites: This field appears if you selected Share to Internal Sites for Site to let you select the internal site to deploy the integration connection.

    4. Agent Name (Optional): Specifies the proxy agent required to build the connection. Use the dropdown menu to select the proxy agent from a list of previously configured proxy agents.

    5. Description (Optional): Add your desired description for the connection.

    6. Configure User Permissions: Defines which users have access to the connection.

    7. Active: Check the checkbox to ensure the connection is available for use.

    8. System: This section contains the parameters defined specifically for the integration. These parameters must be configured to create the integration connection.
      1. Input the Server URL. The default value is https://platform.socradar.com.
      2. Input the API Key obtained from contacting the SOCRadar Threat Analysis sales team. Refer to step 3 of Configuring SOCRadar Threat Analysis to Work with D3 SOAR.

    9. Enable Password Vault: An optional feature that allows users to take the stored credentials from their own password vault. Refer to the password vault connection guide if needed.

    10. Connection Health Check: Updates the connection status you have created. A connection health check is done by scheduling the Test Connection command of this integration. This can only be done when the connection is active. To set up a connection health check, check the Connection Health Check tick box. You can customize the interval (minutes) for scheduling the health check. An email notification can be set up after a specified number of failed connection attempts.

  4. Test the connection.

    1. Click Test Connection to verify the account credentials and network connection. If the Test Connection Passed alert window appears, the test connection is successful. You will see Passed with a green check mark appear beside the Test Connection button. If the test connection fails, check your connection parameters and try again.

    2. Click OK to close the alert window.

    3. Click + Add to create and add the configured connection.

Commands

SOCRadar Threat Analysis includes the following executable commands for users to set up schedules or create playbook workflows. With the Test Command, you can execute these commands independently for playbook troubleshooting.

Integration API Note

For more information about the SOCRadar Threat Analysis API, refer to the SOCRadar Threat Analysis API reference.

IOC Search

Searches the specified IOC and obtains enhanced information and reputation.

Input

Input Parameter

Required/Optional

Description

Example

IOC

Required

The IOC to be searched. Users may enter one of the following entities: domain name, IP address, or hash value. Threat analysis results for an entity are cached for 24 hours after the entity’s result is obtained by SOCRadar. If the same entity is queried within 24 hours using the same search parameters, SOCRadar will return the cached results.

ece5*****ca57

Advanced Investigation

Optional

Whether advanced investigation information about the analysis should be enabled. By default, the value is False.

True

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "data": {
        "classification": "hash",
        "credit_details": {
            "max_daily_credit": 500,
            "max_monthly_credit": 500,
            "remaining_credit": 499,
            "remaining_daily_credit": 496,
            "remaining_monthly_credit": 496,
            "total_api_credit": 500
        },
        "findings": [
            {
                "extra_info": {
                    "last_seen_date": "2024-03-04 15:30:12",
                    "maintainer_name": "Maltiverse"
                },
                "reliability": 85,
                "scoring_channel": "threatfeed",
                "source_category": "Botnet & Malware>Botnet Malware",
                "source_name": "Maltiverse Hash List"
            }
        ],
        "is_advance_investigation": false,
        "is_blacklisted": false,
        "is_whitelisted": false,
        "remaining_credit": 499,
        "score": 52.75,
        "score_details": {
            "Botnet & Malware": 27.75,
            "Virus Total": 25
        },
        "value": "*****",
        "whitelist_hits": {},
        "whitelist_sources": []
    },
    "is_success": true,
    "message": "Requested entity: ***** has been successfully processed.",
    "response_code": 200
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

JSON
{
  "IOC": *****,
  "Advanced Investigation": True
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

data

{'classification': 'hash', 'credit_details': {'max_daily_credit': 500, 'max_monthly_credit': 500, 'remaining_credit': 499, 'remaining_daily_credit': 496, 'remaining_monthly_credit': 496, 'total_api_credit': 500}, 'findings': [{'extra_info': {'last_seen_date': '2024-03-04 15:30:12', 'maintainer_name': 'Maltiverse'}, 'reliability': 85, 'scoring_channel': 'threatfeed', 'source_category': 'Botnet & Malware>Botnet Malware', 'source_name': 'Maltiverse Hash List'}], 'is_advance_investigation': False, 'is_blacklisted': False, 'is_whitelisted': False, 'remaining_credit': 499, 'score': 52.75, 'score_details': {'Botnet & Malware': 27.75, 'Virus Total': 25}, 'value': '*****', 'whitelist_hits': {}, 'whitelist_sources': []}

is_success

True

message

Requested entity: ***** has been successfully processed.

response_code

200

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

IOC Search failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SOCRadar Threat Analysis portal. Refer to the HTTP Status Code Registry for details.

Status Code: 500.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Type of the provided entity can be either IPv4, IPv6, Domain or Hash.

Error Sample Data

IOC Search failed.

Status Code: 500.

Message: Type of the provided entity can be either IPv4, IPv6, Domain or Hash.

Test Connection

Allows you to perform a health check on an integration connection. You can schedule a periodic health check by selecting Connection Health Check when editing an integration connection.

Input

N/A

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Test Connection failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the SOCRadar Threat Analysis portal. Refer to the HTTP Status Code Registry for details.

Status Code: 401.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Check your API key.

Error Sample Data

Test Connection failed.

Status Code: 401.

Message: Check your API key.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.