SOCRadar Logs

Panther supports ingesting SOCRadar threat intelligence via webhook

Overview

Panther has the ability to ingest SOCRadar security incidents in real-time through HTTP webhooks. SOCRadar is an Extended Threat Intelligence platform that provides comprehensive visibility into cyber threats including Deep & Dark Web monitoring, digital risk protection, attack surface management, and threat intelligence.

How to onboard SOCRadar logs to Panther

Step 1: Create a new SOCRadar source in Panther

In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for "SOCRadar," then click its tile.
In the upper-right corner, click Start Setup.
In the Basic Information sectionm, fill in the following fields:
- Name: Enter a descriptive name for the source.
- Schemas - Optional: Should be prepopulated with SOCRadar.Incidents.
Select your preferred authentication method.
- Basic: Enter Username and Password values.
  - Be sure to securely store your Password value. It will not be visible in the Panther Console.
- Bearer: Enter a Bearer Token. In the value you enter, do not include "Bearer."
  - Be sure to securely store your Bearer Token value. It will not be visible in the Panther Console.
Click Setup.
You will be directed to a verification screen. Leave this open while you configure SOCRadar in the next step.
- Take note of your HTTP Source URL. You will need these values in the next step.

Step 2: Configure webhook in SOCRadar

Instructions may vary based on your SOCRadar plan.

Log in to your SOCRadar platform.
Navigate to Settings > Integrations or Notifications.
Select the webhook or HTTP notification option.
Create a new webhook integration with the following details:
- Webhook URL: Paste the URL from Step 1.
- Authentication: Configure according to your chosen method (Basic or Bearer token).
- Event Types: Select the incident types you want to send to Panther.
Save the webhook configuration.
Test the webhook connection using SOCRadar's test feature, if available.

If you send a test event from SOCRadar using their built-in test feature, it will fail to classify in Panther. This is expected behavior, as SOCRadar sends test events that do not match the structure of normal SOCRadar incident events. Real incidents from SOCRadar will classify correctly.

Supported log types

SOCRadar.Incidents

SOCRadar security incidents provide visibility into various threats including dark web findings, credential intelligence, phishing detection, attack surface monitoring, and compliance tracking.

Reference: SOCRadar Incident Response Documentation

schema: SOCRadar.Incidents
description: |
    SOCRadar security incidents including dark web findings, credential intelligence,
    phishing detection, and threat alerts.
referenceURL: https://socradar.io/incident-response/
fields:
    - name: alarm_id
      required: true
      description: Unique identifier for the security incident or alarm
      type: string
    - name: alarm_asset
      description: Primary affected asset or entity name
      type: string
    - name: alarm_assignees
      description: List of users or teams assigned to this incident
      type: array
      element:
        type: string
    - name: alarm_related_assets
      description: Additional assets related to this incident
      type: array
      element:
        type: string
    - name: alarm_related_entities
      description: Related entities or IOCs associated with the incident
      type: array
      element:
        type: object
        fields:
          - name: key
            description: Entity type (e.g., domain, ip, email)
            type: string
          - name: value
            description: Entity value
            type: string
            indicators:
              - domain
              - ip
              - email
              - url
              - hostname
    - name: alarm_risk_level
      required: true
      description: Risk severity level of the incident
      type: string
    - name: alarm_text
      required: true
      description: Detailed description and context of the security incident
      type: string
    - name: alarm_response
      description: Recommended response actions and remediation steps
      type: string
    - name: alarm_type_details
      description: Detailed alarm classification and compliance information
      type: object
      fields:
        - name: alarm_compliance_list
          description: List of relevant compliance frameworks and controls
          type: array
          element:
            type: json
        - name: alarm_default_mitigation_plan
          description: Default mitigation steps for this alarm type
          type: string
        - name: alarm_default_risk_level
          description: Default risk level for this alarm category
          type: string
        - name: alarm_detection_and_analysis
          description: Detection methodology and analysis guidance
          type: string
        - name: alarm_generic_title
          description: Generic title/category of the alarm
          type: string
        - name: alarm_main_type
          description: Primary category of the incident
          type: string
        - name: alarm_sub_type
          description: Sub-category classification
          type: string
        - name: alarm_post_incident_analysis
          description: Post-incident analysis guidance
          type: string
    - name: approved_by
      description: User or system that approved the incident
      type: string
    - name: content
      description: Technical details varying by incident type
      type: object
      fields:
        - name: content_preview
          description: Preview or excerpt of the detected content
          type: string
        - name: source
          description: Source platform or system where content was found
          type: string
        - name: matched_asset
          description: Assets that matched detection criteria
          type: array
          element:
            type: string
        - name: compromised_domains
          description: Compromised or mentioned domain names
          type: string
          indicators:
            - domain
        - name: compromised_emails
          description: Compromised or exposed email addresses
          type: string
          indicators:
            - email
        - name: compromised_ips
          description: Compromised or malicious IP addresses
          type: string
          indicators:
            - ip
        - name: credential_details
          description: Details of compromised credentials
          type: array
          element:
            type: json
        - name: phishing_domain
          description: Detected phishing or impersonating domain
          type: string
          indicators:
            - domain
        - name: phishing_keyword
          description: Keyword used to detect the phishing domain
          type: string
        - name: content_link
          description: URL link to the source content
          type: string
          indicators:
            - url
        - name: dns_information
          description: DNS record information for the domain
          type: object
          fields:
            - name: a_record
              description: A record IP address
              type: string
              indicators:
                - ip
            - name: mx_record
              description: MX record value
              type: string
            - name: ns_record
              description: NS record value
              type: string
        - name: ip_address
          description: IP address associated with the incident
          type: string
          indicators:
            - ip
        - name: ssl_information
          description: SSL certificate information
          type: object
          fields:
            - name: not_after
              description: SSL certificate expiration date
              type: timestamp
            - name: not_before
              description: SSL certificate start date
              type: timestamp
        - name: website_information
          description: Website status and screenshot information
          type: object
          fields:
            - name: screenshot
              description: Screenshot URL of the website
              type: string
            - name: website_status
              description: Current status of the website (Active, Passive, etc.)
              type: string
        - name: whois_information
          description: WHOIS registration information
          type: object
          fields:
            - name: address
              description: Registrant address
              type: string
            - name: creation_date
              description: Domain creation date
              type: timestamp
            - name: expiration_date
              description: Domain expiration date
              type: timestamp
            - name: registrant
              description: Domain registrant name
              type: string
            - name: registrar
              description: Domain registrar
              type: string
        - name: malware_family
          description: Identified malware family
          type: string
        - name: username
          description: Username associated with the incident
          type: string
          indicators:
            - username
        - name: matched_query
          description: Search query that matched this content
          type: string
        - name: tags
          description: Tags associated with the content
          type: array
          element:
            type: string
    - name: date
      required: true
      description: Timestamp when the incident was created
      type: timestamp
      isEventTime: true
    - name: extra
      description: Additional metadata or custom fields
      type: array
      element:
        type: json
    - name: history
      description: Change history and audit trail for the incident
      type: array
      element:
        type: object
        fields:
          - name: action_taken_by
            description: User who performed the action
            type: string
          - name: action_type
            description: Type of action performed
            type: string
          - name: date
            description: Timestamp of the action
            type: timestamp
          - name: description
            description: Description of the action
            type: string
    - name: is_approved
      description: Whether the incident has been approved
      type: boolean
    - name: last_notification_date
      description: Timestamp of the last notification sent
      type: timestamp
    - name: notes
      description: Additional notes or comments on the incident
      type: array
      element:
        type: json
    - name: notification_id
      description: Associated notification identifier
      type: string
    - name: status
      required: true
      description: Current status of the incident (OPEN, CLOSED, ON_HOLD)
      type: string
    - name: tags
      description: Categorization tags for the incident
      type: array
      element:
        type: string

PreviousSnyk Logs NextSophos Logs

Last updated 5 hours ago

Was this helpful?

hashtagOverview

hashtagHow to onboard SOCRadar logs to Panther

hashtagStep 1: Create a new SOCRadar source in Panther

hashtagStep 2: Configure webhook in SOCRadar

hashtagSupported log types

hashtagSOCRadar.Incidents

Overview

How to onboard SOCRadar logs to Panther

Step 1: Create a new SOCRadar source in Panther

Step 2: Configure webhook in SOCRadar

Supported log types

SOCRadar.Incidents