# SOCRadar Logs

## Overview

Panther can ingest [SOCRadar](https://socradar.io/) security incidents in real time through HTTP webhooks. SOCRadar is an Extended Threat Intelligence platform that provides visibility into cyber threats, including Deep & Dark Web monitoring, digital risk protection, attack surface management, and threat intelligence.

## How to onboard SOCRadar logs to Panther

### Step 1: Create a new SOCRadar source in Panther

1. In the left-hand navigation bar of your Panther Console, click **Configure** > **Log Sources**.
2. Click **Create New.**
3. Search for "SOCRadar," then click its tile.
4. In the upper-right corner, click **Start Setup**.
5. In the **Basic Information** section, fill in the following fields:
   * **Name**: Enter a descriptive name for the source.
   * **Schemas - Optional**: Should be prepopulated with `SOCRadar.Incidents`.
6. Select your preferred authentication method.
   * **Basic**: Enter Username and Password values.
     * Be sure to securely store your Password value. It will not be visible in the Panther Console.
   * **Bearer**: Enter a Bearer Token. In the value you enter, do not include "Bearer."
     * Be sure to securely store your Bearer Token value. It will not be visible in the Panther Console.
7. Click **Setup**.
8. You will be directed to a verification screen. Leave this open while you configure SOCRadar in the next step.
   * Take note of your **HTTP Source URL**. You will need this value in the next step.

### Step 2: Configure webhook in SOCRadar

{% hint style="info" %}
Instructions may vary based on your SOCRadar plan.
{% endhint %}

1. Log in to your [SOCRadar platform](https://platform.socradar.com/).
2. Navigate to **Settings** > **Integrations** or **Notifications**.
3. Select the webhook or HTTP notification option.
4. Create a new webhook integration with the following details:
   * **Webhook URL**: Paste the URL from Step 1.
   * **Authentication**: Configure according to your chosen method (Basic or Bearer token).
   * **Event Types**: Select the incident types you want to send to Panther.
5. Save the webhook configuration.
6. Test the webhook connection using SOCRadar's test feature, if available.

{% hint style="warning" %}
If you send a test event from SOCRadar using their built-in test feature, it will fail to classify in Panther. This is expected behavior, as SOCRadar sends test events that do not match the structure of normal SOCRadar incident events. Real incidents from SOCRadar will classify correctly.
{% endhint %}

## Supported log types

### SOCRadar.Incidents

SOCRadar security incidents provide visibility into various threats including dark web findings, credential intelligence, phishing detection, attack surface monitoring, and compliance tracking.

Reference: [SOCRadar Incident Response Documentation](https://socradar.io/incident-response/)

```yaml
schema: SOCRadar.Incidents
description: |
    SOCRadar security incidents including dark web findings, credential intelligence,
    phishing detection, and threat alerts.
referenceURL: https://socradar.io/incident-response/
fields:
    - name: alarm_id
      required: true
      description: Unique identifier for the security incident or alarm
      type: string
    - name: alarm_asset
      description: Primary affected asset or entity name
      type: string
    - name: alarm_assignees
      description: List of users or teams assigned to this incident
      type: array
      element:
        type: string
    - name: alarm_related_assets
      description: Additional assets related to this incident
      type: array
      element:
        type: string
    - name: alarm_related_entities
      description: Related entities or IOCs associated with the incident
      type: array
      element:
        type: object
        fields:
          - name: key
            description: Entity type (e.g., domain, ip, email)
            type: string
          - name: value
            description: Entity value
            type: string
            indicators:
              - domain
              - ip
              - email
              - url
              - hostname
    - name: alarm_risk_level
      required: true
      description: Risk severity level of the incident
      type: string
    - name: alarm_text
      required: true
      description: Detailed description and context of the security incident
      type: string
    - name: alarm_response
      description: Recommended response actions and remediation steps
      type: string
    - name: alarm_type_details
      description: Detailed alarm classification and compliance information
      type: object
      fields:
        - name: alarm_compliance_list
          description: List of relevant compliance frameworks and controls
          type: array
          element:
            type: json
        - name: alarm_default_mitigation_plan
          description: Default mitigation steps for this alarm type
          type: string
        - name: alarm_default_risk_level
          description: Default risk level for this alarm category
          type: string
        - name: alarm_detection_and_analysis
          description: Detection methodology and analysis guidance
          type: string
        - name: alarm_generic_title
          description: Generic title/category of the alarm
          type: string
        - name: alarm_main_type
          description: Primary category of the incident
          type: string
        - name: alarm_sub_type
          description: Sub-category classification
          type: string
        - name: alarm_post_incident_analysis
          description: Post-incident analysis guidance
          type: string
    - name: approved_by
      description: User or system that approved the incident
      type: string
    - name: content
      description: Technical details varying by incident type
      type: object
      fields:
        - name: content_preview
          description: Preview or excerpt of the detected content
          type: string
        - name: source
          description: Source platform or system where content was found
          type: string
        - name: matched_asset
          description: Assets that matched detection criteria
          type: array
          element:
            type: string
        - name: compromised_domains
          description: Compromised or mentioned domain names
          type: string
          indicators:
            - domain
        - name: compromised_emails
          description: Compromised or exposed email addresses
          type: string
          indicators:
            - email
        - name: compromised_ips
          description: Compromised or malicious IP addresses
          type: string
          indicators:
            - ip
        - name: credential_details
          description: Details of compromised credentials
          type: array
          element:
            type: json
        - name: phishing_domain
          description: Detected phishing or impersonating domain
          type: string
          indicators:
            - domain
        - name: phishing_keyword
          description: Keyword used to detect the phishing domain
          type: string
        - name: content_link
          description: URL link to the source content
          type: string
          indicators:
            - url
        - name: dns_information
          description: DNS record information for the domain
          type: object
          fields:
            - name: a_record
              description: A record IP address
              type: string
              indicators:
                - ip
            - name: mx_record
              description: MX record value
              type: string
            - name: ns_record
              description: NS record value
              type: string
        - name: ip_address
          description: IP address associated with the incident
          type: string
          indicators:
            - ip
        - name: ssl_information
          description: SSL certificate information
          type: object
          fields:
            - name: not_after
              description: SSL certificate expiration date
              type: timestamp
            - name: not_before
              description: SSL certificate start date
              type: timestamp
        - name: website_information
          description: Website status and screenshot information
          type: object
          fields:
            - name: screenshot
              description: Screenshot URL of the website
              type: string
            - name: website_status
              description: Current status of the website (Active, Passive, etc.)
              type: string
        - name: whois_information
          description: WHOIS registration information
          type: object
          fields:
            - name: address
              description: Registrant address
              type: string
            - name: creation_date
              description: Domain creation date
              type: timestamp
            - name: expiration_date
              description: Domain expiration date
              type: timestamp
            - name: registrant
              description: Domain registrant name
              type: string
            - name: registrar
              description: Domain registrar
              type: string
        - name: malware_family
          description: Identified malware family
          type: string
        - name: username
          description: Username associated with the incident
          type: string
          indicators:
            - username
        - name: matched_query
          description: Search query that matched this content
          type: string
        - name: tags
          description: Tags associated with the content
          type: array
          element:
            type: string
    - name: date
      required: true
      description: Timestamp when the incident was created
      type: timestamp
      isEventTime: true
    - name: extra
      description: Additional metadata or custom fields
      type: array
      element:
        type: json
    - name: history
      description: Change history and audit trail for the incident
      type: array
      element:
        type: object
        fields:
          - name: action_taken_by
            description: User who performed the action
            type: string
          - name: action_type
            description: Type of action performed
            type: string
          - name: date
            description: Timestamp of the action
            type: timestamp
          - name: description
            description: Description of the action
            type: string
    - name: is_approved
      description: Whether the incident has been approved
      type: boolean
    - name: last_notification_date
      description: Timestamp of the last notification sent
      type: timestamp
    - name: notes
      description: Additional notes or comments on the incident
      type: array
      element:
        type: json
    - name: notification_id
      description: Associated notification identifier
      type: string
    - name: status
      required: true
      description: Current status of the incident (OPEN, CLOSED, ON_HOLD)
      type: string
    - name: tags
      description: Categorization tags for the incident
      type: array
      element:
        type: string
```
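The following is an added example, not Panther's or SOCRadar's own code: a Panther-style Python detection rule written against the `SOCRadar.Incidents` fields above, run here on a constructed incident. It assumes a plain dict stands in for Panther's event object (same `.get()` calls), and the SOCRadar risk-level values in `SEVERITY_MAP` are assumed, since the page does not list them.

```python
"""Panther-style rule over SOCRadar.Incidents (added example, assumptions noted)."""

# Required fields from the SOCRadar.Incidents schema; an event missing any of
# these does not match the schema, which is why SOCRadar's built-in test event
# fails to classify while real incidents do.
REQUIRED = ("alarm_id", "alarm_risk_level", "alarm_text", "date", "status")

# Assumed mapping of SOCRadar risk levels to Panther severities; unknown levels
# fall back to MEDIUM rather than dropping the alert.
SEVERITY_MAP = {"critical": "CRITICAL", "high": "HIGH", "medium": "MEDIUM", "low": "LOW"}


def missing_required(event: dict) -> list:
    """Return the required schema fields that are absent or empty."""
    return [f for f in REQUIRED if event.get(f) in (None, "")]


def rule(event: dict) -> bool:
    """Alert on OPEN incidents that carry a phishing domain or leaked credentials."""
    if missing_required(event) or event.get("status") != "OPEN":
        return False
    content = event.get("content") or {}
    return bool(content.get("phishing_domain") or content.get("credential_details"))


def severity(event: dict) -> str:
    level = str(event.get("alarm_risk_level", "")).lower()
    return SEVERITY_MAP.get(level, "MEDIUM")


def title(event: dict) -> str:
    details = event.get("alarm_type_details") or {}
    return (f"SOCRadar {details.get('alarm_main_type', 'incident')} "
            f"[{event.get('alarm_id')}] on {event.get('alarm_asset', 'unknown asset')}")


def alert_context(event: dict) -> dict:
    content = event.get("content") or {}
    return {
        "phishing_domain": content.get("phishing_domain"),
        "related_entities": event.get("alarm_related_entities", []),
        "response": event.get("alarm_response"),
    }


# Constructed sample incident shaped like the SOCRadar.Incidents schema.
SAMPLE_EVENT = {
    "alarm_id": "12345",          # constructed value
    "alarm_asset": "example.com",
    "alarm_risk_level": "high",   # assumed value
    "alarm_text": "Possible phishing domain impersonating example.com",
    "alarm_related_entities": [{"key": "domain", "value": "examp1e.com"}],
    "alarm_type_details": {"alarm_main_type": "Phishing", "alarm_sub_type": "Impersonating Domain"},
    "content": {"phishing_domain": "examp1e.com", "phishing_keyword": "example"},
    "date": "2024-01-01T00:00:00Z",
    "status": "OPEN",
}
```

Running `rule` on an event with only a `message` field (the shape of a generic test payload) returns `False` because every required field is missing, which mirrors the classification failure described in the warning above.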
