Introduction
The tags beginning with threatintel.socradar identify events generated by SOCRadar's Extended Threat Intelligence platform.
Valid tags and data tables
The full tag must have 4 levels. The first two are fixed as threatintel.socradar. The third level identifies the type of events sent, and the fourth level indicates the event subtype.
Technology | Brand | Type | Subtype
---|---|---|---
threatintel | socradar | xti | audit_logs
 | | | incidents
 | | | threat_feed
These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service | Tags | Data tables
---|---|---
SOCRadar's Extended Threat Intelligence | threatintel.socradar.xti.audit_logs | threatintel.socradar.xti.audit_logs
 | threatintel.socradar.xti.incidents | threatintel.socradar.xti.incidents
 | threatintel.socradar.xti.threat_feed | threatintel.socradar.xti.threat_feed
For more information, read About Devo tags.
Table structure
These are the fields displayed in these tables:
threatintel.socradar.xti.audit_logs
threatintel.socradar.xti.incidents
threatintel.socradar.xti.threat_feed
threatintel.socradar.xti.audit_logs
Field | Type | Extra fields
---|---|---
eventdate | |
hostname | |
inserted_by | |
insert_date_str | |
event_type | |
description | |
is_success | |
at_devo_pulling_id | |
hostchain | | ✓
tag | | ✓
rawMessage | | ✓
threatintel.socradar.xti.incidents
Field | Type | Extra fields
---|---|---
eventdate | |
hostname | |
id | |
insert_date_str | |
is_resolved | |
resolved_by | |
resolved_date_str | |
alarm_risk_level | |
alarm_type_details__alarm_main_type | |
alarm_type_details__alarm_sub_type | |
alarm_type_details__alarm_group_name | |
alarm_type_details__alarm_generic_title | |
alarm_type_details__alarm_default_risk_level | |
alarm_related_assets | |
alarm_related_entities | |
update_date_str | |
last_notification_date_str | |
is_notified | |
is_false_positive | |
alarm_assets | |
alarm_mitigation | |
at_devo_pulling_id | |
hostchain | | ✓
tag | | ✓
rawMessage | | ✓
threatintel.socradar.xti.threat_feed
Field | Type | Extra fields
---|---|---
eventdate | |
hostname | |
feed | |
feed_type | |
first_seen_date_str | |
latest_seen_date_str | |
maintainer_name | |
collection_name | |
collection_date_str | |
collection_feed_type | |
at_devo_pulling_id | |
extra_info__geo_location__asn_code | |
extra_info__geo_location__asn_name | |
extra_info__geo_location__cidr | |
extra_info__geo_location__city_name | |
extra_info__geo_location__country_code | |
extra_info__geo_location__country_name | |
extra_info__geo_location__ip | |
extra_info__geo_location__latitude | |
extra_info__geo_location__longitude | |
extra_info__geo_location__region_name | |
extra_info__geo_location__timezone | |
extra_info__geo_location__zip_code | |
extra_info__seen_count | |
extra_info__apt_group_name | |
hostchain | | ✓
tag | | ✓
rawMessage | | ✓
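As an added example (not code from the Devo or SOCRadar documentation), the following Python checks a tag against the four-level threatintel.socradar scheme described above and flattens a nested event into the double-underscore column names used by the incidents and threat_feed tables, flagging any field that does not match a known column so schema drift is visible before ingestion. The nested JSON layout, the sample values and the helper names (`parse_tag`, `flatten`, `to_row`) are constructed for illustration; the page does not show the real SOCRadar payload structure.

```python
"""Added example: validate a threatintel.socradar tag and map a nested event
onto the flat column names listed in the tables above. The nested payload
shapes and sample values below are constructed, not real SOCRadar data."""
import json
import re
from typing import Any

# threatintel.socradar.<type>.<subtype>: exactly four dot-separated levels.
TAG_RE = re.compile(r"^threatintel\.socradar\.(?P<type>[a-z_]+)\.(?P<subtype>[a-z_]+)$")
# Type and subtypes listed on this page.
KNOWN_SUBTYPES = {"xti": {"audit_logs", "incidents", "threat_feed"}}

# Columns of threatintel.socradar.xti.incidents that come from the event body
# (eventdate, hostname, hostchain, tag, rawMessage and at_devo_pulling_id are
# added on the Devo side, so they are not expected inside the payload).
INCIDENT_COLUMNS = {
    "id", "insert_date_str", "is_resolved", "resolved_by", "resolved_date_str",
    "alarm_risk_level", "alarm_type_details__alarm_main_type",
    "alarm_type_details__alarm_sub_type", "alarm_type_details__alarm_group_name",
    "alarm_type_details__alarm_generic_title",
    "alarm_type_details__alarm_default_risk_level", "alarm_related_assets",
    "alarm_related_entities", "update_date_str", "last_notification_date_str",
    "is_notified", "is_false_positive", "alarm_assets", "alarm_mitigation",
}


def parse_tag(tag: str) -> tuple[str, str]:
    """Return (type, subtype) for a valid tag; raise ValueError otherwise."""
    m = TAG_RE.match(tag)
    if not m:
        raise ValueError(f"tag must be threatintel.socradar.<type>.<subtype>: {tag!r}")
    event_type, subtype = m.group("type"), m.group("subtype")
    if subtype not in KNOWN_SUBTYPES.get(event_type, set()):
        raise ValueError(f"unknown type/subtype {event_type}.{subtype}")
    return event_type, subtype


def flatten(obj: Any, prefix: str = "", sep: str = "__") -> dict[str, Any]:
    """Flatten nested dicts into single-level keys joined by `sep`, e.g.
    extra_info -> geo_location -> asn_code becomes
    extra_info__geo_location__asn_code. Lists are kept as single values,
    matching columns such as alarm_related_assets."""
    out: dict[str, Any] = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            name = f"{prefix}{sep}{key}" if prefix else key
            if isinstance(value, dict):
                out.update(flatten(value, name, sep))
            else:
                out[name] = value
    return out


def to_row(tag: str, raw: str) -> dict[str, Any]:
    """Validate the tag, flatten the JSON event, and list payload fields that
    have no matching column on the incidents table."""
    _, subtype = parse_tag(tag)
    fields = flatten(json.loads(raw))
    unknown = sorted(set(fields) - INCIDENT_COLUMNS) if subtype == "incidents" else []
    return {"tag": tag, "fields": fields, "unknown_fields": unknown, "rawMessage": raw}


# Constructed sample events (assumed layout, not a real SOCRadar payload).
SAMPLE_INCIDENT = json.dumps({
    "id": 1001,
    "insert_date_str": "2024-01-15T10:00:00Z",
    "is_resolved": False,
    "alarm_risk_level": "HIGH",
    "alarm_type_details": {
        "alarm_main_type": "Dark Web",
        "alarm_sub_type": "Credential Leak",
        "alarm_group_name": "Data Leakage",
    },
    "alarm_related_assets": ["example.com"],
})
# Same event with an extra nested field the table does not define.
SAMPLE_INCIDENT_DRIFT = json.dumps({
    "id": 1002,
    "alarm_type_details": {"alarm_main_type": "Phishing", "alarm_severity": "P1"},
})

if __name__ == "__main__":
    row = to_row("threatintel.socradar.xti.incidents", SAMPLE_INCIDENT)
    print(sorted(row["fields"]))
    print(to_row("threatintel.socradar.xti.incidents", SAMPLE_INCIDENT_DRIFT)["unknown_fields"])
```

The same `flatten` helper produces the three-level names of the threat_feed table (extra_info__geo_location__*) without changes; only the column set passed to the drift check differs per table.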
How is data sent to Devo?
Events generated by SOCRadar are forwarded to Devo using a dedicated collector. Contact us if you need to forward these events to your Devo domain so we can guide you through the process.