Document toolboxDocument toolbox

SOCRadar collector

Configuration requirements

To run this collector, there are some configurations detailed below that you need to consider.

Configuration

Details

Configuration

Details

API Key

You will need to create API Key to set up this collector.

CompanyID

You will need to have your company_id given by SOCRadar.

More information

Refer to the Vendor setup section to know more about these configurations.

Overview

SOCRadar is a cloud-based, AI-powered Digital Risk Protection Platform enhanced by cyber threat intelligence capabilities.

Devo collector features

Feature

Details

Feature

Details

Allow parallel downloading (multipod)

Allowed

Running environments

Collector server

On-premise

Populated Devo events

Table

Lookups

Flattening preprocessing

No

Data sources

Data source

Description

API endpoint

Collector service name

Devo table

Available from release

Data source

Description

API endpoint

Collector service name

Devo table

Available from release

Incidents

SOCRadar incidents

/company/{company_id}/incidents/v2

incidents

threatintel.socradar.xti.incidents.1.json

v1.0

Audit logs

SOCRadar audit events

/company/{company_id}/auditlogs

audit_logs

threatintel.socradar.xti.audit_logs.1.json

v1.0

Threat feeds

SOCRadar threat feed entries

/threat/intelligence/socradar_collections

threat_feed

Lookups:

socradar_threat_intelligence_urls

socradar_threat_intelligence_hashes

socradar_threat_intelligence_domains

socradar_threat_intelligence_ips

 

v1.0

 

For more information on how the events are parsed, visit our page

Flattening preprocessing

Data source

Collector service

Optional

Data source

Collector service

Optional

Incidents

incidents

No

Audit logs

audit_logs

No

Threat feeds

threat_feed

No

Vendor setup

There are some requirements to set up this collector, you will need to have an API key and create a Token. Follow the steps below:

  1. Log into the SOCRadar portal.

  2. Navigate to the API Options tab.

  3. Generate a new API Key using the Actions button under the API keys section.

Minimum configuration required for basic pulling

Although this collector supports advanced configuration, the fields required to retrieve data with basic configuration are defined below.

This minimum configuration refers exclusively to those specific parameters of this integration. There are more required parameters related to the generic behavior of the collector. Check setting sections for details.

Setting

Details

Setting

Details

api_key

The API key from SOCRADAR.

company_id

The company identification gien by SOCRadar.

See the Accepted authentication methods section to verify what settings are required based on the desired authentication method.

Accepted authentication methods

Authentication method

api_key

company_id

Authentication method

api_key

company_id

api_key/company_id

REQUIRED

REQUIRED

Run the collector

Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).

API limitations

SOCRadar collector has some API limitations according to the contract.

This value should be introduced in the request_per_minute value described above.

If this limit is exceeded, a 429 error is returned by the SOCRadar API. In the event the collector encounters a 429 (that is, the requests hit a rate limit), the collector will attempt to gracefully respect the 429 rate limit and re-attempt the request three times before failing.

Collector services detail

This section is intended to explain how to proceed with specific actions for services.

Events service

Once the collector has been launched, it is important to check if the ingestion is performed in a proper way. To do so, go to the collector’s logs console.

This service has the following components:

Component

Description

Component

Description

Setup

The setup module is in charge of authenticating the service and managing the token expiration when needed.

Puller

The setup module is in charge of pulling the data in a organized way and delivering the events via SDK.

Setup output

A successful run has the following output messages for the setup module:

INFO InputProcess::SOCRadarPullerSetup(SOCRadar_collector,socradar#17812,audit_logs#predefined) -> Testing access to SOCRadar API for audit_logs INFO InputProcess::SOCRadarPullerSetup(SOCRadar_collector,socradar#17812,audit_logs#predefined) -> Access to SOCRadar is OK INFO InputProcess::SOCRadarPullerSetup(SOCRadar_collector,socradar#17812,audit_logs#predefined) -> Setup for module <SOCRadarPuller> has been successfully executed

Puller output

A successful initial run has the following output messages for the puller module:

INFO InputProcess::SOCRadarPuller(socradar,17812,audit_logs,predefined) -> Detected initial start time in UTC change: {'type_changes': {'root': {'old_type': <class 'pendulum.datetime.DateTime'>, 'new_type': <class 'NoneType'>, 'old_value': DateTime(2023, 1, 20, 0, 0, 0, tzinfo=Timezone('UTC')), 'new_value': None}}}. Setting last run time to 2023-01-20T00:00:00+00:00 INFO InputProcess::SOCRadarThreatIntelligencePuller(socradar,17812,threat_feed,predefined,IP) -> [pre_pull] -> Creating a new lookup_job_factory to be used by the pull method INFO InputProcess::SOCRadarThreatIntelligencePuller(socradar,17812,threat_feed,predefined,IP) -> Detected initial start time in UTC change: {'type_changes': {'root': {'old_type': <class 'pendulum.datetime.DateTime'>, 'new_type': <class 'NoneType'>, 'old_value': DateTime(2023, 1, 20, 0, 0, 0, tzinfo=Timezone('UTC')), 'new_value': None}}}. Setting last run time to 2023-01-20T00:00:00+00:00 INFO InputProcess::SOCRadarPuller(socradar,17812,audit_logs,predefined) -> Starting data collection every 60 seconds INFO InputProcess::SOCRadarThreatIntelligencePuller(socradar,17812,threat_feed,predefined,IP) -> Starting data collection every 3600 seconds INFO InputProcess::SOCRadarThreatIntelligencePuller(socradar,17812,threat_feed,predefined,Domain) -> [pre_pull] -> Creating a new lookup_job_factory to be used by the pull method INFO InputProcess::SOCRadarThreatIntelligencePuller(socradar,17812,threat_feed,predefined,URL) -> [pre_pull] -> Creating a new lookup_job_factory to be used by the pull method INFO InputProcess::SOCRadarThreatIntelligencePuller(socradar,17812,threat_feed,predefined,Domain) -> Detected initial start time in UTC change: {'type_changes': {'root': {'old_type': <class 'pendulum.datetime.DateTime'>, 'new_type': <class 'NoneType'>, 'old_value': DateTime(2023, 1, 20, 0, 0, 0, tzinfo=Timezone('UTC')), 'new_value': None}}}. Setting last run time to 2023-01-20T00:00:00+00:00 INFO InputProcess::SOCRadarPuller(socradar,17812,audit_logs,predefined) -> Retrieving audit_logs events since 2023-01-20T00:00:00+00:00 to 2023-01-25 12:05:14.444890+00:00 INFO InputProcess::SOCRadarThreatIntelligencePuller(socradar,17812,threat_feed,predefined,URL) -> Detected initial start time in UTC change: {'type_changes': {'root': {'old_type': <class 'pendulum.datetime.DateTime'>, 'new_type': <class 'NoneType'>, 'old_value': DateTime(2023, 1, 20, 0, 0, 0, tzinfo=Timezone('UTC')), 'new_value': None}}}. Setting last run time to 2023-01-20T00:00:00+00:00 INFO InputProcess::SOCRadarThreatIntelligencePuller(socradar,17812,threat_feed,predefined,IP) -> Retrieving threat_feed events INFO InputProcess::SOCRadarPuller(socradar,17812,audit_logs,predefined) -> Query range exceeds 1 day. Chunking into 6 query windows INFO InputProcess::SOCRadarThreatIntelligencePuller(socradar,17812,threat_feed,predefined,Hash) -> [pre_pull] -> Creating a new lookup_job_factory to be used by the pull method INFO InputProcess::SOCRadarThreatIntelligencePuller(socradar,17812,threat_feed,predefined,Domain) -> Starting data collection every 3600 seconds INFO InputProcess::SOCRadarThreatIntelligencePuller(socradar,17812,threat_feed,predefined,IP) -> Retrieving IP indicators from SOCRadar INFO InputProcess::SOCRadarThreatIntelligencePuller(socradar,17812,threat_feed,predefined,URL) -> Starting data collection every 3600 seconds INFO InputProcess::SOCRadarPuller(socradar,17812,audit_logs,predefined) -> Querying window 1 of 6 (2023-01-20T00:00:00+00:00 - 2023-01-20T23:59:59.999999+00:00) INFO InputProcess::SOCRadarThreatIntelligencePuller(socradar,17812,threat_feed,predefined,Hash) -> Detected initial start time in UTC change: {'type_changes': {'root': {'old_type': <class 'pendulum.datetime.DateTime'>, 'new_type': <class 'NoneType'>, 'old_value': DateTime(2023, 1, 20, 0, 0, 0, tzinfo=Timezone('UTC')), 'new_value': None}}}. Setting last run time to 2023-01-20T00:00:00+00:00 INFO InputProcess::SOCRadarThreatIntelligencePuller(socradar,17812,threat_feed,predefined,Domain) -> Retrieving threat_feed events INFO InputProcess::SOCRadarThreatIntelligencePuller(socradar,17812,threat_feed,predefined,URL) -> Retrieving threat_feed events INFO InputProcess::SOCRadarThreatIntelligencePuller(socradar,17812,threat_feed,predefined,Domain) -> Retrieving Domain indicators from SOCRadar INFO InputProcess::SOCRadarThreatIntelligencePuller(socradar,17812,threat_feed,predefined,Hash) -> Starting data collection every 3600 seconds INFO InputProcess::SOCRadarThreatIntelligencePuller(socradar,17812,threat_feed,predefined,URL) -> Retrieving URL indicators from SOCRadar INFO InputProcess::SOCRadarThreatIntelligencePuller(socradar,17812,threat_feed,predefined,Hash) -> Retrieving threat_feed events INFO InputProcess::SOCRadarThreatIntelligencePuller(socradar,17812,threat_feed,predefined,Hash) -> Retrieving Hash indicators from SOCRadar

After a successful collector’s execution (that is, no error logs found), you will see the following log message:

INFO InputProcess::SOCRadarPuller(socradar,17812,audit_logs,predefined) -> Retrieving audit_logs events since 2023-01-25T13:05:14.546952+00:00 to 2023-01-25 13:06:14.547341+00:00

This collector uses persistent storage to download events in an orderly fashion and avoid duplicates. In case you want to re-ingest historical data or recreate the persistence, you can restart the persistence of this collector by following these steps:

  1. Edit the configuration file.

  2. Change the value of the initial_start_time_in_utc parameter to a different one.

  3. Save the changes.

  4. Restart the collector.

The collector will detect this change and will restart the persistence using the parameters of the configuration file or the default configuration in case it has not been provided.

This collector has different security layers that detect both an invalid configuration and abnormal operation. This table will help you detect and resolve the most common errors.

 

Error type

Error ID

Error message

Cause

Solution

Error type

Error ID

Error message

Cause

Solution

SetupError

101

Error during auth check. Please doublecheck your credentials: [..]

SOCRadar reject the credentials.

Obtain new api_key from SOCRadar.

InitVariablesError

1

Error while fetching collector variables: [..]

One of required parameters is absent or a parameter has an incorrect type

Add the parameter or correct the type.

2

Error validating collector variables: [...]

One of the parameters has the correct type but it is not correct.

For instance, a date is not a valid date, or a number is out of its range.

Correct the parameter in the configuration file.

3

Error while creating client: [..]

Other error inizializing the collector.

Solution depends on specific error message.

Prepull Error

200

Error during pre_pull: [...]

Something was wrong creating the checkpoints

Review the initial_start_time_in_utc

Pull Error

300

Encountered pull error: [...]

Something was wrong contacting the API.

Read the HTTP error code as long as the response’s text. This information should be enough to understand why is the error happening.

Collector operations

This section is intended to explain how to proceed with specific operations of this collector.

Initialization

The initialization module is in charge of setup and running the input (pulling logic) and output (delivering logic) services and validating the given configuration.

A successful run has the following output messages for the initializer module:

Events delivery and Devo ingestion

The event delivery module is in charge of receiving the events from the internal queues where all events are injected by the pullers and delivering them using the selected compatible delivery method.

A successful run has the following output messages for the initializer module:

Sender services

The Integrations Factory Collector SDK has 3 different senders services depending on the event type to delivery (internal, standard, and lookup). This collector uses the following Sender Services:

Sender services

Description

Sender services

Description

internal_senders

In charge of delivering internal metrics to Devo such as logging traces or metrics.

standard_senders

In charge of delivering pulled events to Devo.

Sender statistics

Each service displays its own performance statistics that allow checking how many events have been delivered to Devo by type:

Logging trace

Description

Logging trace

Description

Number of available senders: 1

Displays the number of concurrent senders available for the given Sender Service.

sender manager internal queue size: 0

Displays the items available in the internal sender queue.

Standard - Total number of messages sent: 57, messages sent since "2023-01-10 16:09:16.116750+00:00": 0 (elapsed 0.000 seconds

Displayes the number of events from the last time and following the given example, the following conclusions can be obtained:

  • 44 events were sent to Devo since the collector started.

  • The last checkpoint timestamp was 2023-01-10 16:09:16.116750+00:00.

  • 21 events where sent to Devo between the last UTC checkpoint and now.

  • Those 21 events required 0.00 seconds to be delivered.