threatintel.socradar

Introduction

The tags beginning with threatintel.socradar identify events generated by SOCRadar.

Valid tags and data tables

The full tag must have 6 levels. The first two are fixed as threatintel.socradar. The third level identifies the product, the fourth indicates the type of events sent, and the remaining two indicate the event subtypes.

These are the valid tags and corresponding data tables that will receive the parsers' data:

| Product / Service | Tags | Data tables |
|---|---|---|
| SOCRadar's Extended Threat Intelligence | threatintel.socradar.xti.audit_logs.1.json | threatintel.socradar.xti.audit_logs |
| | threatintel.socradar.xti.incidents.1.json | threatintel.socradar.xti.incidents |
| | threatintel.socradar.xti.threat_feed.1.json | threatintel.socradar.xti.threat_feed |

For more information, see About Devo tags.
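As an added example (not Devo's or SOCRadar's own code), a small Python validator that checks the six-level tag structure described above and derives the target data table from the first four levels; VALID_TAGS is copied from the table on this page, and the level character set is an assumption.

```python
import re

# The three documented tags from this page; the data table is the first four levels.
VALID_TAGS = {
    "threatintel.socradar.xti.audit_logs.1.json",
    "threatintel.socradar.xti.incidents.1.json",
    "threatintel.socradar.xti.threat_feed.1.json",
}

FIXED_PREFIX = ("threatintel", "socradar")
# Assumption: each level is a plain alphanumeric/underscore token.
LEVEL_RE = re.compile(r"[A-Za-z0-9_]+")


def parse_tag(tag: str) -> dict:
    """Split a SOCRadar tag into its levels and derive the data table.

    Raises ValueError when the tag does not follow the documented structure:
    exactly 6 dot-separated levels, the first two fixed as threatintel.socradar.
    """
    levels = tag.split(".")
    if len(levels) != 6:
        raise ValueError(f"expected 6 levels, got {len(levels)}: {tag!r}")
    if tuple(levels[:2]) != FIXED_PREFIX:
        raise ValueError(f"tag must start with threatintel.socradar: {tag!r}")
    if any(not LEVEL_RE.fullmatch(lvl) for lvl in levels):
        raise ValueError(f"empty or malformed level in tag: {tag!r}")
    return {
        "product": levels[2],          # e.g. xti
        "event_type": levels[3],       # e.g. incidents
        "subtypes": levels[4:],        # e.g. ["1", "json"]
        "table": ".".join(levels[:4]), # table that receives the parsed data
        "documented": tag in VALID_TAGS,
    }
```

An event whose tag parses but is not in VALID_TAGS lands in a table this page does not describe, which is worth flagging when validating a collector's configuration.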

Table structure

These are the fields displayed in these tables:

threatintel.socradar.xti.audit_logs

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| hostname | str | |
| inserted_by | str | |
| insert_date_str | str | |
| event_type | str | |
| description | str | |
| is_success | bool | |
| at_devo_pulling_id | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |

threatintel.socradar.xti.incidents

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| hostname | str | |
| id | int8 | |
| insert_date_str | str | |
| is_resolved | bool | |
| resolved_by | str | |
| resolved_date_str | str | |
| alarm_risk_level | str | |
| alarm_type_details__alarm_main_type | str | |
| alarm_type_details__alarm_sub_type | str | |
| alarm_type_details__alarm_group_name | str | |
| alarm_type_details__alarm_generic_title | str | |
| alarm_type_details__alarm_default_risk_level | str | |
| alarm_related_assets | str | |
| alarm_related_entities | str | |
| update_date_str | str | |
| last_notification_date_str | str | |
| is_notified | bool | |
| is_false_positive | bool | |
| alarm_assets | str | |
| alarm_mitigation | str | |
| at_devo_pulling_id | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |

threatintel.socradar.xti.threat_feed

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| hostname | str | |
| feed | str | |
| feed_type | str | |
| first_seen_date_str | str | |
| latest_seen_date_str | str | |
| maintainer_name | str | |
| collection_name | str | |
| collection_date_str | str | |
| collection_feed_type | str | |
| at_devo_pulling_id | str | |
| extra_info__geo_location__asn_code | int8 | |
| extra_info__geo_location__asn_name | str | |
| extra_info__geo_location__cidr | str | |
| extra_info__geo_location__city_name | str | |
| extra_info__geo_location__country_code | str | |
| extra_info__geo_location__country_name | str | |
| extra_info__geo_location__ip | ip4 | |
| extra_info__geo_location__latitude | float8 | |
| extra_info__geo_location__longitude | float8 | |
| extra_info__geo_location__region_name | str | |
| extra_info__geo_location__timezone | str | |
| extra_info__geo_location__zip_code | str | |
| extra_info__seen_count | int8 | |
| extra_info__apt_group_name | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |

How is data sent to Devo?

Events generated by SOCRadar are forwarded to Devo using a dedicated collector.