threatintel.socradar
Introduction
The tags beginning with threatintel.socradar
identify events generated by SOCRadar.
Valid tags and data tables
The full tag must have 6 levels. The first two are fixed as threatintel.socradar
. The third level identifies the product, the fourth indicates the type of events sent and the rest of them indicate the event subtypes.Â
These are the valid tags and corresponding data tables that will receive the parsers' data:
Product / Service | Tags | Data tables |
---|---|---|
SOCRadar's Extended Threat Intelligence |
|
|
|
| |
|
|
For more information, read more About Devo tags.
Table structure
These are the fields displayed in these tables:
threatintel.socradar.xti.audit_logs
Field | Type | Extra fields |
---|---|---|
eventdate |
| Â |
hostname |
| Â |
inserted_by |
| Â |
insert_date_str |
| Â |
event_type |
| Â |
description |
| Â |
is_success |
| Â |
at_devo_pulling_id |
| Â |
hostchain |
| ✓ |
tag |
| ✓ |
rawMessage |
| ✓ |
threatintel.socradar.xti.incidents
Field | Type | Extra fields |
---|---|---|
eventdate |
| Â |
hostname |
| Â |
id |
| Â |
insert_date_str |
| Â |
is_resolved |
| Â |
resolved_by |
| Â |
resolved_date_str |
| Â |
alarm_risk_level |
| Â |
alarm_type_details__alarm_main_type |
| Â |
alarm_type_details__alarm_sub_type |
| Â |
alarm_type_details__alarm_group_name |
| Â |
alarm_type_details__alarm_generic_title |
| Â |
alarm_type_details__alarm_default_risk_level |
| Â |
alarm_related_assets |
| Â |
alarm_related_entities |
| Â |
update_date_str |
| Â |
last_notification_date_str |
| Â |
is_notified |
| Â |
is_false_positive |
| Â |
alarm_assets |
| Â |
alarm_mitigation |
| Â |
at_devo_pulling_id |
| Â |
hostchain |
| ✓ |
tag |
| ✓ |
rawMessage |
| ✓ |
threatintel.socradar.xti.threat_feed
Field | Type | Extra fields |
---|---|---|
eventdate |
| Â |
hostname |
| Â |
feed |
| Â |
feed_type |
| Â |
first_seen_date_str |
| Â |
latest_seen_date_str |
| Â |
maintainer_name |
| Â |
collection_name |
| Â |
collection_date_str |
| Â |
collection_feed_type |
| Â |
at_devo_pulling_id |
| Â |
extra_info__geo_location__asn_code |
| Â |
extra_info__geo_location__asn_name |
| Â |
extra_info__geo_location__cidr |
| Â |
extra_info__geo_location__city_name |
| Â |
extra_info__geo_location__country_code |
| Â |
extra_info__geo_location__country_name |
| Â |
extra_info__geo_location__ip |
| Â |
extra_info__geo_location__latitude |
| Â |
extra_info__geo_location__longitude |
| Â |
extra_info__geo_location__region_name |
| Â |
extra_info__geo_location__timezone |
| Â |
extra_info__geo_location__zip_code |
| Â |
extra_info__seen_count |
| Â |
extra_info__apt_group_name |
| Â |
hostchain |
| ✓ |
tag |
| ✓ |
rawMessage |
| ✓ |
How is data sent to Devo?
Events generated by SOCRadar are forwarded to Devo using a dedicated collector.