How to Use SOCRadar Integrations?
SOCRadar provides integrations with product groups such as SIEM, SOAR, EDR, firewalls, Threat Intelligence Platforms, Vulnerability Management, Ticketing, and Team Meeting to better serve its customers. Thanks to these integrations, it helps you take action regarding the events in the cyber world and quickly manage the alarms generated about your company.
With the renewed structure of the Integrations page, it is effortless to access and edit the integrations on a single screen.
Read on to learn more about the products integrated with Extended Threat Intelligence (XTI) in 2021-2022.
Why SOCRadar Integrations Necessary?
According to the need-to-know principle, alarms about your digital assets that are being tracked by SOCRadar are instantly transmitted to your relevant teams (network, Fraud, AD Teams, Brand Violation, etc.) The threats to your digital assets, which are getting harder and harder to track, are detected early, and action is accelerated. Thus, it provides the opportunity to take proactive action against transactions, vulnerabilities, and threats that may damage the brand’s reputation due to delay.
If your customer, VIP, and employee account leaks happen, you will prevent possible processes that will damage the brand reputation and leak into the system without wasting time with the automated rules you set in your Active Directory, SOAR, etc.
In addition to SOCRadar’s recommended lists, you can feed your security solutions with 115+ IoC feeds (vulnerability scanners like Shodan, DDOS, Botnet C&C, APT groups, Log4j scanning IPs). In this way, you will ease the burden on your security teams and prevent possible attacks by cyber threat actors. You can create a robust security posture by feeding not only a single security solution but also your EDR, SIEM, FW, and SOAR products.
SOCRadar Threat Analysis API allows your Threat Hunting teams to make quick decisions by accessing SOCRadar’s big data, looking at scores for IP and hashes, IP’s ASN/GEO location, whitelist status, reputation, passive DNS, and domain information. In addition to providing the big data pool your Threat Hunting team needs with SOCRadar’s Extended Threat Intelligence approach, you can also provide data from Shodan and VirusTotal to respond to cyber incidents more quickly, effectively, and accurately.
Why SOCRadar Feeds Reliable?
All IoCs in ThreatFeed IoC feeds, and big data are passed through various validation processes (IP, hash, domain, SHA256, etc.) with 43+ million whitelist and whitelist policies to prevent false positives. You can also check the whitelist status of any IP, hash, or domain from ThreatHose.
Threat Feed IoC feeds are kept up-to-date on Endpoint API points daily, and outdated IoCs are removed from the lists weekly to prevent possible false positives. It is passed through over 43+ million whitelists and whitelist policies and validation processes. You can create multi-country filters on your feeds without creating country-based rules. You can also set the process of making your lists compatible with security products (SHA256, SHA1, MD5, Url, Hash, Domain, IP, IPv4, and IPv6) from the platform. You can create your own feed lists (each list has a maximum of 10 feeds) from the 115+ feeds offered on the platform, and you can update the feed list on the platform without the need for re-integration after providing the integration. SOCRadar’s recommended lists provide a daily supply of around 100,000 up-to-date IoCs.
You may be providing some of the 115+ feeds available on SOCRadar for free/paid from different feed sources. But is a preventive mechanism mentioned above presented to you for a possible false-positive situation? If your answer is no, you can also get the feeds you have integrated on the platform.
Which Product/Product Groups Integrate with SOCRadar?
1. SIEM Products:
In SIEM products, scripts that print SOCRadar alarms and Threat Feed IoCs to file are provided by the platform. In addition, token-based scripts are shared for QRadar Rest API and Splunk HTTP Event Collector API. QRadar and Splunk products automatically receive Threat Feed IoCs through the prepared code. Also, the application developed by SOCRadar for the presentation of alarms in Splunk is available in Splunkbase.
With SIEM Alarm integration, your SOC Team can manage alarms via SIEM and receive up-to-date IoCs daily with SIEM Threat Feed IoC integration. With the rules you will set for current IoCs, you can prepare your actions in IoC detection. You can provide logs of your user activities on SOCRadar with the SIEM Audit entry.
Products with completed integration: Splunk, QRadar, LogSign, ArcSight
Feeds delivered via integration: Incident, Threat Feed IOC, User Audit Logs
2. EDR Products
Threat Feed IoC integration is provided by creating a client for Crowdstrike via the Crowdstrike API.
For Wazuh and Cortex XDR, scripts that print SOCRadar alarms and Threat Feed IoCs to file are provided by the platform. In addition, automatic retrieval of Threat Feed IoCs is provided through token-based scripts for the Cortex XDR API.
For Carbon Black EDR, data of Threat Feed recommended lists under Carbon Black format are accessed via platform endpoint APIs.
With EDR, Threat Feed IoC integration, you can receive up-to-date IoCs daily, and you can take action to detect recent IoCs according to the features of your security product.
Products with completed integration: CrowdStrike, Wazuh, Carbon Black, Cortex XDR
Feeds delivered with integration: Threat Feed IOC
3. Firewall Products
With the Threat Feed IoC firewall integration, you can receive up-to-date IoCs daily, and you can take action to detect up-to-date IoCs according to the features of your security product.
Products with completed integration: Palo Alto FW, Fortinet Fortigate FW, Cisco Firepower FW, Checkpoint FW
Feeds delivered with integration: Threat Feed IOC
4. SOAR
With SOAR alarm integration, your SOC Team can manage alarms over SOAR. With the SOAR Threat Feed IoC integration, you can receive up-to-date IoCs daily, and you can prepare your actions in IoC detection with the rules you set. SOCRadar Threat Analysis integration allows your Threat Hunting teams to access SOCRadar’s big data and make quick decisions by looking at IP and hash scores, IP’s ASN/GEO location, whitelist status, reputation, passive DNS, and domain information. In addition to providing the big data pool needed by your Threat Hunting team with the Extended Threat Intelligence structure of SOCRadar, you can also provide data from Shodan and VirusTotal to respond to cyber incidents more effectively and accurately.
Products with completed integration: Cortex XSOAR Incident APP, Threat Feed APP
Feeds delivered with integration: Incident, Threat Feed IOC, Threat Analysis
5. Team Management
You can take your actions regarding the alarms transmitted by SOCRadar via Team Management Apps.
Products that have been integrated: Slack APP, Zoom APP (Approval)
Feeds delivered with integration: Incident
6. Work Management/Ticketing
You can take your actions regarding alarms transmitted by SOCRadar via Work Management/Ticketing Apps.
Products with completed integration: Jira, TheHive
Feeds delivered with integration: Incident
7. Vulnerability Management
Integration of vulnerabilities detected in SOCRadar’s passive and active (with your approval) scans are provided.
Products with completed integration: RiskSense
Feeds delivered by integration: Active (if you allow) and passive vulnerabilities detected by SOCRadar
For technical support regarding integrations, you can contact [email protected].
Discover SOCRadar® Free Edition
With SOCRadar® Free Edition, you’ll be able to:
- Discover your unknown hacker-exposed assets
- Check if your IP addresses tagged as malicious
- Monitor your domain name on hacked websites and phishing databases
- Get notified when a critical zero-day vulnerability is disclosed
Free for 12 months for 1 corporate domain and 100 auto-discovered digital assets.
Get free access.