Skip to main content

SOCRadar Integration Guide

Overview

The SOCRadar integration connects NINA workflows to SOCRadar's Extended Threat Intelligence (XTI) platform across 8 resources and 34 operations:

Digital Risk Protection:

  • Incident — List, retrieve, comment on, and tag SOCRadar incidents/alarms
  • Takedown — Request domain, social media, and source code takedowns and track their progress
  • Brand Protection — Impersonating accounts/domains, rogue mobile apps, bad reputation, and social media findings
  • Dark Web — Botnet data, black market, suspicious content, PII exposure, and IM content monitoring
  • Fraud Protection — Phishing, scam, and payment fraud findings

Attack Surface & Audit:

  • Digital Footprint (ASM) — Discover assets, add new assets, mark false positives, and toggle monitoring
  • Audit Log — Retrieve user activity / audit log entries

Threat Intelligence:

  • Threat Intelligence — Score IPs/domains/hashes, enrich indicators, rapid reputation lookups, and threat feed collections

Authentication uses a single company API key plus a company ID. All resources share the same credential.

Rate limits: SOCRadar enforces a strict budget of 6 requests/minute and 1,500 requests/month per API key. Design workflows to be conservative — avoid tight polling loops and cache results where possible.


Credential Configuration

Authentication

FieldDescriptionDefault
API KeyYour SOCRadar company API key
Company IDYour SOCRadar company ID
Base URLAPI endpointhttps://platform.socradar.com/api

The API key is sent as the Api-Key header for most endpoints, and as the key query parameter for the threat analysis endpoints. The integration handles this automatically — you only supply the key once.

How to Get Your SOCRadar API Key

  1. Log in to the SOCRadar Platform
  2. Navigate to SettingsIntegration PageAPI Reference tab
  3. Copy your API Key and Company ID
  4. Confirm your subscription tier includes the modules your workflows require (Dark Web, ASM, Threat Intelligence, etc.)

Subscription notes:

  • Available endpoints depend on your SOCRadar subscription and enabled modules
  • Each company has a unique API key; the company ID scopes all platform/CTI requests to your tenant

Creating a Credential in NINA

  1. Navigate to CredentialsAdd New Credential
  2. Select integration service: SOCRadar
  3. Auth type: API Key
  4. Fill in your API Key and Company ID, and optionally override the Base URL
  5. Click Test Connection then Save

The connection test calls SOCRadar's lightweight /threat/analysis/check/auth endpoint to verify the key without consuming meaningful quota.


Supported Resources and Operations

Incident

SOCRadar incidents/alarms: list, retrieve, comment, and tag.

OperationNameHTTPDescription
listList IncidentsGET /company/{companyId}/incidents/v4List incidents/alarms for the company
getGet IncidentGET /company/{companyId}/incidents/v4Retrieve a single incident, filtered by id
addCommentAdd CommentPOST /company/{companyId}/alarm/add/comment/v2Add a comment to an incident/alarm
addTagAdd TagPOST /company/{companyId}/alarm/tagAdd a tag to an incident/alarm
removeTagRemove TagDELETE /company/{companyId}/alarm/tagRemove a tag from an incident/alarm

Key parameters:

  • id — incident/alarm ID (required for get)
  • alarm_id — incident/alarm ID (required for addComment, addTag, removeTag)
  • comment — comment text (addComment)
  • tag — tag value (addTag, removeTag)
  • page / limit / start_date / end_date — optional filters for list

Takedown

Create and track takedown requests.

OperationNameHTTPDescription
createDomainCreate Domain TakedownPOST /add/company/{companyId}/takedown/requestRequest a takedown for a malicious/phishing domain
createSocialMediaCreate Social Media TakedownPOST /add/company/{companyId}/takedown/request/social_media_risksRequest a takedown for a social media impersonation/risk
createSourceCodeCreate Source Code TakedownPOST /add/company/{companyId}/takedown/request/source_code_leaksRequest a takedown for leaked source code
getProgressGet Takedown ProgressGET /get/company/{companyId}/takedown/progressRetrieve the status/progress of takedown requests

Key parameters:

  • domain — target domain (createDomain)
  • url — offending URL (createSocialMedia, createSourceCode)
  • note — optional context for the request

Brand Protection

Impersonation, rogue apps, bad reputation, and social media findings.

OperationNameHTTPDescription
listList Brand Protection FindingsGET /company/{companyId}/brand-protectionList all brand protection findings
getDetailsGet Brand Protection DetailsGET /company/{companyId}/brand-protection/{recordId}Retrieve details for a specific record
impersonatingAccountsImpersonating AccountsGET /company/{companyId}/brand-protection/impersonating-accounts/v2List impersonating account findings
impersonatingDomainsImpersonating DomainsGET /company/{companyId}/brand-protection/impersonating-domains/v2List impersonating/look-alike domain findings
rogueMobileApplicationsRogue Mobile ApplicationsGET /company/{companyId}/brand-protection/rogue-mobile-applications/v2List rogue mobile application findings
badReputationBad ReputationGET /company/{companyId}/brand-protection/bad-reputation/v2List bad reputation findings
socialMediaFindingsSocial Media FindingsGET /company/{companyId}/brand-protection/social-media-findings/v2List social media findings

Key parameters:

  • recordId — record ID (required for getDetails, path parameter)
  • page / limit / start_date / end_date — optional filters

Dark Web

Dark web monitoring: botnet data, black market, suspicious content, PII exposure, and IM content.

OperationNameHTTPDescription
botnetDataBotnet DataGET /company/{companyId}/dark-web-monitoring/botnet-data/v2List botnet data findings
blackmarketBlack MarketGET /company/{companyId}/dark-web-monitoring/blackmarket/v2List black market findings
suspiciousContentSuspicious ContentGET /company/{companyId}/dark-web-monitoring/suspicious-content/v2List suspicious content findings
piiExposurePII ExposureGET /company/{companyId}/dark-web-monitoring/pii-exposure/v2List PII exposure / account leak findings
imContentIM ContentGET /company/{companyId}/dark-web-monitoring/im-content/v2List instant-messaging (IM) content findings

Key parameters:

  • page / limit / start_date / end_date — optional filters (filter by leak date range where supported)

Digital Footprint (ASM)

Attack surface management: assets, false-positive marking, and monitoring.

OperationNameHTTPDescription
getAssetsGet Digital AssetsGET /company/{companyId}/asmList discovered digital assets
addAssetAdd AssetPOST /company/{companyId}/asm/add/{asset_type}Add a new asset of the given type to the inventory
markFalsePositiveMark False PositivePOST /company/{companyId}/asm/fpMark an asset as a false positive
toggleMonitoringToggle MonitoringPOST /company/{companyId}/asm/monitorEnable or disable monitoring for an asset

Key parameters:

  • asset_type — asset type (required for addAsset, path parameter); enum: domain, ipAddress, website, cloudBuckets
  • value — the asset value (addAsset)
  • asset_id — target asset ID (markFalsePositive, toggleMonitoring)
  • monitor — boolean; whether to enable monitoring (toggleMonitoring)

Fraud Protection

Phishing, scams, and payment fraud findings.

OperationNameHTTPDescription
listList Fraud Protection FindingsGET /company/{companyId}/fraud-protection/v2List fraud protection findings

Key parameters:

  • page / limit / start_date / end_date — optional filters

Audit Log

User activity / audit logs.

OperationNameHTTPDescription
listList Audit LogsGET /company/{companyId}/auditlogsList user audit log entries

Key parameters:

  • page / limit / start_date / end_date — optional filters

Threat Intelligence

IP/domain/hash scoring, IoC enrichment, rapid reputation, and threat feeds. These endpoints sit outside the company tenant path; the integration handles their distinct authentication automatically.

OperationNameHTTPDescription
scoreIpScore IPGET /threat/analysisThreat score and analysis for an IP address
scoreDomainScore DomainGET /threat/analysisThreat score and analysis for a domain
scoreHashScore HashGET /threat/analysisThreat score and analysis for a file hash (MD5/SHA-1/SHA-256)
checkAuthCheck AuthGET /threat/analysis/check/authVerify the API key against the threat analysis endpoint
enrichIndicatorEnrich IndicatorPOST /ioc_enrichment/get/indicator_detailsEnrich an indicator with details, history, and relations
rapidReputationRapid ReputationGET /threatfeed/rapid/reputationRapid reputation verdict for an entity
getFeedListGet Threat FeedGET /threat/intelligence/feed_list/{collection_uuid}.{format}Fetch indicators from a threat intelligence feed collection

Key parameters:

  • entity — the value to analyze (required for scoreIp, scoreDomain, scoreHash)
  • indicator — the indicator value to enrich (enrichIndicator); type is auto-detected (IP, domain, URL, or hash)
  • fields — enrichment fields array (enrichIndicator); enum: indicator_details, indicator_history, indicator_relations, indicator_ai_insight
  • includeAiInsights — boolean; adds AI-generated insights to enrichment (enrichIndicator)
  • entity_value + entity_type — both required for rapidReputation; entity_type enum: ip, hostname, url, hash
  • collection_uuid — feed collection UUID (required for getFeedList, path parameter); format enum: json (default), csv, stix

Examples

Score an IP Address

{
"integration_service": "socradar",
"resource": "threatIntelligence",
"operation": "scoreIp",
"parameters": {
"entity": "8.8.8.8"
}
}

Enrich an Indicator with AI Insights

{
"integration_service": "socradar",
"resource": "threatIntelligence",
"operation": "enrichIndicator",
"parameters": {
"indicator": "malicious-domain.com",
"includeAiInsights": true
}
}

Rapid Reputation Lookup

{
"integration_service": "socradar",
"resource": "threatIntelligence",
"operation": "rapidReputation",
"parameters": {
"entity_value": "1.2.3.4",
"entity_type": "ip"
}
}

List Recent Incidents

{
"integration_service": "socradar",
"resource": "incident",
"operation": "list",
"parameters": {
"start_date": "2026-05-01",
"end_date": "2026-06-01",
"limit": 50
}
}

Comment on an Incident

{
"integration_service": "socradar",
"resource": "incident",
"operation": "addComment",
"parameters": {
"alarm_id": "123456",
"comment": "Triaged — confirmed phishing domain. Initiating takedown."
}
}

Request a Domain Takedown

{
"integration_service": "socradar",
"resource": "takedown",
"operation": "createDomain",
"parameters": {
"domain": "phishing-example.com",
"note": "Impersonating our brand login page"
}
}

List PII Exposure Findings

{
"integration_service": "socradar",
"resource": "darkWeb",
"operation": "piiExposure",
"parameters": {
"start_date": "2026-05-01",
"end_date": "2026-06-01"
}
}

Add an Asset to the Attack Surface

{
"integration_service": "socradar",
"resource": "digitalFootprint",
"operation": "addAsset",
"parameters": {
"asset_type": "domain",
"value": "new-subsidiary.com"
}
}

Fetch a Threat Feed Collection

{
"integration_service": "socradar",
"resource": "threatIntelligence",
"operation": "getFeedList",
"parameters": {
"collection_uuid": "00000000-0000-0000-0000-000000000000",
"format": "json"
}
}

Common Workflow Patterns

Indicator Enrichment Pipeline

  1. Extract an observable (IP/domain/hash) from an upstream node
  2. scoreIp / scoreDomain / scoreHash (threatIntelligence) — get a fast threat score
  3. enrichIndicator — pull detailed context, history, and relations for high-scoring indicators
  4. Branch the workflow on the verdict (alert, block, or ignore)

Incident Triage Workflow

  1. list (incident) — fetch recent incidents/alarms (scope with start_date / end_date)
  2. addComment — record triage notes on the alarm
  3. addTag — tag the alarm for routing/reporting
  4. createDomain (takedown) — initiate a takedown when the alarm is a confirmed phishing domain

Brand & Dark Web Monitoring

  1. impersonatingDomains / impersonatingAccounts (brandProtection) — pull look-alike findings
  2. piiExposure / blackmarket (darkWeb) — check for leaked credentials and data
  3. Forward findings to a ticketing or SIEM integration node
  4. getProgress (takedown) — track open takedown requests to closure

Attack Surface Management

  1. getAssets (digitalFootprint) — list discovered assets
  2. markFalsePositive — clean up incorrectly attributed assets
  3. addAsset — register newly acquired domains/IPs
  4. toggleMonitoring — enable monitoring on critical assets

Troubleshooting

IssueResolution
401 / 403 UnauthorizedAPI key invalid, or the module is not included in your subscription — verify the key and Company ID in Platform Settings
429 Too Many RequestsRate limit hit (6/min, 1,500/month) — add delays, reduce polling, and cache results
Empty resultsNo findings for the requested range; widen start_date / end_date or confirm the module is enabled
companyId is requiredCompany ID missing from the credential — add it under the credential configuration
Missing path parameter errorEnsure recordId (brand protection), asset_type (ASM add), or collection_uuid (threat feed) is supplied
entity is required on a score operationProvide the entity parameter (the IP, domain, or hash to analyze)
entity_type rejected on rapid reputationUse exact enum values: ip, hostname, url, hash
Threat feed returns unexpected formatSet format to json for structured output; csv/stix return raw payloads wrapped under data

Security Considerations

  1. Protect API Keys: Store the API key and Company ID exclusively through NINA credential management — never in workflow parameters or logs
  2. Sensitive Data: Dark web, PII exposure, and credential findings are highly sensitive — restrict workflow access accordingly
  3. Respect the Request Budget: The 1,500/month limit is shared across all workflows using the key — monitor usage to avoid exhausting it during incidents
  4. Credential Rotation: Rotate the API key periodically; revoke immediately if compromised
  5. Least Privilege: Scope workflows to the modules they actually need, in line with your SOCRadar subscription

Additional Resources

Updated: 2026-06-12