Details
Content
Dependencies
Version History

Streamline remediation of alerts and incidents with enhanced multi-tenant capabilities. Easily manage and automate security operations across multiple tenants, including for enrichment threat intelligence, reputation checking, and IoC feeds

SOCRadar Pack

SOCRadar is a cloud-based external threat intelligence and digital risk protection platform. The platform has the automated capability of monitoring and processing data collected from internet (surface, deep and dark web sources), then turning this data into security intelligence as incidents and threat intelligence feeds (domain, IP, hash) to improve the existing detection/protection appliances of the customers.

What does this pack do?

SOCRadar Incidents

This pack allows you to integrate SOCRadar incidents with XSOAR. Automated integration fetches and populates incidents into XSOAR from SOCRadar platform along with all the details of the incident and leads XSOAR analyst to take relevant actions over the incidents such as:

Marking the incident as false positive.
Resolve the incident.
Adding notes for the incident.

SOCRadar Incidents v4

Marking the incident as false positive.
Resolve the incident.
Adding notes for the incident.
Add assignee
Add comment
Change status with related findings

In short, you can perform the actions that an analyst would need to do on SOCRadar platform while responding an incident.

In addition to the incident management, this pack also provides integrations with SOCRadar's threat intelligence capabilities:

SOCRadar ThreatFusion

Enrich indicators by obtaining enhanced information and reputation via SOCRadar. Supported indicator types for the SOCRadar reputation query are as follow:

IPv4
IPv6
Domain
File SHA-1
File MD5

SOCRadar Rapid Reputation

Fast reputation checking for IPs, domains, URLs, and file hashes with bulk support:

Speed: Sub-second response times for rapid triage
Bulk Operations: Check up to 100 indicators at once with automatic rate limiting (1 req/sec)
Auto Detection: Automatically identifies indicator types (IP, domain, URL, hash)
DBot Integration: Full integration with XSOAR's scoring system
Whitelisting: Built-in support for whitelisted entities
Threat Sources: Aggregates data from multiple threat intelligence feeds

Commands:

!ip, !domain, !url, !file - Check reputation for specific indicator types
!socradar-reputation - Generic command with manual type specification
!socradar-bulk-check - Bulk check mixed list of indicators with auto-detection

Use Cases:

Fast incident triage and IOC screening
Bulk validation of threat intelligence feeds
Automated playbook integration for rapid reputation checks
Daily security monitoring

SOCRadar IoC Enrichment

Deep threat intelligence enrichment with comprehensive context:

Signal Strength: 5 levels (Very Strong, Strong, Moderate, Slightly Noisy, Noisy)
Confidence Levels: Cross-source validation (Very High, High, Medium, Low)
Activity Labels: Track indicator activity over 1/7/30/90 day periods
Categorization: 11 service categories (CDN, Cloud, Malware, ThreatActor, Tor, VPN, etc.)
Attribution: Threat actor associations and campaign tracking
Premium Feeds: Integration with SOCRadar premium threat feeds
Relations: Related entities (up to 10 relations per indicator)
Historical Data: Last 10 events with detailed feed information
Target Intelligence: Industries and countries targeted
AI Insights: Optional AI-generated threat analysis (disabled by default for performance)

Commands:

!ip, !domain, !url, !file - Enrich specific indicator types with full threat intelligence
!socradar-ioc-enrichment - Generic command with automatic type detection

Use Cases:

Deep investigation of suspicious indicators
Threat attribution and campaign analysis
Understanding attacker infrastructure and tactics
Incident context enrichment

SOCRadar Threat Feed

Collection-based IoC feed integration for automated indicator ingestion:

Collection Management: Use custom feed collections from SOCRadar platform via UUIDs
Multiple Collections: Support for multiple collection UUIDs simultaneously
Incremental Feed: Only fetches new or modified indicators
Auto Type Detection: Automatically identifies IP, domain, URL, and hash indicators
Geolocation Data: Full IP geolocation (ASN, CIDR, Country, City, Lat/Long, Timezone)
Feed Metadata: Maintainer information, confidence scores, first/last seen dates
TLP Support: Traffic Light Protocol color assignment
Custom Tags: Add custom tags to ingested indicators
Scheduled Fetch: Configurable fetch interval for automated ingestion

Commands:

!socradar-get-indicators - Manually retrieve indicators from collections
!socradar-reset-fetch-indicators - Reset fetch history

Configuration:

Log in to SOCRadar platform
Navigate to Threat Intelligence > Feeds section
Create custom collections or use existing ones
Copy collection UUID(s) from collection detail page
Enter UUID(s) in integration configuration
Configure fetch interval and limits
Set TLP color and custom tags

Use Cases:

Automated threat intelligence feed ingestion
Custom collection-based IOC management
Integration with XSOAR's indicator lifecycle
Scheduled threat intelligence updates

Prerequisites & Licensing

Depending on the integrations you intend to use, different licensing and activation steps apply:

1. Standard API Licensing

The following integrations are included with standard API licensing and require a standard SOCRadar API Key (obtainable from the SOCRadar platform via Settings → API Options / Keys):

SOCRadar Incidents
SOCRadar Incidents v4
SOCRadar Threat Feed

2. Advanced Intelligence API (Add-on or Standalone)

SOCRadar Rapid Reputation and SOCRadar IoC Enrichment operate using the Advanced Intelligence API, which is optimized for high-volume, deep context, and fast reputation queries.

Licensing Model: The features of these modules are licensed separately from the standard SOCRadar platform package. To use these integrations, your API key must be explicitly activated with "Rapid Reputation" and/or "IoC Enrichment" privileges.
Standalone Purchase: This service can be added to your existing SOCRadar subscription, or it can be purchased as a standalone key completely independent of a platform membership.
Purchase & Activation: For API authorization, pricing information, or to purchase a new standalone key, please contact our support team at support@socradar.io.

3. Multi-Tenant Usage

To use Multi-tenant Incident API, the Multi-tenant Incidents API must be enabled. You must contact the MSSP Enablement Team to activate this specific API for your account. To activate, please contact our support team at support@socradar.io.

Support

For Cortex XSOAR support, contact xsoar@socradar.io or visit https://socradar.io

Demo Video

SOCRadar Pack

What does this pack do?

SOCRadar Incidents

Marking the incident as false positive.
Resolve the incident.
Adding notes for the incident.

SOCRadar Incidents v4

Marking the incident as false positive.
Resolve the incident.
Adding notes for the incident.
Add assignee
Add comment
Change status with related findings

In short, you can perform the actions that an analyst would need to do on SOCRadar platform while responding an incident.

In addition to the incident management, this pack also provides integrations with SOCRadar's threat intelligence capabilities:

SOCRadar ThreatFusion

Enrich indicators by obtaining enhanced information and reputation via SOCRadar. Supported indicator types for the SOCRadar reputation query are as follow:

IPv4
IPv6
Domain
File SHA-1
File MD5

SOCRadar Rapid Reputation

Fast reputation checking for IPs, domains, URLs, and file hashes with bulk support:

Speed: Sub-second response times for rapid triage
Bulk Operations: Check up to 100 indicators at once with automatic rate limiting (1 req/sec)
Auto Detection: Automatically identifies indicator types (IP, domain, URL, hash)
DBot Integration: Full integration with XSOAR's scoring system
Whitelisting: Built-in support for whitelisted entities
Threat Sources: Aggregates data from multiple threat intelligence feeds

Commands:

!ip, !domain, !url, !file - Check reputation for specific indicator types
!socradar-reputation - Generic command with manual type specification
!socradar-bulk-check - Bulk check mixed list of indicators with auto-detection

Use Cases:

Fast incident triage and IOC screening
Bulk validation of threat intelligence feeds
Automated playbook integration for rapid reputation checks
Daily security monitoring

SOCRadar IoC Enrichment

Deep threat intelligence enrichment with comprehensive context:

Signal Strength: 5 levels (Very Strong, Strong, Moderate, Slightly Noisy, Noisy)
Confidence Levels: Cross-source validation (Very High, High, Medium, Low)
Activity Labels: Track indicator activity over 1/7/30/90 day periods
Categorization: 11 service categories (CDN, Cloud, Malware, ThreatActor, Tor, VPN, etc.)
Attribution: Threat actor associations and campaign tracking
Premium Feeds: Integration with SOCRadar premium threat feeds
Relations: Related entities (up to 10 relations per indicator)
Historical Data: Last 10 events with detailed feed information
Target Intelligence: Industries and countries targeted
AI Insights: Optional AI-generated threat analysis (disabled by default for performance)

Commands:

!ip, !domain, !url, !file - Enrich specific indicator types with full threat intelligence
!socradar-ioc-enrichment - Generic command with automatic type detection

Use Cases:

Deep investigation of suspicious indicators
Threat attribution and campaign analysis
Understanding attacker infrastructure and tactics
Incident context enrichment

SOCRadar Threat Feed

Collection-based IoC feed integration for automated indicator ingestion:

Collection Management: Use custom feed collections from SOCRadar platform via UUIDs
Multiple Collections: Support for multiple collection UUIDs simultaneously
Incremental Feed: Only fetches new or modified indicators
Auto Type Detection: Automatically identifies IP, domain, URL, and hash indicators
Geolocation Data: Full IP geolocation (ASN, CIDR, Country, City, Lat/Long, Timezone)
Feed Metadata: Maintainer information, confidence scores, first/last seen dates
TLP Support: Traffic Light Protocol color assignment
Custom Tags: Add custom tags to ingested indicators
Scheduled Fetch: Configurable fetch interval for automated ingestion

Commands:

!socradar-get-indicators - Manually retrieve indicators from collections
!socradar-reset-fetch-indicators - Reset fetch history

Configuration:

Log in to SOCRadar platform
Navigate to Threat Intelligence > Feeds section
Create custom collections or use existing ones
Copy collection UUID(s) from collection detail page
Enter UUID(s) in integration configuration
Configure fetch interval and limits
Set TLP color and custom tags

Use Cases:

Automated threat intelligence feed ingestion
Custom collection-based IOC management
Integration with XSOAR's indicator lifecycle
Scheduled threat intelligence updates

Prerequisites & Licensing

Depending on the integrations you intend to use, different licensing and activation steps apply:

1. Standard API Licensing

The following integrations are included with standard API licensing and require a standard SOCRadar API Key (obtainable from the SOCRadar platform via Settings → API Options / Keys):

SOCRadar Incidents
SOCRadar Incidents v4
SOCRadar Threat Feed

2. Advanced Intelligence API (Add-on or Standalone)

SOCRadar Rapid Reputation and SOCRadar IoC Enrichment operate using the Advanced Intelligence API, which is optimized for high-volume, deep context, and fast reputation queries.

Licensing Model: The features of these modules are licensed separately from the standard SOCRadar platform package. To use these integrations, your API key must be explicitly activated with "Rapid Reputation" and/or "IoC Enrichment" privileges.
Standalone Purchase: This service can be added to your existing SOCRadar subscription, or it can be purchased as a standalone key completely independent of a platform membership.
Purchase & Activation: For API authorization, pricing information, or to purchase a new standalone key, please contact our support team at support@socradar.io.

3. Multi-Tenant Usage

Support

For Cortex support, contact xsoar@socradar.io or visit https://socradar.io

Demo Video

Classifiers

Name	Description
SOCRadar Incident Classifier	Classifies SOCRadar incidents.
SOCRadar Incident Mapper	Maps SOCRadar incident fields.

Incident Fields

Name	Description
SOCRadar Related Entities
SOCRadar Incident ID
SOCRadar Incident Assets
SOCRadar Incident Content
SOCRadar Incident Main Type
SOCRadar Incident Sub Type
SOCRadar Mitigation
SOCRadar Related Assets

Incident Types

Name	Description
SOCRadar Generic

Integrations

Name	Description
SOCRadar Incidents (Partner Contribution)	Fetches SOCRadar incidents with desired parameters so that relevant actions over the incidents can be taken by using Cortex XSOAR.
SOCRadar Rapid Reputation (Partner Contribution)	Enrich indicators (IP, Domain, URL, Hash) by obtaining reputation information via SOCRadar Rapid Reputation API.
SOCRadar IoC Enrichment (Partner Contribution)	Enrich indicators with deep threat intelligence using SOCRadar IoC Enrichment API. Get categorization, signal strength, confidence levels, and historical data.
SOCRadar Incidents Multi-Tenant (Partner Contribution)	SOCRadar Multi-Tenant Incidents integration with advanced incident management, status reasons, and compliance tracking. Fetches security incidents from SOCRadar platform across all tenant companies with proper deduplication and date handling. Uses Multi-Tenant API for incident fetching and company-specific APIs for alarm management.
SOCRadar Threat Feed v2 (Partner Contribution)	Retrieve indicators provided by SOCRadar Collection Based IOC Feed using collection UUIDs. Users can create custom feed collections on the SOCRadar platform and use their UUIDs to fetch IOCs via this integration.
SOCRadar ThreatFusion (Partner Contribution)	Enrich indicators by obtaining enhanced information and reputation via ThreatFusion of SOCRadar.
SOCRadar Incidents v4 (Partner Contribution)	SOCRadar Incidents v4 API integration with advanced incident management, status reasons, and compliance tracking. Fetches security incidents from SOCRadar platform with proper deduplication and date handling. Supports filtering by alarm type IDs for granular control.

Layouts

Name	Description
SOCRadar Incident

Playbooks

Name	Description
SOCRadar Incident	Performs indicator extraction and enrichment from the incident content, calculates the severity level, assigns the incident to a particular analyst, notifies SOCRadar platform for the incident response (to mark it as false positive or resolved) and generates investigation summary report just before closing the investigation in the end. This playbook is executed for the SOCRadar Generic incident type.

Name

Description

SOCRadar Incident

Performs indicator extraction and enrichment from the incident content, calculates the severity level, assigns the incident to a particular analyst, notifies SOCRadar platform for the incident response (to mark it as false positive or resolved) and generates investigation summary report just before closing the investigation in the end. This playbook is executed for the SOCRadar Generic incident type.

Classifiers

Name	Description
SOCRadar Incident Classifier	Classifies SOCRadar incidents.
SOCRadar Incident Mapper	Maps SOCRadar incident fields.

Incident Fields

Name	Description
SOCRadar Incident Assets
SOCRadar Incident Main Type
SOCRadar Related Assets
SOCRadar Incident Content
SOCRadar Mitigation
SOCRadar Incident Sub Type
SOCRadar Incident ID
SOCRadar Related Entities

Incident Types

Name	Description
SOCRadar Generic

Integrations

Name	Description
SOCRadar Incidents v4 (Partner Contribution)	SOCRadar Incidents v4 API integration with advanced incident management, status reasons, and compliance tracking. Fetches security incidents from SOCRadar platform with proper deduplication and date handling. Supports filtering by alarm type IDs for granular control.
SOCRadar Threat Feed v2 (Partner Contribution)	Retrieve indicators provided by SOCRadar Collection Based IOC Feed using collection UUIDs. Users can create custom feed collections on the SOCRadar platform and use their UUIDs to fetch IOCs via this integration.
SOCRadar ThreatFusion (Partner Contribution)	Enrich indicators by obtaining enhanced information and reputation via ThreatFusion of SOCRadar.
SOCRadar Incidents Multi-Tenant (Partner Contribution)	SOCRadar Multi-Tenant Incidents integration with advanced incident management, status reasons, and compliance tracking. Fetches security incidents from SOCRadar platform across all tenant companies with proper deduplication and date handling. Uses Multi-Tenant API for incident fetching and company-specific APIs for alarm management.
SOCRadar IoC Enrichment (Partner Contribution)	Enrich indicators with deep threat intelligence using SOCRadar IoC Enrichment API. Get categorization, signal strength, confidence levels, and historical data.
SOCRadar Rapid Reputation (Partner Contribution)	Enrich indicators (IP, Domain, URL, Hash) by obtaining reputation information via SOCRadar Rapid Reputation API.
SOCRadar Incidents (Partner Contribution)	Fetches SOCRadar incidents with desired parameters so that relevant actions over the incidents can be taken by using Cortex.

Playbooks

Name	Description
SOCRadar Alert	Performs indicator extraction and enrichment from the alert content, calculates the severity level, assigns the alert to a particular analyst, notifies SOCRadar platform for the alert response (to mark it as false positive or resolved) and generates investigation summary report just before closing the investigation in the end. This playbook is executed for the SOCRadar Generic alert type.

Required Content Packs (4)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Common Types	By: Cortex XSOAR

Optional Content Packs (0)

Pack Name	Pack By

All level dependencies (8)

Pack Name	Pack By
Cortex REST API	By: Cortex XSOAR
Base	By: Cortex XSOAR
Rasterize	By: Cortex XSOAR
Aggregated Scripts	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Common Types	By: Cortex XSOAR

2.3.0 - 9183304 (May 20, 2026)

Integrations

SOCRadar Incidents

Updated the Docker image to: demisto/python3:3.12.13.9059085.

SOCRadar Incidents Multi-Tenant

Updated the Docker image to: demisto/python3:3.12.13.9059085.

SOCRadar Incidents v4

Fixed severity and status filter parameter names to match API specification (severity and status_list).
Updated the Docker image to: demisto/python3:3.12.13.9059085.

New: SOCRadar Threat Feed v2

New: Added a new integration- FeedSOCRadarThreatFeedV2 that Retrieve indicators provided by SOCRadar Collection Based IOC Feed using collection UUIDs. Users can create custom feed collections on the SOCRadar platform and use their UUIDs to fetch IOCs via this integration.
Collection-based IoC feed integration using collection UUIDs.
Fetch indicators from custom SOCRadar threat feed collections.
Support for multiple collection UUIDs with incremental feed capability.
Comprehensive indicator fields including geolocation data, scores, and maintainer information.
Added the following commands:
- socradar-get-indicators
- socradar-reset-fetch-indicators

SOCRadar ThreatFusion

Updated the Docker image to: demisto/python3:3.12.13.9059085.

New: SOCRadar Rapid Reputation

Fast reputation checking for IPs, domains, URLs, and file hashes.
Bulk check support (up to 100 indicators with automatic rate limiting at 1 req/sec).
Auto type detection with generic command.
Score-based classification (0-100 scale, rounded to 2 decimal places).

New: SOCRadar IoC Enrichment

Deep threat intelligence enrichment with signal strength and confidence levels.
Activity labels for different time periods (last 1/7/30/90 days).
Premium feeds integration with relations and historical data.
Optional AI-generated insights (disabled by default for performance).
Score formatting (2 decimal places for readability).

Related pull requests:
- 43732
- 44181

Download

2.2.3 - 7843807 (March 22, 2026)

Documentation and metadata improvements.

Related pull requests:
- 43568

Download

2.2.2 - 7609529 (March 11, 2026)

Integrations

SOCRadar Incidents v4

Added support for the update_related_finding_status and email arguments in the socradar-change-alarm-status command.
Improved incident fetching logic for more robust date handling and deduplication.
Added support for the Show Content parameter for showing content details.

SOCRadar Incidents Multi-Tenant

Added support for the update_related_finding_status and email arguments in the socradar-change-alarm-status command.
Improved incident fetching logic for more robust date handling and deduplication.
Added support for the Show Content parameter for showing content details.

Related pull requests:
- 43459
- 43235

Download

2.2.1 - 7197348 (February 17, 2026)

Integrations

SOCRadar Incidents v4

Minor code quality improvements.

Related pull requests:
- 43165

Download

2.2.0 - 7140315 (February 13, 2026)

Integrations

New: SOCRadar Incidents Multi-Tenant

Enterprise security monitoring for MSPs and multi-tenant environments.
Fetches security incidents from multiple companies using multi-tenant API.
Centralized management of multiple companies from single integration.
Automatic company ID tracking and extraction.
Smart company ID handling for actions.
Configurable company information visibility.
All v4 features (multi-status filtering, epoch time precision, 9 management commands).
Automatic company ID extraction for seamless operations.

Related pull requests:
- 43036

Download

2.1.3 - 7101393 (February 10, 2026)

Integrations

SOCRadar ThreatFusion

Updated the "Risk Score (Out of 1000)" to "Risk Score (Out of 100)"

Related pull requests:
- 43015
- 42873

Download

2.1.2 - 7053385 (February 8, 2026)

Integrations

SOCRadar Incidents v4

Added the provider field to the SOCRadarIncidentsV4 integration.
Resolve the issues.
excluded_alarm_main_types and excluded_alarm_sub_types parameters added.
severity enum info added.
company_id is optional for alarm actions.
increased alarm history limit to eliminate duplicates.

Related pull requests:
- 42912
- 42831

Download

2.1.1 - 6862084 (January 25, 2026)

Integrations

SOCRadar Incidents v4

Added the provider field to the SOCRadarIncidentsV4 integration.

Related pull requests:
- 42786

Download

2.1.0 - 6823328 (January 21, 2026)

Integrations

SOCRadar Incidents

Updated integration configuration to organize parameters into Connect and Collect sections for better user experience.
Updated the Docker image to: demisto/python3:3.12.12.6796194.

SOCRadar Incidents v4

New Integration: SOCRadar Incidents v4.0
Fetch security incidents from SOCRadar's Incident API v4 with advanced filtering and enrichment capabilities.
Major Features:
Multi-status filtering (select multiple: OPEN, CLOSED, ON_HOLD)
Epoch time precision for zero duplicate incidents
Reverse pagination for better performance
Dynamic content extraction (adapts to different alarm types)
Configurable company ID visibility (single/multi-tenant support)
Enhanced deduplication with two-layer protection
9 management commands for full incident lifecycle
New Commands:
socradar-change-alarm-status: Change status with 11 status options
socradar-mark-false-positive: Quick false positive marking
socradar-mark-resolved: Quick resolution marking
socradar-add-comment: Add comments to alarms
socradar-change-assignee: Modify alarm assignments
socradar-add-tag: Add/remove tags
socradar-ask-analyst: Request SOCRadar analyst assistance
socradar-change-severity: Modify severity levels
socradar-test-fetch: Test fetch configuration
CustomFields:
Standard fields: alarm ID, status, asset, type, severity, tags
Dynamic content fields based on alarm type
Optional company ID and entity details
Technical Improvements:
Interval-based fetching with configurable overlap
Epoch timestamp support for precise filtering
Integer company ID with validation
Comprehensive debug logging
Better error handling and recovery
Supports up to 10,000 incidents per fetch

Related pull requests:
- 42729
- 42396

Download

2.0.18 - 5636304 (October 29, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 41629

Download

2.0.17 - 4770511 (September 4, 2025)

Integrations

SOCRadar ThreatFusion

Updated the Docker image to: demisto/python3:3.12.8.3296088.

SOCRadar Incidents

Updated the Docker image to: demisto/python3:3.12.8.3296088.

Related pull requests:
- 41158

Download

2.0.16 - R3474673 (May 20, 2025)

Integrations

SOCRadar ThreatFusion

Metadata and documentation improvements.

SOCRadar Incidents

Metadata and documentation improvements.

Related pull requests:
- 39009

Download

2.3.0 - 9183304 (May 20, 2026)

Integrations

SOCRadar Incidents

Updated the Docker image to: demisto/python3:3.12.13.9059085.

SOCRadar Incidents Multi-Tenant

Updated the Docker image to: demisto/python3:3.12.13.9059085.

SOCRadar Incidents v4

Fixed severity and status filter parameter names to match API specification (severity and status_list).
Updated the Docker image to: demisto/python3:3.12.13.9059085.

New: SOCRadar Threat Feed v2

New: Added a new integration- FeedSOCRadarThreatFeedV2 that Retrieve indicators provided by SOCRadar Collection Based IOC Feed using collection UUIDs. Users can create custom feed collections on the SOCRadar platform and use their UUIDs to fetch IOCs via this integration.
Collection-based IoC feed integration using collection UUIDs.
Fetch indicators from custom SOCRadar threat feed collections.
Support for multiple collection UUIDs with incremental feed capability.
Comprehensive indicator fields including geolocation data, scores, and maintainer information.
Added the following commands:
- socradar-get-indicators
- socradar-reset-fetch-indicators

SOCRadar ThreatFusion

Updated the Docker image to: demisto/python3:3.12.13.9059085.

New: SOCRadar Rapid Reputation

Fast reputation checking for IPs, domains, URLs, and file hashes.
Bulk check support (up to 100 indicators with automatic rate limiting at 1 req/sec).
Auto type detection with generic command.
Score-based classification (0-100 scale, rounded to 2 decimal places).

New: SOCRadar IoC Enrichment

Deep threat intelligence enrichment with signal strength and confidence levels.
Activity labels for different time periods (last 1/7/30/90 days).
Premium feeds integration with relations and historical data.
Optional AI-generated insights (disabled by default for performance).
Score formatting (2 decimal places for readability).

Related pull requests:
- 43732
- 44181

Download

2.2.3 - 7850318 (March 23, 2026)

Documentation and metadata improvements.

Related pull requests:
- 43568

Download

2.2.2 - 7609529 (March 11, 2026)

Integrations

SOCRadar Incidents v4

Added support for the update_related_finding_status and email arguments in the socradar-change-alarm-status command.
Improved incident fetching logic for more robust date handling and deduplication.
Added support for the Show Content parameter for showing content details.

SOCRadar Incidents Multi-Tenant

Added support for the update_related_finding_status and email arguments in the socradar-change-alarm-status command.
Improved incident fetching logic for more robust date handling and deduplication.
Added support for the Show Content parameter for showing content details.

Related pull requests:
- 43459
- 43235

Download

2.2.1 - 7197348 (February 17, 2026)

Integrations

SOCRadar Incidents v4

Minor code quality improvements.

Related pull requests:
- 43165

Download

2.2.0 - 7140315 (February 13, 2026)

Integrations

New: SOCRadar Incidents Multi-Tenant

Enterprise security monitoring for MSPs and multi-tenant environments.
Fetches security incidents from multiple companies using multi-tenant API.
Centralized management of multiple companies from single integration.
Automatic company ID tracking and extraction.
Smart company ID handling for actions.
Configurable company information visibility.
All v4 features (multi-status filtering, epoch time precision, 9 management commands).
Automatic company ID extraction for seamless operations.

Related pull requests:
- 43036

Download

2.1.3 - 7101393 (February 10, 2026)

Integrations

SOCRadar ThreatFusion

Updated the "Risk Score (Out of 1000)" to "Risk Score (Out of 100)"

Related pull requests:
- 43015
- 42873

Download

2.1.2 - 7053385 (February 8, 2026)

Integrations

SOCRadar Incidents v4

Added the provider field to the SOCRadarIncidentsV4 integration.
Resolve the issues.
excluded_alarm_main_types and excluded_alarm_sub_types parameters added.
severity enum info added.
company_id is optional for alarm actions.
increased alarm history limit to eliminate duplicates.

Related pull requests:
- 42912
- 42831

Download

2.1.1 - 6862084 (January 25, 2026)

Integrations

SOCRadar Incidents v4

Added the provider field to the SOCRadarIncidentsV4 integration.

Related pull requests:
- 42786

Download

2.1.0 - 6823328 (January 21, 2026)

Integrations

SOCRadar Incidents

Updated integration configuration to organize parameters into Connect and Collect sections for better user experience.
Updated the Docker image to: demisto/python3:3.12.12.6796194.

SOCRadar Incidents v4

New Integration: SOCRadar Incidents v4.0
Fetch security incidents from SOCRadar's Incident API v4 with advanced filtering and enrichment capabilities.
Major Features:
Multi-status filtering (select multiple: OPEN, CLOSED, ON_HOLD)
Epoch time precision for zero duplicate incidents
Reverse pagination for better performance
Dynamic content extraction (adapts to different alarm types)
Configurable company ID visibility (single/multi-tenant support)
Enhanced deduplication with two-layer protection
9 management commands for full incident lifecycle
New Commands:
socradar-change-alarm-status: Change status with 11 status options
socradar-mark-false-positive: Quick false positive marking
socradar-mark-resolved: Quick resolution marking
socradar-add-comment: Add comments to alarms
socradar-change-assignee: Modify alarm assignments
socradar-add-tag: Add/remove tags
socradar-ask-analyst: Request SOCRadar analyst assistance
socradar-change-severity: Modify severity levels
socradar-test-fetch: Test fetch configuration
CustomFields:
Standard fields: alarm ID, status, asset, type, severity, tags
Dynamic content fields based on alarm type
Optional company ID and entity details
Technical Improvements:
Interval-based fetching with configurable overlap
Epoch timestamp support for precise filtering
Integer company ID with validation
Comprehensive debug logging
Better error handling and recovery
Supports up to 10,000 incidents per fetch

Related pull requests:
- 42729
- 42396

Download

2.0.18 - 5636304 (October 29, 2025)

Changes are not relevant for XSIAM marketplace.

Related pull requests:
- 41629

Download

2.0.17 - 4761438 (September 4, 2025)

Integrations

SOCRadar ThreatFusion

Updated the Docker image to: demisto/python3:3.12.8.3296088.

SOCRadar Incidents

Updated the Docker image to: demisto/python3:3.12.8.3296088.

Related pull requests:
- 41158

Download

2.0.16 - R3474673 (May 20, 2025)

Integrations

SOCRadar ThreatFusion

Metadata and documentation improvements.

SOCRadar Incidents

Metadata and documentation improvements.

Related pull requests:
- 39009

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Partner
Created	August 6, 2021
Last Release	May 20, 2026

Threat Intelligence Management

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise.