diff --git a/Packs/SOCRadarTakedown/.pack-ignore b/Packs/SOCRadarTakedown/.pack-ignore new file mode 100644 index 000000000000..e69de29bb2d1 diff --git a/Packs/SOCRadarTakedown/.secrets-ignore b/Packs/SOCRadarTakedown/.secrets-ignore new file mode 100644 index 000000000000..b31fc640c72f --- /dev/null +++ b/Packs/SOCRadarTakedown/.secrets-ignore @@ -0,0 +1 @@ +https://platform.socradar.com \ No newline at end of file diff --git a/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/README.md b/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/README.md new file mode 100644 index 000000000000..a91ef9f7fc49 --- /dev/null +++ b/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/README.md @@ -0,0 +1,137 @@ +Submit and monitor takedown requests for phishing domains, impersonating accounts, and other digital risks + +## Configure SOCRadar Takedown in Cortex + +| **Parameter** | **Required** | +| --- | --- | +| API Key | True | +| Company ID | True | +| Trust any certificate (not secure) | False | +| Use system proxy settings | False | + +## Commands + +You can execute these commands from the CLI, as part of an automation, or in a playbook. +After you successfully execute a command, a DBot message appears in the War Room with the command details. + +### socradar-submit-phishing-domain + +*** +Submits a takedown request for a phishing domain or URL + +#### Base Command + +`socradar-submit-phishing-domain` + +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| domain | The phishing domain or URL to submit for takedown. | Required | +| abuse_type | Type of abuse (default is potential_phishing). Possible values are: potential_phishing, confirmed_phishing. | Optional | +| type | Type of domain/URL (default is phishing_domain). Possible values are: phishing_domain, phishing_url. | Optional | +| notes | Additional information about the takedown request. | Optional | +| send_alarm | Whether to send an alarm (default is true). Possible values are: true, false. | Optional | +| email | Email to receive notifications about the takedown request. | Required | + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| SOCRadarTakedown.PhishingDomain.Domain | string | The domain submitted for takedown | +| SOCRadarTakedown.PhishingDomain.AbuseType | string | Type of abuse | +| SOCRadarTakedown.PhishingDomain.Status | string | Status of the takedown request | +| SOCRadarTakedown.PhishingDomain.Message | string | Message returned from the API | +| SOCRadarTakedown.PhishingDomain.SendAlarm | boolean | Whether an alarm was sent | +| SOCRadarTakedown.PhishingDomain.Notes | string | Notes provided with the takedown request | + +### socradar-submit-social-media-impersonation + +*** +Submits a takedown request for an impersonating social media account + +#### Base Command + +`socradar-submit-social-media-impersonation` + +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| username | Username of the impersonating account. | Required | +| full_name | Full name shown on the impersonating account. | Required | +| account_type | Type of social media platform. Possible values are: facebook, instagram, twitter, tiktok, linkedin, youtube, meta, other. | Required | +| notes | Additional information about the takedown request. | Optional | +| send_alarm | Whether to send an alarm (default is true). Possible values are: true, false. | Optional | +| email | Email to receive notifications about the takedown request. | Required | + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| SOCRadarTakedown.SocialMediaImpersonation.Username | string | Username of the impersonating account | +| SOCRadarTakedown.SocialMediaImpersonation.FullName | string | Full name shown on the impersonating account | +| SOCRadarTakedown.SocialMediaImpersonation.AccountType | string | Type of social media platform | +| SOCRadarTakedown.SocialMediaImpersonation.AbuseType | string | Type of abuse reported | +| SOCRadarTakedown.SocialMediaImpersonation.Status | string | Status of the takedown request | +| SOCRadarTakedown.SocialMediaImpersonation.Message | string | Message returned from the API | +| SOCRadarTakedown.SocialMediaImpersonation.SendAlarm | boolean | Whether an alarm was sent | +| SOCRadarTakedown.SocialMediaImpersonation.Notes | string | Notes provided with the takedown request | + +### socradar-submit-source-code-leak + +*** +Submits a takedown request for leaked source code + +#### Base Command + +`socradar-submit-source-code-leak` + +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| id | ID of the source code leak to takedown. | Required | +| notes | Additional information about the takedown request. | Optional | +| email | Email to receive notifications about the takedown request. | Optional | + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| SOCRadarTakedown.SourceCodeLeak.LeakID | number | ID of the source code leak | +| SOCRadarTakedown.SourceCodeLeak.AbuseType | string | Type of abuse reported | +| SOCRadarTakedown.SourceCodeLeak.Status | string | Status of the takedown request | +| SOCRadarTakedown.SourceCodeLeak.Message | string | Message returned from the API | +| SOCRadarTakedown.SourceCodeLeak.Notes | string | Notes provided with the takedown request | +| SOCRadarTakedown.SourceCodeLeak.Email | string | Email provided for notifications | + +### socradar-submit-rogue-app + +*** +Submits a takedown request for a rogue mobile app + +#### Base Command + +`socradar-submit-rogue-app` + +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| id | ID of the rogue mobile app to takedown. | Required | +| notes | Additional information about the takedown request. | Optional | +| send_alarm | Whether to send an alarm (default is true). Possible values are: true, false. | Optional | +| email | Email to receive notifications about the takedown request. | Optional | + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| SOCRadarTakedown.RogueApp.AppID | string | ID of the rogue mobile app | +| SOCRadarTakedown.RogueApp.AbuseType | string | Type of abuse reported | +| SOCRadarTakedown.RogueApp.Status | string | Status of the takedown request | +| SOCRadarTakedown.RogueApp.Message | string | Message returned from the API | +| SOCRadarTakedown.RogueApp.SendAlarm | boolean | Whether alarm notification is enabled | +| SOCRadarTakedown.RogueApp.Notes | string | Additional notes for the request | +| SOCRadarTakedown.RogueApp.Email | string | Email provided for notifications | diff --git a/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.py b/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.py new file mode 100644 index 000000000000..3cdc73b64ed4 --- /dev/null +++ b/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.py @@ -0,0 +1,400 @@ +import urllib3 +import re +from typing import Any + +# Import XSOAR common functions +from CommonServerPython import * + +# Disable insecure warnings +urllib3.disable_warnings() + +""" CONSTANTS """ + +SOCRADAR_API_ENDPOINT = "https://platform.socradar.com/api" +MESSAGES = { + "BAD_REQUEST_ERROR": "An error occurred while fetching the data.", + "AUTHORIZATION_ERROR": "Authorization Error: make sure API Key is correctly set.", + "RATE_LIMIT_EXCEED_ERROR": "Rate limit has been exceeded. Please make sure your API key's rate limit is adequate.", +} + +""" CLIENT CLASS """ + + +class Client: + """ + Client class to interact with the SOCRadar Takedown API + """ + + def __init__(self, base_url: str, api_key: str, company_id: str, verify: bool, proxy: bool): + self.base_url = base_url + self.api_key = api_key + self.company_id = company_id + self.headers = {"API-KEY": self.api_key} + self.verify = verify + self.proxy = proxy + + def check_auth(self) -> dict[str, Any]: + """Checks if the API key is valid""" + url = f"{self.base_url}/get/company/{self.company_id}/takedown/requests" + + try: + response = requests.get(url, headers=self.headers, verify=self.verify) + + if response.status_code == 401: + raise Exception("Authorization Error: Invalid API Key") + elif response.status_code == 429: + raise Exception("Rate limit exceeded") + elif response.status_code >= 500: + raise Exception(f"Server Error: {response.status_code}") + elif response.status_code >= 400: + raise Exception(f"API Error: {response.status_code}") + + return {"is_success": True} + + except requests.exceptions.RequestException as e: + raise Exception(f"Connection error: {str(e)}") + + def submit_phishing_domain_takedown( + self, domain: str, abuse_type: str, domain_type: str, notes: str = "", send_alarm: bool = True, email: str = "" + ) -> dict[str, Any]: + """Submit phishing domain takedown request""" + url = f"{self.base_url}/add/company/{self.company_id}/takedown/request" + data = { + "abuse_type": abuse_type, + "entity": domain, + "type": domain_type, + "notes": notes, + "send_alarm": send_alarm, + "email": email, + } + + response = requests.post(url, json=data, headers=self.headers, verify=self.verify) + + if response.status_code >= 400: + raise Exception(f"API Error: {response.status_code} - {response.text}") + + return response.json() + + def submit_social_media_impersonation_takedown( + self, username: str, full_name: str, account_type: str, notes: str = "", send_alarm: bool = True, email: str = "" + ) -> dict[str, Any]: + """Submit social media impersonation takedown request""" + url = f"{self.base_url}/add/company/{self.company_id}/takedown/request/social_media_risks" + data = { + "impersonating_account": {"username": username, "full_name": full_name, "account_type": account_type}, + "notes": notes, + "send_alarm": send_alarm, + "email": email, + } + + response = requests.post(url, json=data, headers=self.headers, verify=self.verify) + + if response.status_code >= 400: + raise Exception(f"API Error: {response.status_code} - {response.text}") + + return response.json() + + def submit_source_code_leak_takedown(self, leak_id: int, notes: str = "", email: str = "") -> dict[str, Any]: + """Submit source code leak takedown request""" + url = f"{self.base_url}/add/company/{self.company_id}/takedown/request/source_code_leaks" + data = { + "id": leak_id, + "notes": notes, + "email": email, + } + + response = requests.post(url, json=data, headers=self.headers, verify=self.verify) + + if response.status_code >= 400: + raise Exception(f"API Error: {response.status_code} - {response.text}") + + return response.json() + + def submit_rogue_app_takedown(self, app_id: int, notes: str = "", email: str = "") -> dict[str, Any]: + """Submit rogue mobile app takedown request""" + url = f"{self.base_url}/add/company/{self.company_id}/takedown/request/rogue_mobile_apps" + data = { + "id": app_id, + "notes": notes, + "email": email, + } + + response = requests.post(url, json=data, headers=self.headers, verify=self.verify) + + if response.status_code >= 400: + raise Exception(f"API Error: {response.status_code} - {response.text}") + + return response.json() + + +""" HELPER FUNCTIONS """ + + +class Validator: + @staticmethod + def validate_domain(domain_to_validate: str) -> bool: + if not isinstance(domain_to_validate, str) or len(domain_to_validate) > 255: + return False + if domain_to_validate.endswith("."): + domain_to_validate = domain_to_validate[:-1] + domain_regex = re.compile(r"(?!-)[A-Z\d-]{1,63}(? bool: + """Basic URL validation""" + url_pattern = re.compile( + r"^https?://" # http:// or https:// + r"(?:(?:[A-Z0-9](?:[A-Z0-9-]{0,61}[A-Z0-9])?\.)+[A-Z]{2,6}\.?|" # domain... + r"localhost|" # localhost... + r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" # ...or ip + r"(?::\d+)?" # optional port + r"(?:/?|[/?]\S+)$", + re.IGNORECASE, + ) + return url_pattern.match(url) is not None + + @staticmethod + def raise_if_url_not_valid(url: str): + if not Validator.validate_url(url): + raise ValueError(f'URL "{url}" is not a valid URL') + + +def get_client_from_params() -> Client: + """Initialize client from demisto params""" + params = demisto.params() + api_key = params.get("credentials", {}).get("password", "").strip() + company_id = params.get("credentials", {}).get("identifier", "").strip() + verify_certificate = not params.get("insecure", False) + proxy = params.get("proxy", False) + + if not api_key: + raise ValueError("API Key is required") + if not company_id: + raise ValueError("Company ID is required") + + return Client(base_url=SOCRADAR_API_ENDPOINT, api_key=api_key, company_id=company_id, verify=verify_certificate, proxy=proxy) + + +""" COMMAND FUNCTIONS """ + + +def test_module(client: Client) -> str: + """Tests API connectivity and authentication""" + try: + client.check_auth() + return "ok" + except Exception as e: + return f"Test failed: {str(e)}" + + +def submit_phishing_domain_takedown_command(client: Client) -> CommandResults: + """Submits a takedown request for a phishing domain or URL""" + args = demisto.args() + domain = args.get("domain", "") + abuse_type = args.get("abuse_type", "potential_phishing") + domain_type = args.get("type", "phishing_domain") + notes = args.get("notes", "") + send_alarm = args.get("send_alarm", "true").lower() == "true" + email = args.get("email", "") + + # Validate based on type + if domain_type == "phishing_url": + Validator.raise_if_url_not_valid(domain) + else: # phishing_domain + Validator.raise_if_domain_not_valid(domain) + + # Submit request + raw_response = client.submit_phishing_domain_takedown( + domain=domain, abuse_type=abuse_type, domain_type=domain_type, notes=notes, send_alarm=send_alarm, email=email + ) + + # Prepare output + readable_output = "### Phishing Domain Takedown Request\n" + readable_output += f"**Domain**: {domain}\n" + readable_output += f"**Status**: {'Success' if raw_response.get('is_success', False) else 'Failed'}\n" + + if raw_response.get("message"): + readable_output += f"**Message**: {raw_response.get('message')}\n" + + outputs = { + "Domain": domain, + "AbuseType": abuse_type, + "Status": "Success" if raw_response.get("is_success", False) else "Failed", + "Message": raw_response.get("message", ""), + "SendAlarm": send_alarm, + "Notes": notes, + } + + return CommandResults( + outputs_prefix="SOCRadarTakedown.PhishingDomain", + outputs_key_field="Domain", + outputs=outputs, + readable_output=readable_output, + raw_response=raw_response, + ) + + +def submit_social_media_impersonation_takedown_command(client: Client) -> CommandResults: + """Submits a takedown request for social media impersonation""" + args = demisto.args() + username = args.get("username", "") + full_name = args.get("full_name", "") + account_type = args.get("account_type", "") + notes = args.get("notes", "") + send_alarm = args.get("send_alarm", "true").lower() == "true" + email = args.get("email", "") + + # Submit request + raw_response = client.submit_social_media_impersonation_takedown( + username=username, + full_name=full_name, + account_type=account_type, + notes=notes, + send_alarm=send_alarm, + email=email, + ) + + # Prepare output + readable_output = "### Social Media Impersonation Takedown Request\n" + readable_output += f"**Username**: {username}\n" + readable_output += f"**Full Name**: {full_name}\n" + readable_output += f"**Account Type**: {account_type}\n" + readable_output += f"**Status**: {'Success' if raw_response.get('is_success', False) else 'Failed'}\n" + + if raw_response.get("message"): + readable_output += f"**Message**: {raw_response.get('message')}\n" + + outputs = { + "Username": username, + "FullName": full_name, + "AccountType": account_type, + "AbuseType": "impersonating_accounts", + "Status": "Success" if raw_response.get("is_success", False) else "Failed", + "Message": raw_response.get("message", ""), + "SendAlarm": send_alarm, + "Notes": notes, + } + + return CommandResults( + outputs_prefix="SOCRadarTakedown.SocialMediaImpersonation", + outputs_key_field="Username", + outputs=outputs, + readable_output=readable_output, + raw_response=raw_response, + ) + + +def submit_source_code_leak_takedown_command(client: Client) -> CommandResults: + """Submits a takedown request for leaked source code""" + args = demisto.args() + leak_id = int(args.get("id", "0")) + notes = args.get("notes", "") + email = args.get("email", "") + + # Submit request + raw_response = client.submit_source_code_leak_takedown(leak_id=leak_id, notes=notes, email=email) + + # Prepare output + readable_output = "### Source Code Leak Takedown Request\n" + readable_output += f"**Leak ID**: {leak_id}\n" + readable_output += f"**Status**: {'Success' if raw_response.get('is_success', False) else 'Failed'}\n" + + if raw_response.get("message"): + readable_output += f"**Message**: {raw_response.get('message')}\n" + + outputs = { + "LeakID": leak_id, + "AbuseType": "source_code_leak", + "Status": "Success" if raw_response.get("is_success", False) else "Failed", + "Message": raw_response.get("message", ""), + "Notes": notes, + "Email": email, + } + + return CommandResults( + outputs_prefix="SOCRadarTakedown.SourceCodeLeak", + outputs_key_field="LeakID", + outputs=outputs, + readable_output=readable_output, + raw_response=raw_response, + ) + + +def submit_rogue_app_takedown_command(client: Client) -> CommandResults: + """Submits a takedown request for a rogue mobile app""" + args = demisto.args() + app_id = int(args.get("id", "0")) + notes = args.get("notes", "") + send_alarm = args.get("send_alarm", "true").lower() == "true" + email = args.get("email", "") + + # Submit request + raw_response = client.submit_rogue_app_takedown(app_id=app_id, notes=notes, email=email) + + # Prepare output + readable_output = "### Rogue App Takedown Request\n" + readable_output += f"**App ID**: {app_id}\n" + readable_output += f"**Status**: {'Success' if raw_response.get('is_success', False) else 'Failed'}\n" + + if raw_response.get("message"): + readable_output += f"**Message**: {raw_response.get('message')}\n" + + outputs = { + "AppID": str(app_id), + "AbuseType": "rogue_mobile_app", + "Status": "Success" if raw_response.get("is_success", False) else "Failed", + "Message": raw_response.get("message", ""), + "SendAlarm": send_alarm, + "Notes": notes, + "Email": email, + } + + return CommandResults( + outputs_prefix="SOCRadarTakedown.RogueApp", + outputs_key_field="AppID", + outputs=outputs, + readable_output=readable_output, + raw_response=raw_response, + ) + + +""" MAIN FUNCTION """ + + +def main(): + """Main function, parses params and runs command functions""" + try: + command = demisto.command() + + if command == "test-module": + client = get_client_from_params() + result = test_module(client) + return_results(result) + else: + client = get_client_from_params() + + if command == "socradar-submit-phishing-domain": + return_results(submit_phishing_domain_takedown_command(client)) + elif command == "socradar-submit-social-media-impersonation": + return_results(submit_social_media_impersonation_takedown_command(client)) + elif command == "socradar-submit-source-code-leak": + return_results(submit_source_code_leak_takedown_command(client)) + elif command == "socradar-submit-rogue-app": + return_results(submit_rogue_app_takedown_command(client)) + else: + raise NotImplementedError(f"Unknown command {command}") + + except Exception as e: + return_error(f"Failed to execute {demisto.command()} command.\nError:\n{str(e)}") + + +""" ENTRY POINT """ + +if __name__ in ("__main__", "__builtin__", "builtins"): + main() diff --git a/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.yml b/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.yml new file mode 100644 index 000000000000..867acae4f02d --- /dev/null +++ b/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.yml @@ -0,0 +1,226 @@ +commonfields: + id: SOCRadar Takedown + version: -1 +sectionorder: +- Connect +- Collect +name: SOCRadar Takedown +display: SOCRadar Takedown +category: Data Enrichment & Threat Intelligence +description: Submit and track takedown requests for phishing domains, social media impersonation, source code leaks, and rogue mobile apps through SOCRadar platform. +configuration: +- name: credentials + display: Company ID + required: true + type: 9 + displaypassword: API Key + section: Connect +- display: Trust any certificate (not secure) + name: insecure + required: false + type: 8 + section: Connect + advanced: true +- display: Use system proxy settings + name: proxy + required: false + type: 8 + section: Connect + advanced: true + +script: + script: '' + type: python + subtype: python3 + dockerimage: demisto/python3:3.12.11.3982393 + commands: + - name: socradar-submit-phishing-domain + description: Submit a takedown request for a phishing domain. + arguments: + - name: domain + description: The phishing domain or URL to be taken down. + required: true + - name: abuse_type + description: Type of abuse. + defaultValue: potential_phishing + predefined: + - potential_phishing + - confirmed_phishing + - name: type + description: Domain/URL type. + defaultValue: phishing_domain + predefined: + - phishing_domain + - phishing_url + - name: notes + description: Additional notes for the takedown request. + required: false + - name: send_alarm + description: Whether to send alarm notification. + defaultValue: "true" + predefined: + - "true" + - "false" + - name: email + description: Email address for notifications. + required: true + outputs: + - contextPath: SOCRadarTakedown.PhishingDomain.Domain + description: The domain that was reported. + type: String + - contextPath: SOCRadarTakedown.PhishingDomain.AbuseType + description: Type of abuse reported. + type: String + - contextPath: SOCRadarTakedown.PhishingDomain.Status + description: Status of the takedown request. + type: String + - contextPath: SOCRadarTakedown.PhishingDomain.Message + description: Response message from the API. + type: String + - contextPath: SOCRadarTakedown.PhishingDomain.SendAlarm + description: Whether alarm notification is enabled. + type: Boolean + - contextPath: SOCRadarTakedown.PhishingDomain.Notes + description: Additional notes for the request. + type: String + + - name: socradar-submit-social-media-impersonation + description: Submit a takedown request for social media impersonation. + arguments: + - name: username + description: Username of the impersonating account. + required: true + - name: full_name + description: Full name shown on the impersonating account. + required: true + - name: account_type + description: Type of social media platform. + required: true + predefined: + - facebook + - instagram + - twitter + - tiktok + - linkedin + - youtube + - meta + - other + - name: notes + description: Additional notes for the takedown request. + required: false + - name: send_alarm + description: Whether to send alarm notification. + defaultValue: "true" + predefined: + - "true" + - "false" + - name: email + description: Email address for notifications. + required: true + outputs: + - contextPath: SOCRadarTakedown.SocialMediaImpersonation.Username + description: Username of the impersonating account. + type: String + - contextPath: SOCRadarTakedown.SocialMediaImpersonation.FullName + description: Full name shown on the impersonating account. + type: String + - contextPath: SOCRadarTakedown.SocialMediaImpersonation.AccountType + description: Type of social media platform. + type: String + - contextPath: SOCRadarTakedown.SocialMediaImpersonation.AbuseType + description: Type of abuse reported. + type: String + - contextPath: SOCRadarTakedown.SocialMediaImpersonation.Status + description: Status of the takedown request. + type: String + - contextPath: SOCRadarTakedown.SocialMediaImpersonation.Message + description: Response message from the API. + type: String + - contextPath: SOCRadarTakedown.SocialMediaImpersonation.SendAlarm + description: Whether alarm notification is enabled. + type: Boolean + - contextPath: SOCRadarTakedown.SocialMediaImpersonation.Notes + description: Additional notes for the request. + type: String + + - name: socradar-submit-source-code-leak + description: Submit a takedown request for leaked source code. + arguments: + - name: id + description: ID of the source code leak to takedown. + required: true + - name: notes + description: Additional notes for the takedown request. + required: false + - name: email + description: Email address for notifications. + required: false + outputs: + - contextPath: SOCRadarTakedown.SourceCodeLeak.LeakID + description: ID of the source code leak. + type: Number + - contextPath: SOCRadarTakedown.SourceCodeLeak.AbuseType + description: Type of abuse reported. + type: String + - contextPath: SOCRadarTakedown.SourceCodeLeak.Status + description: Status of the takedown request. + type: String + - contextPath: SOCRadarTakedown.SourceCodeLeak.Message + description: Response message from the API. + type: String + - contextPath: SOCRadarTakedown.SourceCodeLeak.Notes + description: Additional notes for the request. + type: String + - contextPath: SOCRadarTakedown.SourceCodeLeak.Email + description: Email provided for notifications. + type: String + + - name: socradar-submit-rogue-app + description: Submit a takedown request for a rogue mobile app. + arguments: + - name: id + description: ID of the rogue mobile app to takedown. + required: true + - name: notes + description: Additional notes for the takedown request. + required: false + - name: send_alarm + description: Whether to send alarm notification. + defaultValue: "true" + predefined: + - "true" + - "false" + - name: email + description: Email address for notifications. + required: false + outputs: + - contextPath: SOCRadarTakedown.RogueApp.AppID + description: ID of the rogue mobile app. + type: String + - contextPath: SOCRadarTakedown.RogueApp.AbuseType + description: Type of abuse reported. + type: String + - contextPath: SOCRadarTakedown.RogueApp.Status + description: Status of the takedown request. + type: String + - contextPath: SOCRadarTakedown.RogueApp.Message + description: Response message from the API. + type: String + - contextPath: SOCRadarTakedown.RogueApp.SendAlarm + description: Whether alarm notification is enabled. + type: Boolean + - contextPath: SOCRadarTakedown.RogueApp.Notes + description: Additional notes for the request. + type: String + - contextPath: SOCRadarTakedown.RogueApp.Email + description: Email provided for notifications. + type: String + + runonce: false + ismappable: false + isremotesyncin: false + isremotesyncout: false + +fromversion: 6.0.0 +tests: +- No tests (auto formatted) diff --git a/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown_description.md b/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown_description.md new file mode 100644 index 000000000000..760441edc417 --- /dev/null +++ b/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown_description.md @@ -0,0 +1,17 @@ +This integration allows you to: +- Submit takedown requests for phishing domains and URLs +- Submit takedown requests for social media impersonation +- Submit takedown requests for source code leaks +- Submit takedown requests for rogue mobile apps + +## Authentication +You need a valid SOCRadar API key and Company ID to use this integration. + +## Rate Limits +Please ensure your API key has adequate rate limits for your usage. + +## Commands Available +- **socradar-submit-phishing-domain**: Submit takedown requests for phishing domains and URLs +- **socradar-submit-social-media-impersonation**: Submit takedown requests for impersonating social media accounts +- **socradar-submit-source-code-leak**: Submit takedown requests for leaked source code +- **socradar-submit-rogue-app**: Submit takedown requests for rogue mobile applications diff --git a/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown_image.png b/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown_image.png new file mode 100644 index 000000000000..1f89829473ca Binary files /dev/null and b/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown_image.png differ diff --git a/Packs/SOCRadarTakedown/README.md b/Packs/SOCRadarTakedown/README.md new file mode 100644 index 000000000000..e69de29bb2d1 diff --git a/Packs/SOCRadarTakedown/pack_metadata.json b/Packs/SOCRadarTakedown/pack_metadata.json new file mode 100644 index 000000000000..f96dd4049997 --- /dev/null +++ b/Packs/SOCRadarTakedown/pack_metadata.json @@ -0,0 +1,32 @@ +{ + "name": "SOCRadarTakedown", + "description": "Submit and manage takedown requests for phishing domains, social media impersonation, source code leaks, and rogue mobile apps through the SOCRadar platform. This pack helps security teams automate the process of reporting and tracking malicious content for removal.", + "support": "community", + "currentVersion": "1.0.0", + "author": "Community Contributor", + "url": "", + "email": "", + "created": "2025-06-24T00:00:00Z", + "categories": [ + "Data Enrichment & Threat Intelligence" + ], + "tags": [ + "Threat Intelligence" + ], + "useCases": [ + "Threat Intelligence Management", + "Phishing" + ], + "keywords": [ + "socradar", + "takedown", + "phishing", + "impersonation", + "brand protection" + ], + "marketplaces": [ + "xsoar", + "marketplacev2", + "platform" + ] +}