diff --git a/Packs/SOCRadarTakedown/.pack-ignore b/Packs/SOCRadarTakedown/.pack-ignore new file mode 100644 index 000000000000..e69de29bb2d1 diff --git a/Packs/SOCRadarTakedown/.secrets-ignore b/Packs/SOCRadarTakedown/.secrets-ignore new file mode 100644 index 000000000000..e69de29bb2d1 diff --git a/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/README.md b/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/README.md new file mode 100644 index 000000000000..d2d9dd3f80e4 --- /dev/null +++ b/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/README.md @@ -0,0 +1,160 @@ +Submit and monitor takedown requests for phishing domains, impersonating accounts, and other digital risks +## Configure SOCRadar Takedown in Cortex + + +| **Parameter** | **Required** | +| --- | --- | +| API Key | True | +| Company ID | True | +| Trust any certificate (not secure) | False | +| Use system proxy settings | False | +| Reliability | False | + +## Commands + +You can execute these commands from the CLI, as part of an automation, or in a playbook. +After you successfully execute a command, a DBot message appears in the War Room with the command details. + +### socradar-submit-phishing-domain + +*** +Submits a takedown request for a phishing or malicious domain + +#### Base Command + +`socradar-submit-phishing-domain` + +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| domain | The phishing domain to submit for takedown. | Required | +| abuse_type | Type of abuse (default is potential_phishing). Possible values are: potential_phishing, malware, fake_site. | Optional | +| type | Type of domain (default is phishing_domain). Possible values are: phishing_domain, malicious_domain. | Optional | +| notes | Additional information about the takedown request. | Optional | +| send_alarm | Whether to send an alarm (default is true). Possible values are: true, false. | Optional | +| email | Email to receive notifications about the takedown request. | Required | + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| SOCRadarTakedown.PhishingDomain.Domain | string | The domain submitted for takedown | +| SOCRadarTakedown.PhishingDomain.AbuseType | string | Type of abuse | +| SOCRadarTakedown.PhishingDomain.Status | string | Status of the takedown request | +| SOCRadarTakedown.PhishingDomain.Message | string | Message returned from the API | +| SOCRadarTakedown.PhishingDomain.SendAlarm | boolean | Whether an alarm was sent | +| SOCRadarTakedown.PhishingDomain.Notes | string | Notes provided with the takedown request | + +### socradar-submit-social-media-impersonation + +*** +Submits a takedown request for an impersonating social media account + +#### Base Command + +`socradar-submit-social-media-impersonation` + +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| username | Username of the impersonating account. | Required | +| full_name | Full name shown on the impersonating account. | Required | +| account_type | Type of social media platform. Possible values are: facebook, twitter, instagram, linkedin, tiktok, youtube, other. | Required | +| description | Description or ID of the impersonation case. | Optional | +| followers | Number of followers (default is 0). | Optional | +| profile_picture | URL to the profile picture. | Optional | +| notes | Additional information about the takedown request. | Optional | +| send_alarm | Whether to send an alarm (default is false). Possible values are: true, false. | Optional | +| email | Email to receive notifications about the takedown request. | Optional | + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| SOCRadarTakedown.SocialMediaImpersonation.Username | string | Username of the impersonating account | +| SOCRadarTakedown.SocialMediaImpersonation.FullName | string | Full name shown on the impersonating account | +| SOCRadarTakedown.SocialMediaImpersonation.AccountType | string | Type of social media platform | +| SOCRadarTakedown.SocialMediaImpersonation.Status | string | Status of the takedown request | +| SOCRadarTakedown.SocialMediaImpersonation.Message | string | Message returned from the API | +| SOCRadarTakedown.SocialMediaImpersonation.SendAlarm | boolean | Whether an alarm was sent | +| SOCRadarTakedown.SocialMediaImpersonation.Notes | string | Notes provided with the takedown request | + +### socradar-get-takedown-progress + +*** +Gets the progress of a takedown request + +#### Base Command + +`socradar-get-takedown-progress` + +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| asset_id | The ID of the asset for which to check progress. | Required | +| type | Type of takedown request. Possible values are: phishing_domain, impersonating_accounts, source_code_leaks, rogue_mobile_apps. | Required | + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| SOCRadarTakedown.Progress.AssetID | string | The ID of the asset | +| SOCRadarTakedown.Progress.Type | string | Type of takedown request | +| SOCRadarTakedown.Progress.Status | string | Status of the API request | +| SOCRadarTakedown.Progress.Data | unknown | Progress data returned from the API | +| SOCRadarTakedown.Progress.Message | string | Message returned from the API | + +### socradar-submit-source-code-leak + +*** +Submits a takedown request for leaked source code + +#### Base Command + +`socradar-submit-source-code-leak` + +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| id | ID of the source code leak to takedown. | Required | +| notes | Additional information about the takedown request. | Optional | +| email | Email to receive notifications about the takedown request. | Optional | + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| SOCRadarTakedown.SourceCodeLeak.LeakID | number | ID of the source code leak | +| SOCRadarTakedown.SourceCodeLeak.Status | string | Status of the takedown request | +| SOCRadarTakedown.SourceCodeLeak.Message | string | Message returned from the API | +| SOCRadarTakedown.SourceCodeLeak.Notes | string | Notes provided with the takedown request | +| SOCRadarTakedown.SourceCodeLeak.Email | string | Email provided for notifications | + +### socradar-submit-rogue-app + +*** +Submits a takedown request for a rogue mobile app + +#### Base Command + +`socradar-submit-rogue-app` + +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| id | ID of the rogue mobile app to takedown. | Required | +| email | Email to receive notifications about the takedown request. | Optional | + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| SOCRadarTakedown.RogueApp.AppID | string | ID of the rogue mobile app | +| SOCRadarTakedown.RogueApp.Status | string | Status of the takedown request | +| SOCRadarTakedown.RogueApp.Message | string | Message returned from the API | +| SOCRadarTakedown.RogueApp.Email | string | Email provided for notifications | diff --git a/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.py b/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.py new file mode 100644 index 000000000000..b3fbdee880d5 --- /dev/null +++ b/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.py @@ -0,0 +1,404 @@ +import urllib3 +import traceback +import re +from typing import Any, Dict, List, Optional, Union +from json.decoder import JSONDecodeError + +# Import XSOAR common functions +from CommonServerPython import * + +# Disable insecure warnings +urllib3.disable_warnings() + +""" CONSTANTS """ + +SOCRADAR_API_ENDPOINT = "https://platform.socradar.com/api" +INTEGRATION_CONTEXT_NAME = "SOCRadarTakedown" +MESSAGES = { + "BAD_REQUEST_ERROR": "An error occurred while fetching the data.", + "AUTHORIZATION_ERROR": "Authorization Error: make sure API Key is correctly set.", + "RATE_LIMIT_EXCEED_ERROR": "Rate limit has been exceeded. Please make sure your API key's rate limit is adequate.", + "SUCCESS": "Request submitted successfully", + "FAILED": "Request submission failed" +} + +""" CLIENT CLASS """ + + +class Client: + """ + Client class to interact with the SOCRadar Takedown API + """ + + def __init__(self, base_url: str, api_key: str, company_id: str, verify: bool, proxy: bool): + self.base_url = base_url.rstrip('/') + self.api_key = api_key + self.company_id = company_id + self.headers = { + "API-KEY": self.api_key, + "Content-Type": "application/json" + } + self.verify = verify + self.proxy = proxy + + def _http_request(self, method: str, url_suffix: str, json_data: Optional[Dict] = None) -> Dict[str, Any]: + """Generic HTTP request method with proper error handling""" + full_url = f"{self.base_url}{url_suffix}" + + try: + response = requests.request( + method=method, + url=full_url, + headers=self.headers, + json=json_data, + verify=self.verify, + proxies=handle_proxy() if self.proxy else None + ) + + # Handle different HTTP status codes + if response.status_code == 401: + raise DemistoException(MESSAGES["AUTHORIZATION_ERROR"]) + elif response.status_code == 429: + raise DemistoException(MESSAGES["RATE_LIMIT_EXCEED_ERROR"]) + elif response.status_code >= 500: + raise DemistoException(f"Server Error: {response.status_code} - {response.text}") + elif response.status_code >= 400: + raise DemistoException(f"Client Error: {response.status_code} - {response.text}") + + try: + return response.json() + except JSONDecodeError: + return {"status_code": response.status_code, "text": response.text} + + except requests.exceptions.Timeout: + raise DemistoException("Request timeout occurred") + except requests.exceptions.ConnectionError: + raise DemistoException("Connection error occurred") + except requests.exceptions.RequestException as e: + raise DemistoException(f"Request failed: {str(e)}") + + def test_connection(self) -> Dict[str, Any]: + """Tests API connectivity and authentication""" + url_suffix = f"/get/company/{self.company_id}/takedown/requests" + return self._http_request("GET", url_suffix) + + def submit_takedown_request(self, entity: str, request_type: str, abuse_type: str, + notes: str = "", send_alarm: bool = True, email: str = "") -> Dict[str, Any]: + """Submit takedown request to SOCRadar API""" + url_suffix = f"/add/company/{self.company_id}/takedown/request" + data = { + "abuse_type": abuse_type, + "entity": entity, + "type": request_type, + "notes": notes, + "send_alarm": send_alarm, + "email": email + } + + return self._http_request("POST", url_suffix, data) + + +""" HELPER FUNCTIONS """ + + +class Validator: + @staticmethod + def validate_domain(domain_to_validate: str) -> bool: + """Validate domain format""" + if not isinstance(domain_to_validate, str) or len(domain_to_validate) > 255: + return False + if domain_to_validate.endswith("."): + domain_to_validate = domain_to_validate[:-1] + domain_regex = re.compile(r"(?!-)[A-Z\d-]{1,63}(? bool: + """Validate URL format""" + url_pattern = re.compile( + r'^https?://' # http:// or https:// + r'(?:(?:[A-Z0-9](?:[A-Z0-9-]{0,61}[A-Z0-9])?\.)+[A-Z]{2,6}\.?|' # domain... + r'localhost|' # localhost... + r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})' # ...or ip + r'(?::\d+)?' # optional port + r'(?:/?|[/?]\S+)$', re.IGNORECASE) + return url_pattern.match(url) is not None + + @staticmethod + def validate_email(email: str) -> bool: + """Validate email format""" + email_pattern = re.compile(r'^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$') + return email_pattern.match(email) is not None + + +def get_client_from_params() -> Client: + """Initialize client from demisto params""" + params = demisto.params() + + api_key = params.get("apikey", {}).get("password", "") if isinstance(params.get("apikey"), dict) else params.get("apikey", "") + company_id = params.get("company_id", "").strip() + base_url = params.get("url", SOCRADAR_API_ENDPOINT).strip() + verify_certificate = not params.get("insecure", False) + proxy = params.get("proxy", False) + + if not api_key: + raise ValueError("API Key is required") + if not company_id: + raise ValueError("Company ID is required") + + return Client( + base_url=base_url, + api_key=api_key, + company_id=company_id, + verify=verify_certificate, + proxy=proxy + ) + + +def create_takedown_command_result(entity: str, entity_type: str, abuse_type: str, + notes: str, send_alarm: bool, raw_response: Dict, + context_prefix: str, key_field: str) -> CommandResults: + """Generic function to create CommandResults for takedown requests""" + + is_success = raw_response.get('is_success', False) or raw_response.get('success', False) + status = MESSAGES["SUCCESS"] if is_success else MESSAGES["FAILED"] + + # Create readable output + readable_output = f"### {entity_type} Takedown Request\n" + readable_output += f"**{key_field}**: {entity}\n" + readable_output += f"**Status**: {status}\n" + readable_output += f"**Abuse Type**: {abuse_type}\n" + + if raw_response.get("message"): + readable_output += f"**Message**: {raw_response.get('message')}\n" + + if notes: + readable_output += f"**Notes**: {notes}\n" + + # Create context output + outputs = { + key_field: entity, + "AbuseType": abuse_type, + "Status": status, + "Message": raw_response.get("message", ""), + "SendAlarm": send_alarm, + "Notes": notes, + "RequestId": raw_response.get("request_id") or raw_response.get("id"), + "Timestamp": raw_response.get("timestamp") or raw_response.get("created_at") + } + + return CommandResults( + outputs_prefix=f"{INTEGRATION_CONTEXT_NAME}.{context_prefix}", + outputs_key_field=key_field, + outputs=outputs, + readable_output=readable_output, + raw_response=raw_response + ) + + +""" COMMAND FUNCTIONS """ + + +def test_module(client: Client) -> str: + """Tests API connectivity and authentication""" + try: + client.test_connection() + return "ok" + except Exception as e: + demisto.error(f"Test module failed: {str(e)}") + return f"Test failed: {str(e)}" + + +def submit_phishing_domain_takedown_command(client: Client) -> CommandResults: + """Submits a takedown request for a phishing domain""" + args = demisto.args() + domain = args.get("domain", "").strip() + abuse_type = args.get("abuse_type", "potential_phishing") + domain_type = args.get("type", "phishing_domain") + notes = args.get("notes", "") + send_alarm = argToBoolean(args.get("send_alarm", True)) + email = args.get("email", "").strip() + + # Validation + if not domain: + raise ValueError("Domain is required") + if not Validator.validate_domain(domain): + raise ValueError(f'Domain "{domain}" is not valid') + if email and not Validator.validate_email(email): + raise ValueError(f'Email "{email}" is not valid') + + # Submit request + raw_response = client.submit_takedown_request( + entity=domain, + request_type=domain_type, + abuse_type=abuse_type, + notes=notes, + send_alarm=send_alarm, + email=email + ) + + return create_takedown_command_result( + entity=domain, + entity_type="Phishing Domain", + abuse_type=abuse_type, + notes=notes, + send_alarm=send_alarm, + raw_response=raw_response, + context_prefix="PhishingDomain", + key_field="Domain" + ) + + +def submit_social_media_impersonation_takedown_command(client: Client) -> CommandResults: + """Submits a takedown request for social media impersonation""" + args = demisto.args() + url_link = args.get("url", "").strip() + abuse_type = args.get("abuse_type", "impersonating_accounts") + notes = args.get("notes", "") + send_alarm = argToBoolean(args.get("send_alarm", True)) + email = args.get("email", "").strip() + + # Validation + if not url_link: + raise ValueError("URL is required") + if not Validator.validate_url(url_link): + raise ValueError(f'URL "{url_link}" is not valid') + if email and not Validator.validate_email(email): + raise ValueError(f'Email "{email}" is not valid') + + # Submit request + raw_response = client.submit_takedown_request( + entity=url_link, + request_type="impersonating_accounts", + abuse_type=abuse_type, + notes=notes, + send_alarm=send_alarm, + email=email + ) + + return create_takedown_command_result( + entity=url_link, + entity_type="Social Media Impersonation", + abuse_type=abuse_type, + notes=notes, + send_alarm=send_alarm, + raw_response=raw_response, + context_prefix="SocialMediaImpersonation", + key_field="URL" + ) + + +def submit_source_code_leak_takedown_command(client: Client) -> CommandResults: + """Submits a takedown request for leaked source code""" + args = demisto.args() + url_link = args.get("url", "").strip() + abuse_type = args.get("abuse_type", "source_code_leak") + notes = args.get("notes", "") + send_alarm = argToBoolean(args.get("send_alarm", True)) + email = args.get("email", "").strip() + + # Validation + if not url_link: + raise ValueError("URL is required") + if not Validator.validate_url(url_link): + raise ValueError(f'URL "{url_link}" is not valid') + if email and not Validator.validate_email(email): + raise ValueError(f'Email "{email}" is not valid') + + # Submit request + raw_response = client.submit_takedown_request( + entity=url_link, + request_type="source_code_leak", + abuse_type=abuse_type, + notes=notes, + send_alarm=send_alarm, + email=email + ) + + return create_takedown_command_result( + entity=url_link, + entity_type="Source Code Leak", + abuse_type=abuse_type, + notes=notes, + send_alarm=send_alarm, + raw_response=raw_response, + context_prefix="SourceCodeLeak", + key_field="URL" + ) + + +def submit_rogue_app_takedown_command(client: Client) -> CommandResults: + """Submits a takedown request for a rogue mobile app""" + args = demisto.args() + app_info = args.get("app_info", "").strip() + abuse_type = args.get("abuse_type", "rogue_mobile_app") + notes = args.get("notes", "") + send_alarm = argToBoolean(args.get("send_alarm", True)) + email = args.get("email", "").strip() + + # Validation + if not app_info: + raise ValueError("App info is required") + if email and not Validator.validate_email(email): + raise ValueError(f'Email "{email}" is not valid') + + # Submit request + raw_response = client.submit_takedown_request( + entity=app_info, + request_type="rogue_mobile_app", + abuse_type=abuse_type, + notes=notes, + send_alarm=send_alarm, + email=email + ) + + return create_takedown_command_result( + entity=app_info, + entity_type="Rogue App", + abuse_type=abuse_type, + notes=notes, + send_alarm=send_alarm, + raw_response=raw_response, + context_prefix="RogueApp", + key_field="AppInfo" + ) + + +""" MAIN FUNCTION """ + + +def main(): + """Main function, parses params and runs command functions""" + try: + demisto.debug(f"Command being called: {demisto.command()}") + + if demisto.command() == "test-module": + client = get_client_from_params() + result = test_module(client) + return_results(result) + + else: + client = get_client_from_params() + + commands = { + "socradar-submit-phishing-domain": submit_phishing_domain_takedown_command, + "socradar-submit-social-media-impersonation": submit_social_media_impersonation_takedown_command, + "socradar-submit-source-code-leak": submit_source_code_leak_takedown_command, + "socradar-submit-rogue-app": submit_rogue_app_takedown_command, + } + + command = demisto.command() + if command in commands: + return_results(commands[command](client)) + else: + raise NotImplementedError(f"Command {command} is not implemented") + + except Exception as e: + demisto.error(f"Failed to execute {demisto.command()} command. Error: {str(e)}") + return_error(f"Failed to execute {demisto.command()} command.\nError:\n{str(e)}") + + +""" ENTRY POINT """ + +if __name__ in ("__main__", "__builtin__", "builtins"): + main() diff --git a/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.yml b/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.yml new file mode 100644 index 000000000000..25b023f0d2e6 --- /dev/null +++ b/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown.yml @@ -0,0 +1,237 @@ +category: Data Enrichment & Threat Intelligence +commonfields: + id: SOCRadarTakedown + version: -1 +name: SOCRadar Takedown +display: SOCRadar Takedown +category: Data Enrichment & Threat Intelligence +description: Submit and track takedown requests for phishing domains, social media impersonation, source code leaks, and rogue mobile apps through SOCRadar platform. +detaileddescription: | + This integration allows you to: + - Submit takedown requests for phishing domains + - Submit takedown requests for social media impersonation + - Submit takedown requests for source code leaks + - Submit takedown requests for rogue mobile apps + - Track the progress of submitted takedown requests + + ## Authentication + You need a valid SOCRadar API key and Company ID to use this integration. + + ## Rate Limits + Please ensure your API key has adequate rate limits for your usage. + +configuration: +- display: SOCRadar API Key + name: apikey + required: true + type: 4 + additionalinfo: Your SOCRadar platform API key +- display: Company ID + name: company_id + required: true + type: 0 + additionalinfo: Your SOCRadar Company ID +- display: Trust any certificate (not secure) + name: insecure + required: false + type: 8 + defaultvalue: false +- display: Use system proxy settings + name: proxy + required: false + type: 8 + defaultvalue: false + +script: + script: '' + type: python + subtype: python3 + dockerimage: demisto/python3:3.10.13.72123 + runonce: false + commands: + - name: socradar-submit-phishing-domain + description: Submit a takedown request for a phishing domain. + arguments: + - name: domain + description: The phishing domain to be taken down. + required: true + - name: abuse_type + description: Type of abuse. + defaultValue: potential_phishing + predefined: + - potential_phishing + - confirmed_phishing + - name: type + description: Domain type. + defaultValue: phishing_domain + predefined: + - phishing_domain + - lookalike_domain + - name: notes + description: Additional notes for the takedown request. + required: false + - name: send_alarm + description: Whether to send alarm notification. + defaultValue: "true" + predefined: + - "true" + - "false" + - name: email + description: Email address for notifications. + required: true + outputs: + - contextPath: SOCRadarTakedown.PhishingDomain.Domain + description: The domain that was reported. + type: String + - contextPath: SOCRadarTakedown.PhishingDomain.AbuseType + description: Type of abuse reported. + type: String + - contextPath: SOCRadarTakedown.PhishingDomain.Status + description: Status of the takedown request. + type: String + - contextPath: SOCRadarTakedown.PhishingDomain.Message + description: Response message from the API. + type: String + - contextPath: SOCRadarTakedown.PhishingDomain.SendAlarm + description: Whether alarm notification is enabled. + type: Boolean + - contextPath: SOCRadarTakedown.PhishingDomain.Notes + description: Additional notes for the request. + type: String + - name: socradar-submit-social-media-impersonation + description: Submit a takedown request for social media impersonation. + arguments: + - name: url + description: URL of the impersonating social media account. + required: true + - name: abuse_type + description: Type of abuse. + defaultValue: impersonating_accounts + predefined: + - impersonating_accounts + - fake_profiles + - name: notes + description: Additional notes for the takedown request. + required: false + - name: send_alarm + description: Whether to send alarm notification. + defaultValue: "true" + predefined: + - "true" + - "false" + - name: email + description: Email address for notifications. + required: true + outputs: + - contextPath: SOCRadarTakedown.SocialMediaImpersonation.URL + description: The URL that was reported. + type: String + - contextPath: SOCRadarTakedown.SocialMediaImpersonation.AbuseType + description: Type of abuse reported. + type: String + - contextPath: SOCRadarTakedown.SocialMediaImpersonation.Status + description: Status of the takedown request. + type: String + - contextPath: SOCRadarTakedown.SocialMediaImpersonation.Message + description: Response message from the API. + type: String + - contextPath: SOCRadarTakedown.SocialMediaImpersonation.SendAlarm + description: Whether alarm notification is enabled. + type: Boolean + - contextPath: SOCRadarTakedown.SocialMediaImpersonation.Notes + description: Additional notes for the request. + type: String + - name: socradar-submit-source-code-leak + description: Submit a takedown request for leaked source code. + arguments: + - name: url + description: URL where the source code leak is found. + required: true + - name: abuse_type + description: Type of abuse. + defaultValue: source_code_leak + predefined: + - source_code_leak + - data_leak + - name: notes + description: Additional notes for the takedown request. + required: false + - name: send_alarm + description: Whether to send alarm notification. + defaultValue: "true" + predefined: + - "true" + - "false" + - name: email + description: Email address for notifications. + required: true + outputs: + - contextPath: SOCRadarTakedown.SourceCodeLeak.URL + description: The URL that was reported. + type: String + - contextPath: SOCRadarTakedown.SourceCodeLeak.AbuseType + description: Type of abuse reported. + type: String + - contextPath: SOCRadarTakedown.SourceCodeLeak.Status + description: Status of the takedown request. + type: String + - contextPath: SOCRadarTakedown.SourceCodeLeak.Message + description: Response message from the API. + type: String + - contextPath: SOCRadarTakedown.SourceCodeLeak.SendAlarm + description: Whether alarm notification is enabled. + type: Boolean + - contextPath: SOCRadarTakedown.SourceCodeLeak.Notes + description: Additional notes for the request. + type: String + - name: socradar-submit-rogue-app + description: Submit a takedown request for a rogue mobile app. + arguments: + - name: app_info + description: Information about the rogue mobile app (name, store URL, etc.) + required: true + - name: abuse_type + description: Type of abuse. + defaultValue: rogue_mobile_app + predefined: + - rogue_mobile_app + - malicious_app + - name: notes + description: Additional notes for the takedown request. + required: false + - name: send_alarm + description: Whether to send alarm notification. + defaultValue: "true" + predefined: + - "true" + - "false" + - name: email + description: Email address for notifications. + required: true + outputs: + - contextPath: SOCRadarTakedown.RogueApp.AppInfo + description: Information about the app that was reported. + type: String + - contextPath: SOCRadarTakedown.RogueApp.AbuseType + description: Type of abuse reported. + type: String + - contextPath: SOCRadarTakedown.RogueApp.Status + description: Status of the takedown request. + type: String + - contextPath: SOCRadarTakedown.RogueApp.Message + description: Response message from the API. + type: String + - contextPath: SOCRadarTakedown.RogueApp.SendAlarm + description: Whether alarm notification is enabled. + type: Boolean + - contextPath: SOCRadarTakedown.RogueApp.Notes + description: Additional notes for the request. + type: String + runonce: false + ismappable: false + isremotesyncin: false + isremotesyncout: false + +fromversion: 6.0.0 +tests: +- No tests (auto formatted) \ No newline at end of file diff --git a/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown_description.md b/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown_description.md new file mode 100644 index 000000000000..3ec47ae26287 --- /dev/null +++ b/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown_description.md @@ -0,0 +1,12 @@ +This integration allows you to: +- Submit takedown requests for phishing domains +- Submit takedown requests for social media impersonation +- Submit takedown requests for source code leaks +- Submit takedown requests for rogue mobile apps +- Track the progress of submitted takedown requests + +## Authentication +You need a valid SOCRadar API key and Company ID to use this integration. + +## Rate Limits +Please ensure your API key has adequate rate limits for your usage. \ No newline at end of file diff --git a/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown_image.png b/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown_image.png new file mode 100644 index 000000000000..819ef1d585f0 Binary files /dev/null and b/Packs/SOCRadarTakedown/Integrations/SOCRadarTakedown/SOCRadarTakedown_image.png differ diff --git a/Packs/SOCRadarTakedown/README.md b/Packs/SOCRadarTakedown/README.md new file mode 100644 index 000000000000..e69de29bb2d1 diff --git a/Packs/SOCRadarTakedown/pack_metadata.json b/Packs/SOCRadarTakedown/pack_metadata.json new file mode 100644 index 000000000000..2f0968683592 --- /dev/null +++ b/Packs/SOCRadarTakedown/pack_metadata.json @@ -0,0 +1,30 @@ +{ + "name": "SOCRadarTakedown", + "description": "Submit and manage takedown requests for phishing domains, social media impersonation, source code leaks, and rogue mobile apps through the SOCRadar platform. This pack helps security teams automate the process of reporting and tracking malicious content for removal.", + "support": "community", + "currentVersion": "1.0.0", + "author": "Community Contributor", + "url": "", + "email": "", + "created": "2025-06-24T00:00:00Z", + "categories": [ + "Threat Intelligence" + ], + "tags": [ + "takedown", + "phishing", + "threat-intelligence", + "brand-protection" + ], + "useCases": [ + "Brand Protection", + "Threat Intelligence Management" + ], + "keywords": [ + "socradar", + "takedown", + "phishing", + "impersonation", + "brand protection" + ] +}