
Supercharge ThreatQuotient with SOCRadar Leaks, Alarms, and Vulnerabilities

  • December 4, 2025

Problem

Security teams often lack unified visibility across external threats, leaked credentials, asset exposures, and vulnerability intelligence. Without automated ingestion, correlating SOCRadar findings with ThreatQuotient data becomes manual and inefficient.


Objective

This article explains how the SOCRadar CDF integration works, what data it ingests, and how to install and configure it in ThreatQuotient to enhance investigations and threat-centric workflows.


Overview

The SOCRadar CDF (Custom Data Feed) integration enables ThreatQuotient users to pull enriched threat intelligence and risk data directly from their SOCRadar tenant. As announced in the product update, the integration ingests intelligence covering threats, leaked credentials, alarms, and asset-related vulnerabilities.

SOCRadar is an Extended Threat Intelligence (XTI) platform that combines:

  • Cyber Threat Intelligence (CTI)

  • External Attack Surface Management (EASM)

  • Digital Risk Protection (DRP)

By connecting SOCRadar and ThreatQuotient, organizations gain consolidated visibility into external threats and internal exposures.


Integration Highlights (CDF Feeds)

The SOCRadar CDF includes the following feed types, as defined in the SOCRadar integration documentation:

  1. SOCRadar Threat Feed

    • Ingests indicators from SOCRadar’s threat intelligence feeds.

    • Supports IOC attributes such as threat type, confidence, and timestamps.

  2. SOCRadar Leaks

    • Imports leaked credentials associated with your identities.

    • Converts leak records into Identity objects and enriches them with metadata.

  3. SOCRadar Alarms

    • Pulls alerts generated within your SOCRadar environment.

    • Ingests them as Events, enabling correlation with internal signals.

  4. SOCRadar Vulnerabilities

    • Ingests vulnerabilities related to organizational assets monitored by SOCRadar.

    • Creates or updates Vulnerability and Asset objects in ThreatQuotient.

Each feed can be installed and configured independently based on your operational needs.


Supported Object Types

Together, the SOCRadar feeds ingest data into the following ThreatQuotient system objects:

  • Assets

  • Events

  • Identities

  • Indicators

  • Vulnerabilities

This multi-object ingestion enables broad correlation across threat activity, asset risk, user exposure, and raw indicators.


Prerequisites

Before configuring the integration:

  • You must have an active SOCRadar license.

  • API credentials must be available from your SOCRadar tenant.

  • Internet access must allow communication with SOCRadar APIs.

Integration Behavior (Based on Official CDF Documentation)

Threat Feed

  • Pulls IOC data into Indicator objects.

  • Typical attributes include IOC type, threat categories, confidence, and source metadata.

Leaks Feed

  • Creates Identity objects for exposed accounts.

  • Stores credentials or leak-related metadata (e.g., breach source, exposure date).

Alarms Feed

  • Maps SOCRadar alarms into Event objects.

  • Supports enrichment and correlation with internal alerts.

Vulnerabilities Feed

  • Builds or updates Vulnerability objects (CVE or custom).

  • Associates vulnerabilities with corresponding Assets from your environment.

  • Includes severity, exploit information, and exposure attributes.


Why It Matters

The SOCRadar integration enables teams to:

  • Enrich ThreatQ with real-time external intelligence.

  • Correlate leaks, vulnerabilities, and events across data sources for faster triage.

  • Strengthen visibility into external attack surfaces and risks.

  • Automate ingestion workflows rather than manually importing intelligence.


Learn More

Refer to the full SOCRadar CDF documentation here:
https://helpcenter.threatq.com/Integration_Documentation/cdf/SOCRadar_CDF.htm


Call to Action

If you have feedback or additional use cases for this integration, share them in the comments to help improve this article.