In this article:

Supported Platforms via API Integration

Currently, Attack Detective supports the following platforms via API integration:

On-prem IBM QRadar (to connect Attack Detective to your on-prem instance, you also need to install the SOC Prime Attack Detective App for IBM QRadar. For details, see this help article)
- Required Credentials:
  - IBM QRadar URL. URL of your IBM QRadar web console that you can copy from your browser. It should contain the hostname and port number (unless the default port 443 is used).
  - Attack Detective API key. Generate an Attack Detective API key needed to configure the SOC Prime Attack Detective App for IBM QRadar.
- Required permissions:
  - Security Profile. Attack Detective searches will run with any permission, but will only return data from the Networks/Log Sources/Domains assigned to the selected Security Profile.
  - User Role. Select a user role with at least these permissions: "Log Activity" for event searches and "Network Activity" for flow searches.

Sumo Logic (For details on how to get credentials, see this article)
- Required Credentials
  - Deployment Region
  - Timezone
  - Access ID
  - Folder ID
  - Access Key
Amazon Athena (For details about prerequisites, permissions, and credentials, see this help article). Use this integration to run investigations against your Amazon Security Lake data in OCSF-compatible format
- Required credentials:
  - AWS Access Key ID
  - Secret Access Key
  - Database
  - Region
  - Query result location
AWS OpenSearch
- Required credentials:
  - OpenSearch URL (it should contain the hostname and port number (unless the default port 443 is used))
  - OpenSearch Host & Port
  - OpenSearch Login & Password or API Key
- Required permissions (for step-by-step instructions on how to grant these permissions, see this help article):
  - Cluster permissions: cluster_composite_ops_ro, cluster_monitor
  - Index permissions (select * for the index pattern): read, indices:data/read/get, indices:data/read/search*, manage
  - Tenant permissions: global_tenant with the Read only access

Splunk Cloud
- Required credentials:
  - Splunk URL (the URL of your Splunk web console that you can copy from your browser. It should contain the hostname and port number (unless the default port 443 is used))
  - Custom Search App. Optionally fill in this field if you want to run hunting queries (when validating scan results) in an app other than Search. If the field is left empty, the default Search app is used.
  - Splunk Username
  - Splunk Password
  - Splunk API URL
- Required permissions:
  In your Splunk instance, create a user and assign it a standard User role. Alternatively, you can create a custom role similar to a User role with capabilities to read all indexes and run queries since these capabilities are sufficient for Attack Detective.
  When creating a new user, make sure that the checkmark Require password change on first login is disabled.

On-prem Splunk (to connect Attack Detective to your on-prem instance, you also need to install the SOC Prime Attack Detective App for Splunk. For details, see this help article)
- Required credentials:
  - Splunk URL (the URL of your Splunk web console that you can copy from your browser. It should contain the hostname and port number (unless the default port 443 is used))
  - Attack Detective API key. Generate an Attack Detective API key needed to configure the input in the SOC Prime Attack Detective App for Splunk.
- Required permissions:
  In your Splunk instance, create a user and assign it a standard User role. Alternatively, you can create a custom role similar to a User role with capabilities to read all indexes and run queries since these capabilities are sufficient for Attack Detective.
  When creating a new user, make sure that the checkmark Require password change on first login is disabled.

Microsoft Sentinel (For details about getting access to the platform's API, see How to Get Credentials modal in the Data Plane integration setup)
- Required credentials:
  - Client ID (Application ID)
  - Client Secret
  - Tenant ID (Directory ID)
  - Microsoft Sentinel URL
- Required permission:
  - Register your app and assign it the Microsoft Sentinel Reader role
Microsoft Defender for Endpoint (For details about getting access to the platform's API, see here)
- Required credentials:
  - Directory ID
  - Application ID
  - Client Secret
- Required permission:
  - Create an AAD Web-Application and assign it the AdvancedQuery.Read.All permission
Elastic Cloud
- Required credentials:
  - Kibana URL (it should contain the hostname and port number (unless the default port 443 is used))
  - Elasticsearch API Host & Port
  - Elastic Login & Password or API Key
- Required privileges:
  - Cluster privileges: monitor
  - Index privileges (select * in the Indices dropdown): read, view_index_metadata, monitor
On-prem Elastic (to connect Attack Detective to your on-prem instance, you also need to install the SOC Prime Attack Detective App for Elastic. For details, see this help article)
- Required credentials:
  - Kibana URL. URL of your Kibana web console that you can copy from your browser. It should contain the hostname and port number (unless the default port 443 is used).
  - Attack Detective API key. Generate an Attack Detective API key needed to configure the SOC Prime Attack Detective App for Elastic.
- Required privileges:
  - Cluster privileges: monitor, read_security, manage_api_key, manage_security
  - Index privileges (select * in the Indices dropdown): read, view_index_metadata, monitor
On-prem CrowdStrike Next-Gen SIEM Falcon LogScale (to connect Attack Detective to your on-prem instance, you also need to install the SOC Prime Attack Detective App for CrowdStrike Next-Gen SIEM Falcon LogScale. For details, see this help article)
- Required credentials:
  - CrowdStrike Next-Gen SIEM Falcon LogScale URL. The URL of your CrowdStrike Next-Gen SIEM Falcon LogScale web console that you can copy from your browser. The link should not contain a repository or view name.
  - Attack Detective API key. Generate an Attack Detective API key needed to configure the SOC Prime Attack Detective App for CrowdStrike Next-Gen SIEM Falcon LogScale.
- Required privileges:
  - Data read access permission when generating a repository token in CrowdStrike Next-Gen SIEM Falcon LogScale
Cloud CrowdStrike Next-Gen SIEM Falcon LogScale
- Required credentials:
  - CrowdStrike Next-Gen SIEM Falcon LogScale URL. The URL of your CrowdStrike Next-Gen SIEM Falcon LogScale web console that you can copy from your browser. The link should not contain a repository or view name if the Data Plane is going to be used only for Attack Detective. Otherwise, if you will also use it for Automation and hunting, the URL should include a repository or view name.
  - API Token. A repository token generated in CrowdStrike Next-Gen SIEM Falcon LogScale that grants required API access to your repository. See this instruction on how to create a token.
- Required privileges:
  - Data read access permission when generating a repository token in CrowdStrike Next-Gen SIEM Falcon LogScale
Google SecOps (OLD Cloud BackStory API, NEW Cloud Chronicle API, and Cloud Chronicle API with WIF are supported)
- Required Credentials for Cloud Chronicle API with WIF:
  - Google SecOps URL. The URL of your Google SecOps web console that you can copy from your browser
  - Google SecOps Project Number
  - Google SecOps Service Account Email
  - Region
  - Instance ID
  - Project ID
  - Azure Tenant ID
  - Azure Client ID
  - Azure Client Secret
  - WIF Pool ID
  - WIF Provider ID
  To learn how to get credentials for Cloud Chronicle API with WIF, follow this guide.
- Required Credentials for Cloud BackStory API and Cloud Chronicle API:
  - Region
  - Instance ID (only for the new API)
  - Google SecOps URL. The URL of your Google SecOps web console that you can copy from your browser
  - Project ID
  - Private Key ID
  - Private Key
  - Client Email
  - Client ID
  - Auth URI
  - Token URI
  - Auth Provider x509 Cert URL
  - Client x509 Cert URL
  - Universe Domain (only for the new API)
    
    Note:
    You need to have API access under your Google SecOps subscription with the appropriate permissions to read resources.
    OLD Cloud BackStory API: Request the Google SecOps API credentials from your reseller or dedicated Google Partner Team. When you have the credentials, import them by clicking Import JSON at the bottom of the Data Plane configuration screen.
    NEW Cloud Chronicle API: learn how to get credentials here.
  Required privileges:
  - OLD Cloud BackStory API: Data read permissions in Google SecOps
  - NEW Cloud Chronicle API: Chronicle API Viewer permission for your service account
  Note that investigations in Google SecOps involve certain constraints imposed by Chronicle Security API limitations:
  - Both old Cloud BackStory API and new Cloud Chronicle API have a rate limit of 360 queries per hour. We recommend using scenarios to limit the number of queries in a scan to keep scanning time reasonably short.
  - The maximum supported number of log sources is 60. If you have more log sources, please contact us.
  - For the old Cloud BackStory API, it’s possible to get only the number of affected users and assets that will be available in the statistics. The new Chronicle API also provides the total number of users and assets.
  - Blind spot detection based on missing event codes is available only for new Cloud Chronicle API.
  - We do not recommend using the same API token for multiple scans simultaneously since it may substantially decrease the scanning speed.
Anomali Security Analytics
- Required Credentials:
  - URL. Use the default value https://api.threatstream.com/
  - Username. The email address associated with your ThreatStream account. You can find it in the My Account tab within ThreatStream settings
  - API Key. Your dedicated API Key. You can find it in the My Account tab within ThreatStream settings
- Required privileges:
  - You need to have read access via search RESTful API
  Note:
  Attack Detective scan speed is capped by the Anomaly Security Analytics rates (only 10 new search API requests per minute per organization are allowed)

The integration is set up in the Data Planes module of the SOC Prime Platform. To learn more, go to the Data Planes Guide.

Available Features by Platform

The table below outlines which Attack Detective features are supported for each platform.

Platform Name	Type	Supported Features
Microsoft Sentinel	Cloud	Data Audit Scan Blind Spots Content Audit (Cloud, Repositories)
Microsoft Defender for Endpoint	Cloud	Data Audit Scan Content Audit (Repositories)
Elastic Stack	Cloud On-prem (SOC Prime Attack Detective App for Elasti Stack)	Data Audit Scan Blind Spots Content Audit (Cloud, Repositories)
Splunk	Cloud On-prem (SOC Prime Attack Detective App for Splunk)	Data Audit Scan Blind Spots Content Audit (Cloud, Repositories)
CrowdStrike Next-Gen SIEM Falcon LogScale	Cloud, On-prem (SOC Prime Attack Detective App for CrowdStrike Next-Gen SIEM Falcon LogScale)	Data Audit Scan Blind Spots Content Audit (Repositories)
AWS OpenSearch	Cloud	Data Audit Scan Blind Spots Content Audit (Repositories)
Google SecOps	Cloud (Chronicle API, Chronicle API with WIF)	Data Audit Scan Blind Spots Content Audit (Repositories)
Sumo Logic	Cloud	Data Audit Scan Blind Spots Content Audit (Cloud)
AWS Athena	Cloud	Data Audit Scan Blind Spots
IBM QRadar	On-prem (SOC Prime Attack Detective App for IBM QRadar)	Data Audit Scan Blind Spots
Anomali Security Analytics	Cloud	Data Audit Scan Blind Spots

Data Planes

Automation: Getting Started

API

SOC Prime Platform Product Release Notes 6.1.7

SOC Prime Platform Product Release Notes 6.2.0