x-cpod-domain: soc

SOC

Security operations — alerts, investigations, playbooks.

Try in explorer client.soc

Alert

A detection from a security tool.

REST path/api/v1/soc/alerts

Operations

listgetacknowledgeescalate

SDK

// list — returns only your records; add filters/search:
await client.soc.alerts.list()

Field	Type	Description
id*	uuid	Server-assigned ULID with type prefix (e.g. per_…).
tenant_id*	string	Tenant scope — auto-stamped from the caller's JWT.
app_id	string	App scope. Stamped ONLY when the caller's JWT was minted for a specific Application (integration API keys). Absent for human-user sessions. Filters reads when present.
created_at*	date-time	Server stamp.
updated_at*	date-time	Server stamp; updated on every patch.
created_by	uuid	Person id from the caller's JWT (sub).
updated_by	uuid	Person id from the last writer's JWT (sub).
source	string	Provenance tag — defaults to 'edm'.
source_type	enum	Where the write originated. Defaults to 'api'.`frontendbackendserversystemapi`
is_deleted	boolean	Soft-delete flag. Excluded from default list queries.
deleted_at	date-time	Stamped when soft-deleted; null otherwise.
deleted_by	uuid	Person id who soft-deleted; null otherwise.
schema_version	number	Document schema version. Bumped on incompatible writes.
title	string	Short title of the alert.
description	string	Detailed description of the alert.
severity	string	Severity level of the alert.
status	string	Current lifecycle status of the alert.
verdict	string	Analyst verdict for this alert.
source_alert	string	Connector id or name that raised this alert.
source_id	string	Connector-side event or alert identifier.
timestamp	date-time	ISO 8601 timestamp when the alert event occurred.
mitre_tactic	string	MITRE ATT&CK tactic ID.
mitre_technique	string	MITRE ATT&CK technique ID.
kill_chain_phase	string	Kill chain phase label.
host	json	Host that generated the alert.
user	json	User context associated with the alert.
indicators	json	Threat indicators (IOCs) associated with this alert.
related_alert_ids	json	IDs of correlated alerts.
related_finding_ids	json	IDs of forensic artefacts related to this alert.
assignee_id	string	ID of the analyst assigned to this alert.
investigation_id	string	ID of the Investigation this alert has been grouped into.
playbook_run_ids	json	IDs of automated playbook runs triggered by this alert.
ticket_ref	json	External ticketing system reference.
raw_data	json	Original connector payload preserved for forensic purposes.
tags	json	Free-form tags for filtering.

Investigation

An analyst-led investigation, optionally rolling up alerts.

REST path/api/v1/soc/investigations

Operations

listgetcreateupdateclose

SDK

// list — returns only your records; add filters/search:
await client.soc.investigations.list()

// create:
await client.soc.investigations.create({
  id: "rec_01HXEXAMPLE",
  tenant_id: "example tenant_id",
  created_at: "2026-01-01T00:00:00Z",
  updated_at: "2026-01-01T00:00:00Z",
  app_id: "example app_id",
  created_by: "rec_01HXEXAMPLE",
})

Field	Type	Description
id*	uuid	Server-assigned ULID with type prefix (e.g. per_…).
tenant_id*	string	Tenant scope — auto-stamped from the caller's JWT.
app_id	string	App scope. Stamped ONLY when the caller's JWT was minted for a specific Application (integration API keys). Absent for human-user sessions. Filters reads when present.
created_at*	date-time	Server stamp.
updated_at*	date-time	Server stamp; updated on every patch.
created_by	uuid	Person id from the caller's JWT (sub).
updated_by	uuid	Person id from the last writer's JWT (sub).
source	string	Provenance tag — defaults to 'edm'.
source_type	enum	Where the write originated. Defaults to 'api'.`frontendbackendserversystemapi`
is_deleted	boolean	Soft-delete flag. Excluded from default list queries.
deleted_at	date-time	Stamped when soft-deleted; null otherwise.
deleted_by	uuid	Person id who soft-deleted; null otherwise.
schema_version	number	Document schema version. Bumped on incompatible writes.
investigation_number	string	Human-readable investigation reference number.
title	string	Short title of the investigation.
description	string	Detailed description of the investigation scope.
status	string	Current lifecycle status of the investigation.
priority	string	Priority level of the investigation.
category	string	Category of the investigation.
assigned_to_id	string	ID of the analyst assigned to this investigation.
team_group_id	string	ID of the SOC team group that owns this investigation.
alert_ids	json	IDs of Alerts grouped into this investigation.
finding_ids	json	IDs of forensic findings associated with this investigation.
timeline	json	Ordered list of analyst notes and actions during the investigation.
sla_definition_id	string	ID of the SLA definition governing this investigation.
sla_tracker	json	Real-time SLA tracking data.
escalated_to_incident_id	string	ID of the GRC Incident this investigation was escalated to.
closed_at	date-time	ISO 8601 timestamp when the investigation was closed.
closure_reason	string	Explanation of why the investigation was closed.
tags	json	Free-form tags for filtering.

Playbook

A reusable response runbook.

REST path/api/v1/soc/playbooks

Operations

listgetcreateupdaterun

SDK

// list — returns only your records; add filters/search:
await client.soc.playbooks.list()

// create:
await client.soc.playbooks.create({
  id: "rec_01HXEXAMPLE",
  tenant_id: "example tenant_id",
  created_at: "2026-01-01T00:00:00Z",
  updated_at: "2026-01-01T00:00:00Z",
  app_id: "example app_id",
  created_by: "rec_01HXEXAMPLE",
})

Field	Type	Description
id*	uuid	Server-assigned ULID with type prefix (e.g. per_…).
tenant_id*	string	Tenant scope — auto-stamped from the caller's JWT.
app_id	string	App scope. Stamped ONLY when the caller's JWT was minted for a specific Application (integration API keys). Absent for human-user sessions. Filters reads when present.
created_at*	date-time	Server stamp.
updated_at*	date-time	Server stamp; updated on every patch.
created_by	uuid	Person id from the caller's JWT (sub).
updated_by	uuid	Person id from the last writer's JWT (sub).
source	string	Provenance tag — defaults to 'edm'.
source_type	enum	Where the write originated. Defaults to 'api'.`frontendbackendserversystemapi`
is_deleted	boolean	Soft-delete flag. Excluded from default list queries.
deleted_at	date-time	Stamped when soft-deleted; null otherwise.
deleted_by	uuid	Person id who soft-deleted; null otherwise.
schema_version	number	Document schema version. Bumped on incompatible writes.
name	string	Human-readable name of the playbook.
description	string	Description of what this playbook does and when to use it.
category	string	Incident response phase this playbook serves.
trigger_conditions	json	Conditions that must all be met to auto-fire this playbook.
auto_execute	boolean	Whether this playbook fires automatically when trigger conditions are met.
mitre_tactics	json	MITRE ATT&CK tactic IDs this playbook addresses.
mitre_techniques	json	MITRE ATT&CK technique IDs this playbook addresses.
steps	json	Ordered list of steps in the playbook.
required_connector_ids	json	IDs of Connectors that must be configured for this playbook to run.
owner_id	string	ID of the Person who owns this playbook.
enabled	boolean	Whether this playbook is active and eligible to run.
last_run_at	date-time	ISO 8601 timestamp of the most recent execution.
last_run_id	string	ID of the most recent playbook run instance.
run_stats	json	Aggregate execution statistics.
tags	json	Free-form tags for filtering.

Docs

Alert

Investigation

Playbook