What Changed
Complete new solution for SOC Prime Platform audit log ingestion via the Codeless Connector Framework (CCF). The connector uses the SOC Prime TDM API to fetch platform audit logs, with ingestion through a Data Collection Rule (DCR).
Data Source
SOC Prime Platform audit logs capture user activities and administrative actions:
- Login events and authentication patterns
- Administrative configuration changes
- API key usage and access patterns
- Platform feature utilisation
The connector polls the SOC Prime TDM API endpoint (api.tdm.socprime.com/v1/audit-logs) every 10 minutes with API key authentication.
Ingestion Mechanism
CCF-based REST API poller with DCR transformation:
- Input fields: timestamp, event_name, user_email, user_name, event_page, source_ip, user_agent
- Transform logic: maps the raw fields to standard columns (TimeGenerated, EventName, UserName, SourceIp, HttpUserAgent)
- Output table: SOCPrimeAuditLogs_CL
- Pagination: NextPageToken with 100 events per page
The DCR transforms raw SOC Prime API responses into normalised audit events with vendor/product metadata.
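How the NextPageToken pagination and the field mapping above fit together, as an added Python example that is not the connector's own code: the endpoint and field names come from this description, while the vendor/product strings, the `events` key in the response body and the sample responses are constructed assumptions.

```python
# Output schema of SOCPrimeAuditLogs_CL as described above; the raw API
# field names and the NextPageToken name are taken from the PR text, the
# vendor/product strings and the "events" key are assumptions.
VENDOR, PRODUCT = "SOC Prime", "SOC Prime Platform"
FIELD_MAP = {                      # raw API field -> normalised column
    "timestamp": "TimeGenerated",
    "event_name": "EventName",
    "user_name": "UserName",
    "source_ip": "SourceIp",
    "user_agent": "HttpUserAgent",
}

def transform_event(raw: dict) -> dict:
    """Map one raw audit event to a SOCPrimeAuditLogs_CL row."""
    row = {col: raw.get(src) for src, col in FIELD_MAP.items()}
    row["user_email"] = raw.get("user_email")   # no mapped column on the page,
    row["event_page"] = raw.get("event_page")   # so these keep their raw names
    row["Vendor"], row["Product"] = VENDOR, PRODUCT
    return row

def poll_audit_logs(fetch_page, page_size=100, max_pages=1000) -> list:
    """Follow NextPageToken until the API returns none.

    fetch_page(token, page_size) returns the decoded JSON body; a body of
    {"events": [...], "NextPageToken": str | None} is assumed here."""
    rows, token, pages = [], None, 0
    while pages < max_pages:       # hard stop in case a token ever repeats
        body = fetch_page(token, page_size)
        rows.extend(transform_event(e) for e in body.get("events", []))
        token, pages = body.get("NextPageToken"), pages + 1
        if not token:
            break
    return rows

# Constructed sample responses standing in for api.tdm.socprime.com/v1/audit-logs.
SAMPLE_PAGES = {
    None: {"NextPageToken": "p2", "events": [
        {"timestamp": "2024-01-01T10:00:00Z", "event_name": "login",
         "user_email": "a@example.com", "user_name": "alice", "event_page": "/login",
         "source_ip": "203.0.113.5", "user_agent": "Mozilla/5.0"}]},
    "p2": {"NextPageToken": None, "events": [
        {"timestamp": "2024-01-01T10:05:00Z", "event_name": "api_key_created",
         "user_email": "a@example.com", "user_name": "alice", "event_page": "/settings/api",
         "source_ip": "203.0.113.5", "user_agent": "curl/8.0"}]},
}

def fake_fetch_page(token, page_size):
    """Stand-in for an authenticated HTTP GET against the audit-logs endpoint."""
    return SAMPLE_PAGES[token]
```

Calling `poll_audit_logs(fake_fetch_page)` walks both constructed pages and yields two normalised rows.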
Detection Surface Unlocked
Enables monitoring of SOC Prime platform usage for:
- Insider threat detection (unusual administrative activity)
- Account compromise indicators (abnormal login patterns)
- Compliance auditing (who accessed what, when)
- API abuse detection (automated vs manual usage patterns)
Affected Files
Solutions/SOC Prime CCF/Data Connectors/SOCPrime_ccp/ (9 connector files)
Logos/SOCPrime_Logo.svg
(packaging artefacts: mainTemplate.json, createUiDefinition.json, 3.0.0.zip)