Publisher: Doppel
Connector Version: 1.0.0
Product Vendor: Doppel
Product Name: doppel
Minimum Product Version: 6.4.0
The Doppel-Splunk SOAR integration automates the ingestion of Doppel alerts into Splunk SOAR, creating containers and artifacts for efficient analysis. It supports actions to create, retrieve, and update alerts directly within the platform.
This table lists the configuration variables required to operate Doppel. These variables are specified when configuring a doppel asset in Splunk SOAR.
| VARIABLE | REQUIRED | TYPE | DESCRIPTION |
|---|---|---|---|
| doppel_api_key | required | password | Doppel API Key |
| user_api_key | optional | password | Optional User API Key |
| org_code | optional | string | Optional Organization Code |
| historical_polling_days | optional | numeric | Number of days to look back for initial polling (default: 30) |
test connectivity - test connectivity
create alert - Create a new alert in Doppel for a specific entity.
get alert - Fetch details of a specific Doppel alert by its ID or entity.
get all alerts - Retrieve multiple Doppel alerts based on search criteria and filters.
update alert - Update an existing Doppel alert's queue state, entity state, comment or tag.
on poll - on poll
test connectivity
Type: test
Read only: True
Basic test for app.
No parameters are required for this action
| DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
|---|---|---|---|
| action_result.status | string | success failure | |
| action_result.message | string | ||
| summary.total_objects | numeric | 1 | |
| summary.total_objects_successful | numeric | 1 |
Create a new alert in Doppel for a specific entity.
Type: generic
Read only: False
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| entity | required | Entity (domain/email/etc) | string | |
| brand | optional | Brand name | string | |
| source | optional | Source system | string |
| DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
|---|---|---|---|
| action_result.status | string | success failure | |
| action_result.message | string | ||
| action_result.parameter.entity | string | ||
| action_result.parameter.brand | string | ||
| action_result.parameter.source | string | ||
| action_result.data.*.id | string | TST-123 | |
| action_result.data.*.entity | string | example.com | |
| action_result.data.*.severity | string | high medium | |
| action_result.data.*.queue_state | string | doppel_review | |
| action_result.data.*.entity_state | string | active down | |
| action_result.data.*.doppel_link | string | url |
https://app.doppel.com/alert/TST-123 |
| action_result.data.*.brand | string | test_brand | |
| action_result.data.*.product | string | domains | |
| action_result.data.*.platform | string | domain | |
| action_result.data.*.source | string | API Upload | |
| action_result.data.*.created_at | string | timestamp |
2025-04-10T12:00:00Z |
| action_result.data.*.last_activity_timestamp | string | timestamp |
2025-04-15T10:30:00Z |
| action_result.data.*.score | numeric | 0.5 | |
| action_result.data.*.screenshot_url | string | url |
https://example.com/screenshot.png |
| action_result.data.*.tags | string | phishing, brand_protection | |
| action_result.data.*.entity_content | string | {"ip": "127.0.0.0"} | |
| action_result.data.*.success | boolean | True False | |
| summary.total_objects | numeric | 1 | |
| summary.total_objects_successful | numeric | 1 |
Fetch details of a specific Doppel alert by its ID or entity.
Type: investigate
Read only: True
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| id | optional | Alert ID | string | |
| entity | optional | Entity | string |
| DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
|---|---|---|---|
| action_result.status | string | success failure | |
| action_result.message | string | ||
| action_result.parameter.id | string | ||
| action_result.parameter.entity | string | ||
| action_result.data.*.id | string | TST-123 | |
| action_result.data.*.entity | string | example.com | |
| action_result.data.*.severity | string | high medium | |
| action_result.data.*.queue_state | string | doppel_review | |
| action_result.data.*.entity_state | string | active down | |
| action_result.data.*.doppel_link | string | url |
https://app.doppel.com/alert/TST-123 |
| action_result.data.*.brand | string | test_brand | |
| action_result.data.*.product | string | domains | |
| action_result.data.*.platform | string | domain | |
| action_result.data.*.source | string | API Upload | |
| action_result.data.*.created_at | string | timestamp |
2025-04-10T12:00:00Z |
| action_result.data.*.last_activity_timestamp | string | timestamp |
2025-04-15T10:30:00Z |
| action_result.data.*.score | numeric | 0.5 | |
| action_result.data.*.screenshot_url | string | url |
https://example.com/screenshot.png |
| action_result.data.*.tags | string | phishing, brand_protection | |
| action_result.data.*.entity_content | string | {"ip": "127.0.0.0"} | |
| summary.total_objects | numeric | 1 | |
| summary.total_objects_successful | numeric | 1 |
Retrieve multiple Doppel alerts based on search criteria and filters.
Type: investigate
Read only: True
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| search_key | optional | Search term | string | |
| queue_state | optional | Queue state | string | |
| product | optional | Product | string | |
| created_before | optional | ISO timestamp | string | |
| created_after | optional | ISO timestamp | string | |
| last_activity_timestamp | optional | ISO timestamp | string | |
| tags | optional | Comma-separated tags | string | |
| page | optional | Page number (0-based) | numeric | |
| page_size | optional | Number of alerts per page | numeric |
| DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
|---|---|---|---|
| action_result.status | string | success failure | |
| action_result.message | string | ||
| action_result.parameter.search_key | string | ||
| action_result.parameter.queue_state | string | ||
| action_result.parameter.product | string | ||
| action_result.parameter.created_before | string | ||
| action_result.parameter.created_after | string | ||
| action_result.parameter.last_activity_timestamp | string | ||
| action_result.parameter.tags | string | ||
| action_result.parameter.page | numeric | ||
| action_result.parameter.page_size | numeric | ||
| action_result.data.*.id | string | TST-123 | |
| action_result.data.*.entity | string | example.com | |
| action_result.data.*.severity | string | high medium | |
| action_result.data.*.queue_state | string | doppel_review | |
| action_result.data.*.entity_state | string | active down | |
| action_result.data.*.doppel_link | string | url |
https://app.doppel.com/alert/TST-123 |
| action_result.data.*.brand | string | test_brand | |
| action_result.data.*.product | string | domains | |
| action_result.data.*.platform | string | domain | |
| action_result.data.*.source | string | API Upload | |
| action_result.data.*.created_at | string | timestamp |
2025-04-10T12:00:00Z |
| action_result.data.*.last_activity_timestamp | string | timestamp |
2025-04-15T10:30:00Z |
| action_result.data.*.score | numeric | 0.5 | |
| action_result.data.*.screenshot_url | string | url |
https://example.com/screenshot.png |
| action_result.data.*.tags | string | phishing, brand_protection | |
| action_result.data.*.entity_content | string | {"ip": "127.0.0.0"} | |
| summary.total_objects | numeric | 1 | |
| summary.total_objects_successful | numeric | 1 |
Update an existing Doppel alert's queue state, entity state, comment or tag.
Type: generic
Read only: False
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| id | optional | Alert ID | string | |
| entity | optional | Entity | string | |
| queue_state | optional | New queue state | string | |
| entity_state | optional | New entity state | string | |
| comment | optional | Comment to add | string | |
| tag_action | optional | add/remove | string | |
| tag_name | optional | Tag name | string |
| DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
|---|---|---|---|
| action_result.status | string | success failure | |
| action_result.message | string | ||
| action_result.parameter.id | string | ||
| action_result.parameter.entity | string | ||
| action_result.parameter.queue_state | string | ||
| action_result.parameter.entity_state | string | ||
| action_result.parameter.comment | string | ||
| action_result.parameter.tag_action | string | ||
| action_result.parameter.tag_name | string | ||
| action_result.data.*.id | string | TST-123 | |
| action_result.data.*.entity | string | example.com | |
| action_result.data.*.severity | string | high medium | |
| action_result.data.*.queue_state | string | doppel_review | |
| action_result.data.*.entity_state | string | active down | |
| action_result.data.*.doppel_link | string | url |
https://app.doppel.com/alert/TST-123 |
| action_result.data.*.brand | string | test_brand | |
| action_result.data.*.product | string | domains | |
| action_result.data.*.platform | string | domain | |
| action_result.data.*.source | string | API Upload | |
| action_result.data.*.created_at | string | timestamp |
2025-04-10T12:00:00Z |
| action_result.data.*.last_activity_timestamp | string | timestamp |
2025-04-15T10:30:00Z |
| action_result.data.*.score | numeric | 0.5 | |
| action_result.data.*.screenshot_url | string | url |
https://example.com/screenshot.png |
| action_result.data.*.tags | string | phishing, brand_protection | |
| action_result.data.*.entity_content | string | {"ip": "127.0.0.0"} | |
| action_result.data.*.success | boolean | True False | |
| summary.total_objects | numeric | 1 | |
| summary.total_objects_successful | numeric | 1 |
on poll
Type: ingest
Read only: True
Callback action for the on_poll ingest functionality
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| start_time | optional | Start of time range, in epoch time (milliseconds). | numeric | |
| end_time | optional | End of time range, in epoch time (milliseconds). | numeric | |
| container_count | optional | Maximum number of container records to query for. | numeric | |
| artifact_count | optional | Maximum number of artifact records to query for. | numeric | |
| container_id | optional | Comma-separated list of container IDs to limit the ingestion to. | string |
No Output
Auto-generated Splunk SOAR Connector documentation.
Copyright 2026 Splunk Inc.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.