Quick Start

Connect PocketSOC securely

Choose how you want to use PocketSOC. Teams connect through the portal; individuals connect directly from the app.

Step 1: Create API credentials

Prefer per-user clients so actions stay attributable and easy to revoke.

CrowdStrike Falcon
  • Falcon Console → API Clients & Keys → Create OAuth2 API Client
  • Scopes: Alerts (read/write), Hosts (read/write), User Mgmt (read)
  • Copy Client ID and Client Secret
Defender for Endpoint
  • Azure Portal → App registrations → New registration
  • Select Application or Delegated permissions
  • Assign Alert.ReadWrite.All and Machine.ReadWrite.All; grant admin consent
  • Create client secret; capture Tenant ID, Client ID, Client Secret
Defender for Cloud
  • Azure Portal → App registrations → New registration
  • Add user_impersonation (Delegated) or assign Security Reader/Admin RBAC role
  • Capture Tenant ID, Client ID, Subscription ID
  • Create client secret if using App permissions
AWS GuardDuty
  • AWS Console → IAM → Users → Create user (PocketSOC)
  • Attach AmazonGuardDutyReadOnlyAccess policy
  • Create access key; copy Access Key ID and Secret Access Key
  • Note the AWS region where GuardDuty is enabled
Step 2: Configure in the portal

Go to portal.pocketsoc.com → Settings → Vendor Configurations → Add Configuration. Select your vendor and enter the credentials from Step 1.

  • CrowdStrike: Base URL (cloud region), Client ID, Client Secret
  • Defender for Endpoint: Tenant ID, Client ID, Client Secret (if App permissions)
  • Defender for Cloud: Tenant ID, Subscription ID, Application ID, Client Secret (if App permissions)
  • AWS GuardDuty: AWS Region, Access Key ID, Secret Access Key

The app automatically pulls configurations assigned to your user.

  • Revoke credentials in your vendor console at any time
  • No personal access tokens

Step 3: Enable push notifications

Optional but recommended for fast triage.

  • CrowdStrike: copy your PocketSOC webhook URL from Portal Settings; configure Falcon notification forwarding
  • Defender for Endpoint: forward alerts via Sentinel Analytics rule or a Logic App to your PocketSOC webhook URL
  • Defender for Cloud: set up an Azure Logic App + Workflow Automation to forward alerts (see the setup guide)
  • AWS GuardDuty: create an EventBridge rule to forward findings (see the setup guide)
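
The GuardDuty step above relies on an EventBridge rule whose event pattern decides which findings reach the webhook. The following is an added example, not PocketSOC's own code or setup guide: it shows such a pattern and a small matcher that reproduces EventBridge's list and numeric-comparator semantics for the keys used, run over constructed sample events. The severity floor of 4 is an assumed tuning choice, not a PocketSOC requirement.

```python
import operator

# Event pattern for the EventBridge rule that forwards GuardDuty findings. "source"
# and "detail-type" are the values GuardDuty emits; the severity floor (>= 4,
# Medium and above) is an assumed tuning choice, not a PocketSOC requirement.
FORWARD_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 4]}]},
}
_OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt, "<=": operator.le}

def _value_matches(value, alternatives):
    """A pattern list means match-any: entries are exact values or an
    EventBridge numeric comparator such as {"numeric": [">=", 4, "<", 9]}."""
    for alt in alternatives:
        if isinstance(alt, dict) and "numeric" in alt:
            spec = alt["numeric"]  # alternating operator, bound pairs
            if isinstance(value, (int, float)) and all(
                _OPS[op](value, bound) for op, bound in zip(spec[0::2], spec[1::2])
            ):
                return True
        elif value == alt:
            return True
    return False

def matches(pattern, event):
    """Every pattern key must exist in the event and match; nested dicts recurse."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not (isinstance(event[key], dict) and matches(expected, event[key])):
                return False
        elif not _value_matches(event[key], expected):
            return False
    return True

# Constructed sample events in the envelope shape EventBridge hands to targets.
SAMPLE_EVENTS = [
    {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
     "detail": {"id": "finding-1", "severity": 8.0}},
    {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
     "detail": {"id": "finding-2", "severity": 2.0}},
    {"source": "aws.ec2", "detail-type": "EC2 Instance State-change Notification",
     "detail": {"id": "not-a-finding", "state": "running"}},
]

def forwarded_ids(events=SAMPLE_EVENTS, pattern=FORWARD_PATTERN):
    return [e["detail"]["id"] for e in events if matches(pattern, e)]
```

Only the high-severity GuardDuty finding is forwarded; the low-severity finding and the unrelated EC2 event are dropped by the rule before they ever reach the webhook.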

Use Demo Mode anytime

Evaluate without touching a real tenant.

  • Toggle Demo Mode on the Sign In screen
  • Uses mock data only; no external calls
  • Turn off anytime from Settings

Download the app to get started: