SOCRadar-Alarm-Import
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
Imports alarms from SOCRadar with optional audit logging and custom table storage. Supports all statuses or OPEN only.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | SOCRadar |
| Source | View on GitHub |
Logic App Connectors
This playbook uses 2 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
azuresentinel |
Managed | 0 | 1 |
http |
Built-in | 0 | 6 |
Action parameters (URLs, paths, function IDs)
azuresentinel (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Create_New_Incident | put | [concat('/Incidents/subscriptions/', subscription().subscriptionId, '/resourceGroups/', parameters('WorkspaceResourceGroup'), '/workspaces/', parameters('WorkspaceName'))] |
— |
http (Built-in)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Query_Existing_SOCRadar_Incidents | GET | [concat(variables('_managementBaseUrl'), 'subscriptions/', subscription().subscriptionId, '/resourceGroups/', parameters('WorkspaceResourceGroup'), '/providers/Microsoft.OperationalInsights/workspaces/', parameters('WorkspaceName'), '/providers/Microsoft.SecurityInsights/incidents?api-version=2023-11-01&$top=1&$filter=startswith(properties/title, ''[SOCRadar]'')')] |
— |
| Get_SOCRadar_Page | GET | https://platform.socradar.com/api/company/@{parameters('CompanyId')}/incidents/v4 |
— |
| Query_Incidents_Page | GET | @variables('incidents_next_link') |
— |
| Create_Closed_Incident | PUT | @{concat(parameters('ManagementBaseUrl'), '/subscriptions/', parameters('SubscriptionId'), '/resourceGroups/', parameters('ResourceGroupName'), '/providers/Microsoft.OperationalInsights/workspaces/', parameters('WorkspaceName'), '/providers/Microsoft.SecurityInsights/incidents/', guid(), '?api-version=2023-11-01')} |
— |
| Log_Audit_Event | POST | @{concat(parameters('AuditDcrEndpoint'), '/dataCollectionRules/', parameters('AuditDcrImmutableId'), '/streams/', parameters('AuditStreamName'), '?api-version=2023-01-01')} |
— |
| Ingest_To_Custom_Table | POST | @{concat(parameters('DceEndpoint'), '/dataCollectionRules/', parameters('AlarmsDcrImmutableId'), '/streams/', parameters('AlarmsStreamName'), '?api-version=2023-01-01')} |
— |
Additional Documentation
📄 Source: SOCRadar-Alarm-Import/readme.md
SOCRadar Alarm Import
Imports SOCRadar XTI platform alarms into Microsoft Sentinel as incidents.
Deploying this playbook also provisions the Data Collection Endpoint, the SOCRadar_Alarms_CL and SOCRadarAuditLog_CL custom log tables, the associated Data Collection Rules, and the role assignments required by the Logic App's managed identity. No separate infrastructure deployment is needed.
Features
- Paginated alarm fetching (100 per page)
- Duplicate detection via Microsoft Sentinel API
- Severity and status mapping
- Optional closed alarm import with classification
- Automatic tagging (SOCRadar, alarm type, sub type)
- Field truncation for large alarms
- Optional audit logging
Prerequisites
- SOCRadar XTI Platform API Key
- Microsoft Sentinel workspace
- Managed Identity with Microsoft Sentinel Responder role (default, Contributor optional)
Deployment
You can also install this playbook via Microsoft Sentinel Content Hub.
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊