Syncs closed incidents from Microsoft Sentinel back to the SOCRadar platform. Applies a Synced tag to each incident it has pushed so that later runs do not sync it again. Selects incidents by the SOCRadar tag, Closed status, and lastModified time. Paginates the incident query so that runs with more than 1000 matching incidents are handled in full.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | SOCRadar |
| Source | View on GitHub |
📄 Source: SOCRadar-Alarm-Sync/readme.md
Syncs closed Microsoft Sentinel incidents back to SOCRadar with classification mapping.
| Microsoft Sentinel Classification | SOCRadar Status |
|---|---|
| FalsePositive | FALSE_POSITIVE |
| BenignPositive | MITIGATED |
| TruePositive | RESOLVED |
| Undetermined | RESOLVED |
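The selection and mapping rules above, worked through as an added example. This is not the playbook's own code (the playbook is a Logic App) and it does not call SOCRadar; it returns the list of (incident id, SOCRadar status) pairs a sync run would push. Incident records are constructed inline; their field names follow the Sentinel incident resource schema (`properties.status`, `properties.labels[].labelName`, `properties.classification`, `properties.lastModifiedTimeUtc`), while the page size and the `SINCE` cut-off are assumptions. It also shows why the Synced tag matters: adding the tag itself bumps `lastModifiedTimeUtc`, so a filter on modification time alone would re-select an incident on the next run.

```python
import copy
from datetime import datetime, timezone

# Classification mapping from the table above.
CLASSIFICATION_TO_STATUS = {
    "FalsePositive": "FALSE_POSITIVE",
    "BenignPositive": "MITIGATED",
    "TruePositive": "RESOLVED",
    "Undetermined": "RESOLVED",
}

SOCRADAR_TAG = "SOCRadar"   # marks incidents that originated from SOCRadar
SYNCED_TAG = "Synced"       # marks incidents already pushed back

# Assumed cut-off: only incidents modified at or after this instant are considered.
SINCE = datetime(2024, 1, 1, tzinfo=timezone.utc)


def _incident(name, status, classification, labels, modified):
    """Build a minimal Sentinel-shaped incident record (constructed sample data)."""
    return {
        "name": name,
        "properties": {
            "status": status,
            "classification": classification,
            "labels": [{"labelName": l, "labelType": "User"} for l in labels],
            "lastModifiedTimeUtc": modified,
        },
    }


# Constructed sample: only inc-1 and inc-6 satisfy every rule.
SAMPLE_INCIDENTS = [
    _incident("inc-1", "Closed", "FalsePositive", ["SOCRadar"], "2024-03-01T10:00:00Z"),
    _incident("inc-2", "Closed", "TruePositive", ["SOCRadar", "Synced"], "2024-03-01T11:00:00Z"),
    _incident("inc-3", "Active", None, ["SOCRadar"], "2024-03-02T09:00:00Z"),
    _incident("inc-4", "Closed", "TruePositive", ["Phishing"], "2024-03-02T12:00:00Z"),
    _incident("inc-5", "Closed", "BenignPositive", ["SOCRadar"], "2023-12-20T08:00:00Z"),
    _incident("inc-6", "Closed", "Undetermined", ["SOCRadar"], "2024-03-03T15:30:00Z"),
]


def labels_of(incident):
    return {lbl.get("labelName") for lbl in incident["properties"].get("labels", [])}


def should_sync(incident, since):
    """SOCRadar tag AND not yet Synced AND Closed AND modified at/after `since`."""
    props = incident["properties"]
    labels = labels_of(incident)
    if SOCRADAR_TAG not in labels or SYNCED_TAG in labels:
        return False
    if props.get("status") != "Closed":
        return False
    modified = datetime.fromisoformat(props["lastModifiedTimeUtc"].replace("Z", "+00:00"))
    return modified >= since


def to_socradar_status(classification):
    """Map a Sentinel classification; refuse unknown values instead of guessing."""
    try:
        return CLASSIFICATION_TO_STATUS[classification]
    except KeyError:
        raise ValueError(f"unmapped Sentinel classification: {classification!r}")


def paginate(incidents, page_size):
    """Yield fixed-size pages; a real run would follow the API's nextLink instead."""
    for start in range(0, len(incidents), page_size):
        yield incidents[start:start + page_size]


def build_sync_batch(incidents, since, page_size=1000):
    """Walk every page and return [(incident_name, socradar_status), ...] to push."""
    batch = []
    for page in paginate(incidents, page_size):
        for inc in page:
            if should_sync(inc, since):
                batch.append((inc["name"], to_socradar_status(inc["properties"]["classification"])))
    return batch


def mark_synced(incident, now_utc="2024-03-04T00:00:00Z"):
    """Return a copy with the Synced label added and lastModified bumped, as Sentinel would."""
    updated = copy.deepcopy(incident)
    updated["properties"]["labels"].append({"labelName": SYNCED_TAG, "labelType": "User"})
    updated["properties"]["lastModifiedTimeUtc"] = now_utc
    return updated


if __name__ == "__main__":
    for name, status in build_sync_batch(SAMPLE_INCIDENTS, SINCE, page_size=2):
        print(f"{name} -> {status}")
```

`mark_synced` models the write-back: after it runs, the incident's modification time is newer than `SINCE`, yet `should_sync` rejects it because of the Synced label, which is the duplicate-sync guard the description relies on.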
You can also install this playbook via Microsoft Sentinel Content Hub.