Syncs closed incidents from Microsoft Sentinel back to the SOCRadar platform. Uses a Synced tag on each incident to prevent duplicate syncs. Filters incidents by: SOCRadar tag + Closed status + lastModified. Now with pagination for 1000+ incidents.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | SOCRadar |
| Source | View on GitHub |
This playbook uses 1 Logic App connector / built-in action:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
| http | Built-in | 0 | 4 |
http (Built-in)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Query_Closed_Page | GET | @variables('closed_next_link') | — |
| Update_SOCRadar_Status | POST | https://platform.socradar.com/api/company/@{parameters('CompanyId')}/alarms/status/change | — |
| Update_SOCRadar_Severity | POST | https://platform.socradar.com/api/company/@{parameters('CompanyId')}/alarm/severity | — |
| Add_Synced_Tag | PUT | [concat(variables('_managementBaseUrl'), 'subscriptions/', subscription().subscriptionId, '/resourceGroups/', parameters('WorkspaceResourceGroup'), '/providers/Microsoft.OperationalInsights/workspaces/', parameters('WorkspaceName'), '/providers/Microsoft.SecurityInsights/incidents/@{items(''For_Each_Incident'')?[''name'']}?api-version=2023-11-01')] | — |
📄 Source: SOCRadar-Alarm-Sync/readme.md
Syncs closed Microsoft Sentinel incidents back to SOCRadar with classification mapping.
| Microsoft Sentinel Classification | SOCRadar Status |
|---|---|
| FalsePositive | FALSE_POSITIVE |
| BenignPositive | MITIGATED |
| TruePositive | RESOLVED |
| Undetermined | RESOLVED |
You can also install this playbook via Microsoft Sentinel Content Hub.