⚠️ SOCRadar

⚠️ Unpublished: This item is from a solution that is not yet published on Azure Marketplace or not installed in Content Hub.

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Solutions Index

---

Attribute	Value
Publisher	SOCRadar
Support Tier	Partner
Support Link	https://github.com/Radargoger/azure-one-click-documentations/blob/main/azureincidents.md
Categories	domains
Version	3.0.0
Author	SOCRadar - integration@socradar.io
First Published	2026-02-08
Last Updated	2026-04-19
Solution Folder	SOCRadar

The SOCRadar solution for Microsoft Sentinel provides bidirectional integration between SOCRadar XTI Platform and Microsoft Sentinel. Import alarms as incidents, sync closed incidents back to SOCRadar with classification mapping.

Contents

• Data Connectors
• Tables Used
• Content Items
• Additional Documentation

Data Connectors

This solution does not include data connectors.

This solution may contain other components such as analytics rules, workbooks, hunting queries, or playbooks.

Tables Used

This solution queries 2 table(s) from its content items:

Table	Used By Content
SOCRadarAuditLog_CL	Hunting, Workbooks
SOCRadar_Alarms_CL	Analytics, Hunting, Workbooks

Internal Tables

The following 1 table(s) are used internally by this solution's content items:

Table	Used By Content
SecurityIncident	Analytics, Hunting

Content Items

This solution includes 11 content item(s):

Content Type	Count
Hunting Queries	5
Analytic Rules	3
Playbooks	2
Workbooks	1

Analytic Rules

Name	Severity	Tactics	Tables Used
SOCRadar Alarm Volume Spike	Medium	Impact, Exfiltration	SOCRadar_Alarms_CL
SOCRadar High or Critical Severity Alarm	High	Reconnaissance, InitialAccess	SOCRadar_Alarms_CL
SOCRadar Unsynced Closed Incident	Low	Discovery	Internal use: SecurityIncident

Hunting Queries

Name	Tactics	Tables Used
SOCRadar Alarm Overview	Discovery	SOCRadar_Alarms_CL
SOCRadar Alarm Trends	Discovery	SOCRadar_Alarms_CL
SOCRadar Audit Analysis	Discovery	SOCRadarAuditLog_CL
SOCRadar Critical Alarms	Impact	SOCRadar_Alarms_CL
SOCRadar Incident Correlation	Discovery	Internal use: SecurityIncident

Workbooks

Name	Tables Used
SOCRadar-Dashboard	SOCRadarAuditLog_CL SOCRadar_Alarms_CL

Playbooks

Name	Description	Tables Used
SOCRadar-Alarm-Import	Imports alarms from SOCRadar with optional audit logging and custom table storage. Supports all stat...	-
SOCRadar-Alarm-Sync	Syncs closed incidents from Microsoft Sentinel back to SOCRadar platform. Uses Synced tag to prevent...	-

Additional Documentation

📄 Source: SOCRadar/README.md

SOCRadar Intelligence for Microsoft Sentinel

Overview

The SOCRadar solution for Microsoft Sentinel provides bidirectional integration between SOCRadar XTI Platform and Microsoft Sentinel. Import SOCRadar alarms as Microsoft Sentinel incidents and sync closed incidents back to SOCRadar with classification mapping.

Architecture

flowchart LR
    subgraph EXT["SOCRadar Platform"]
        API["platform.socradar.com<br/><br/>GET /incidents/v4<br/>POST /alarms/status/change<br/>POST /alarm/severity<br/><br/>Auth: API-Key header"]
    end

    subgraph LA["Azure Logic Apps"]
        direction TB
        Import["SOCRadar-Alarm-Import<br/>Recurrence: 5 min<br/>Pagination · Dedup<br/>OPEN-only filter<br/>3-tag labeling"]
        Sync["SOCRadar-Alarm-Sync<br/>Recurrence: 5 min<br/>Classification mapping<br/>Synced-tag tracking"]
    end

    subgraph SEN["Microsoft Sentinel"]
        direction TB
        Inc["Incidents<br/>Labels: SOCRadar + type +<br/>subtype + Synced"]
        HQ["Hunting Queries (5)"]
        AR["Analytic Rules (3)"]
        WB["SOCRadar Dashboard<br/>Workbook"]
    end

    subgraph LAW["Log Analytics"]
        direction TB
        DCE["Data Collection<br/>Endpoint"]
        DCRA["Alarms DCR"]
        DCRB["Audit DCR"]
        Alarms[("SOCRadar_Alarms_CL")]
        Audit[("SOCRadarAuditLog_CL")]
    end

    API -->|GET alarms| Import
    Import -->|PUT incidents<br/>Managed Identity| Inc
    Import -->|provisions + writes| DCE
    DCE --> DCRA --> Alarms
    DCE --> DCRB --> Audit

    Inc -->|closed incidents| Sync
    Sync -->|POST status + severity| API
    Sync -->|PUT Synced tag| Inc

    Inc -.-> HQ
    Inc -.-> AR
    Alarms -.-> HQ
    Alarms -.-> WB
    Audit -.-> HQ

    classDef ext fill:#dae8fc,stroke:#6c8ebf,color:#000
    classDef logic fill:#fff2cc,stroke:#d6b656,color:#000
    classDef sentinel fill:#d5e8d4,stroke:#82b366,color:#000
    classDef law fill:#f8cecc,stroke:#b85450,color:#000
    class API ext
    class Import,Sync logic
    class Inc,HQ,AR,WB sentinel
    class DCE,DCRA,DCRB,Alarms,Audit law

Key Features

Alarm Import - Automatically imports SOCRadar alarms as Microsoft Sentinel incidents - Paginated fetching with duplicate prevention - Severity and status mapping - Tags for categorization (SOCRadar, alarm type, sub type) - Optional closed alarm import with classification

Bidirectional Sync - Closed incidents in Microsoft Sentinel update alarm status in SOCRadar - Classification mapping: TruePositive to Resolved, FalsePositive to False Positive, BenignPositive to Mitigated

Analytics - SOCRadar Dashboard workbook with severity, status, and timeline charts - 5 hunting queries for alarm analysis and correlation - Optional audit logging for operational monitoring

Prerequisites

• Microsoft Sentinel workspace

[Content truncated...]

Release Notes

Version	Date Modified (DD-MM-YYYY)	Change History
3.0.0	26-02-2026	Initial release.

---

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Solutions Index