SOCRadar-Solution

Author: Radargoger

Solutions/SOCRadar/Data/Solution_SOCRadar.json

@@ -0,0 +1,25 @@
+{
+  "Name": "SOCRadar",
+  "Author": "SOCRadar - integration@socradar.io",
+  "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/SOCRadar/logo/socradar.svg\" width=\"75px\" height=\"75px\">",
+  "Description": "The SOCRadar solution for Microsoft Sentinel provides bidirectional integration between SOCRadar XTI Platform and Microsoft Sentinel. Import alarms as incidents, sync closed incidents back to SOCRadar with classification mapping.",
+  "Version": "3.0.0",
+  "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\SOCRadar",
+  "TemplateSpec": true,
+  "Is1Pconnector": false,
+  "Metadata": "SolutionMetadata.json",
+  "Workbooks": [
+    "Workbooks/SOCRadar-Dashboard.json"
+  ],
+  "Hunting Queries": [
+    "Hunting Queries/SOCRadar-Alarm-Overview.yaml",
+    "Hunting Queries/SOCRadar-Critical-Alarms.yaml",
+    "Hunting Queries/SOCRadar-Alarm-Trends.yaml",
+    "Hunting Queries/SOCRadar-Incident-Correlation.yaml",
+    "Hunting Queries/SOCRadar-Audit-Analysis.yaml"
+  ],
+  "Playbooks": [
+    "Playbooks/SOCRadar-Alarm-Import/azuredeploy.json",
+    "Playbooks/SOCRadar-Alarm-Sync/azuredeploy.json"
+  ]
+}

Solutions/SOCRadar/Hunting Queries/SOCRadar-Alarm-Overview.yaml

@@ -0,0 +1,15 @@
+id: 12a3dfda-ab80-4664-aed9-7f6f9f3b4a23
+name: SOCRadar Alarm Overview
+description: |
+  'Overview of SOCRadar alarms imported into Microsoft Sentinel, grouped by type and severity.'
+description-detailed: |
+  'This query provides a summary view of all SOCRadar alarms imported into Microsoft Sentinel.
+  It groups alarms by their main type and severity level to help analysts identify the most common and critical threat categories.'
+requiredDataConnectors: []
+tactics:
+  - Discovery
+query: |
+  SOCRadar_Alarms_CL
+  | summarize Count=count() by AlarmMainType, Severity
+  | order by Count desc
+version: 1.0.0

Solutions/SOCRadar/Hunting Queries/SOCRadar-Alarm-Trends.yaml

@@ -0,0 +1,16 @@
+id: bbafd1c6-8da9-4de3-b100-6964dedd3f3e
+name: SOCRadar Alarm Trends
+description: |
+  'Analyze SOCRadar alarm trends over the past 7 days to identify patterns and spikes.'
+description-detailed: |
+  'This query analyzes SOCRadar alarm volume over time, grouped by hour and alarm type.
+  Use this to detect unusual spikes in specific alarm categories that may indicate an active campaign or emerging threat.'
+requiredDataConnectors: []
+tactics:
+  - Discovery
+query: |
+  SOCRadar_Alarms_CL
+  | where TimeGenerated > ago(7d)
+  | summarize Count=count() by bin(TimeGenerated, 1h), AlarmMainType
+  | order by TimeGenerated desc
+version: 1.0.0

Solutions/SOCRadar/Hunting Queries/SOCRadar-Audit-Analysis.yaml

@@ -0,0 +1,15 @@
+id: afae44e5-e2e2-4f0e-9535-2aeb3766a847
+name: SOCRadar Audit Analysis
+description: |
+  'Analyze SOCRadar audit logs to monitor import and sync operations.'
+description-detailed: |
+  'This query summarizes SOCRadar audit log events by type to help monitor the health of import and sync operations.
+  Use this to detect errors or unexpected patterns in the integration workflow.'
+requiredDataConnectors: []
+tactics:
+  - Discovery
+query: |
+  SOCRadarAuditLog_CL
+  | summarize Count=count() by EventType
+  | order by Count desc
+version: 1.0.0

Solutions/SOCRadar/Hunting Queries/SOCRadar-Critical-Alarms.yaml

@@ -0,0 +1,16 @@
+id: ffa80945-44de-4900-bda5-9f1410c60166
+name: SOCRadar Critical Alarms
+description: |
+  'Hunt for high and critical severity SOCRadar alarms that may require immediate attention.'
+description-detailed: |
+  'This query filters SOCRadar alarms to show only High and Critical severity items.
+  Use this to prioritize investigation of the most impactful threats detected by SOCRadar XTI platform.'
+requiredDataConnectors: []
+tactics:
+  - Impact
+query: |
+  SOCRadar_Alarms_CL
+  | where Severity in ("High", "Critical")
+  | project TimeGenerated, AlarmId, Title, AlarmMainType, AlarmSubType, Severity, Status
+  | order by TimeGenerated desc
+version: 1.0.0

Solutions/SOCRadar/Hunting Queries/SOCRadar-Incident-Correlation.yaml

@@ -0,0 +1,16 @@
+id: 3a665ce4-b824-4a79-861b-c9f80ab4daba
+name: SOCRadar Incident Correlation
+description: |
+  'Correlate SOCRadar alarms with Sentinel incidents to track import status and identify gaps.'
+description-detailed: |
+  'This query examines Microsoft Sentinel incidents tagged with SOCRadar label to provide a summary of incident status and classification.
+  Use this to verify that imported alarms are being properly triaged and to identify any gaps in the sync process.'
+requiredDataConnectors: []
+tactics:
+  - Discovery
+query: |
+  SecurityIncident
+  | where Labels has "SOCRadar"
+  | summarize Count=count() by Status, Classification
+  | order by Count desc
+version: 1.0.0

Solutions/SOCRadar/Playbooks/SOCRadar-Alarm-Import/azuredeploy.json

@@ -0,0 +1,23 @@
+# SOCRadar Alarm Import
+
+Imports SOCRadar XTI platform alarms into Microsoft Sentinel as incidents.
+
+## Features
+
+- Paginated alarm fetching (100 per page)
+- Duplicate detection via Sentinel API
+- Severity and status mapping
+- Optional closed alarm import with classification
+- Automatic tagging (SOCRadar, alarm type, sub type)
+- Field truncation for large alarms
+- Optional audit logging
+
+## Prerequisites
+
+- SOCRadar XTI Platform API Key
+- Microsoft Sentinel workspace
+- Managed Identity with Sentinel Contributor role
+
+## Deployment
+
+Deploy via the main SOCRadar solution or standalone using the Deploy to Azure button in the main repository.