Bidirectional integration between SOCRadar XTI Platform and Microsoft Sentinel.
- Microsoft Sentinel workspace
- SOCRadar API Key
| Parameter | Description |
|---|---|
| WorkspaceName | Your Sentinel workspace name (e.g., my-sentinel-workspace, NOT the Workspace ID/GUID) |
| WorkspaceLocation | Region of your workspace (e.g., centralus, northeurope) |
| SocradarApiKey | Your SOCRadar API key |
| CompanyId | Your SOCRadar company ID |
Note: You can find your Workspace Name in Azure Portal > Log Analytics workspaces > your workspace > Overview > "Name" field.
| Parameter | Default | Description |
|---|---|---|
| WorkspaceResourceGroup | (same as deployment RG) | Set if your workspace is in a different resource group |
| SentinelRoleLevel | Responder | Sentinel role for Logic Apps (see Role Selection) |
| PollingIntervalMinutes | 5 | How often to check for alarms (1-60 min) |
| InitialLookbackMinutes | 600 | First run lookback (default: 10 hours) |
| EnableAuditLogging | true | Log operations to Log Analytics |
| EnableAlarmsTable | true | Store alarms in SOCRadar_Alarms_CL table for analytics |
| EnableWorkbook | true | Deploy SOCRadar Analytics Dashboard |
| TableRetentionDays | 365 | Data retention (30-730 days) |
- SOCRadar-Alarm-Import - Imports alarms from SOCRadar as Sentinel incidents
- SOCRadar-Alarm-Sync - Syncs closed incidents back to SOCRadar
- SOCRadar_Alarms_CL - Custom table for alarm analytics (if EnableAlarmsTable=true)
- SOCRadar Analytics Dashboard - Workbook with charts and tables (if EnableWorkbook=true)
- SOCRadarAuditLog_CL - Audit log table (if EnableAuditLogging=true)
- Data Collection Endpoint & Rules - For data ingestion
Alarm Import
- Automatically imports SOCRadar alarms as Sentinel incidents
- Severity and status mapping
- Duplicate prevention
- Tags for categorization
Bidirectional Sync
- Closed incidents in Sentinel update alarm status in SOCRadar
- Classification mapping: TruePositive to Resolved, FalsePositive to False Positive
Audit Logging
- Full alarm JSON stored in Log Analytics
- Query with KQL for reporting
Analytics Dashboard
- Severity and status distribution charts
- Alarm timeline visualization
- Top alarm types bar chart
- Recent alarms table
KQL Queries
- See socradar-kql-queries.kql for 24 ready-to-use queries including:
  - Alarm overview and trends
  - Incident correlation
  - Audit log analysis
  - Alert rules for scheduled analytics
The template assigns a Sentinel role to Logic App managed identities. Two options are available:
| Role | Permissions | Use Case |
|---|---|---|
| Responder (default) | Create, update, close, classify incidents | Sufficient for this integration |
| Contributor | All Responder permissions + delete incidents, manage analytics rules, settings | Required if your environment has custom automation rules that depend on Contributor-level access |
The default is Responder, following the least-privilege principle. If your organization's automation rules or policies require Contributor-level access for integrations, set SentinelRoleLevel to Contributor during deployment.
- If your workspace is in a different region, set WorkspaceLocation to match your workspace region.
- If your workspace is in a different resource group, set WorkspaceResourceGroup. Custom tables, workbook, and audit logging require same-RG deployment.
Logic Apps are configured to start 3 minutes after deployment to allow Azure role propagation.
No manual action required - they will start automatically.
SOCRadar is an Extended Threat Intelligence (XTI) platform that provides actionable threat intelligence, digital risk protection, and external attack surface management.
Learn more at socradar.io
- Documentation: docs.socradar.io
- Support: support@socradar.io