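// Sentinel analytic query: SOCRadar-tagged incidents that were closed more than
// 30 minutes ago but never received the "Synced" label from the
// SOCRadar-Alarm-Sync playbook, i.e. closures that may not have reached SOCRadar.
SecurityIncident
// SecurityIncident stores one row per incident update. Reduce to the latest
// state per incident first; otherwise an older Closed/unsynced row keeps
// matching for the whole query period even after the playbook added the
// "Synced" label or the incident was reopened, producing repeat alerts.
| summarize arg_max(TimeGenerated, *) by IncidentName
| where Labels has "SOCRadar"
| where Status == "Closed"
// Grace period for the playbook to tag the closed incident.
| where LastModifiedTime < ago(30m)
| where not(Labels has "Synced")
// The alarm number is expected after '#' in the incident title; empty when the
// title carries no such marker.
| extend AlarmId = extract(@"#(\d+)", 1, Title)
// Surfaced as an Account entity name so the alarm id is visible on the incident;
// it is not a real account.
| extend AccountName = AlarmId
| project TimeGenerated, IncidentName, Title, Status, Classification, LastModifiedTime, AlarmId, AccountName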
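# Microsoft Sentinel scheduled analytic rule (SOCRadar solution).
# Purpose: flag SOCRadar-tagged incidents that were closed but never marked
# "Synced" by the SOCRadar-Alarm-Sync playbook, so that closures which may not
# have reached the SOCRadar platform are surfaced for follow-up.
id: 6e2f8d4b-5a71-4c9e-b3f6-8a1c9d4e7b2a
name: SOCRadar Unsynced Closed Incident
description: |
  'Detects Microsoft Sentinel incidents tagged as SOCRadar that were closed more than 30 minutes ago but do not have the Synced tag. This may indicate the SOCRadar-Alarm-Sync playbook has failed to update the SOCRadar platform with the closure status.'
severity: Low
status: Available
kind: Scheduled
version: 1.0.0
requiredDataConnectors: []
# Runs hourly over the last day and fires whenever the query returns any row.
queryFrequency: 1h
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
# NOTE(review): Discovery / T1526 are kept as given; the query itself monitors
# playbook sync health rather than adversary activity, so the mapping is
# inherited from the source rule rather than derived from the detection logic.
tactics:
  - Discovery
relevantTechniques:
  - T1526
query: |
  SecurityIncident
  // SecurityIncident stores one row per incident update. Reduce to the latest
  // state per incident first; otherwise an older Closed/unsynced row keeps
  // matching for the whole query period even after the playbook added the
  // "Synced" label or the incident was reopened, producing repeat alerts.
  | summarize arg_max(TimeGenerated, *) by IncidentName
  | where Labels has "SOCRadar"
  | where Status == "Closed"
  // Grace period for the playbook to tag the closed incident.
  | where LastModifiedTime < ago(30m)
  | where not(Labels has "Synced")
  // The alarm number is expected after '#' in the incident title; empty when
  // the title carries no such marker.
  | extend AlarmId = extract(@"#(\d+)", 1, Title)
  | extend AccountName = AlarmId
  | project TimeGenerated, IncidentName, Title, Status, Classification, LastModifiedTime, AlarmId, AccountName
entityMappings:
  # The alarm number is surfaced as an Account entity name so it is visible on
  # the incident; it is not a real account and should not be treated as one.
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: AccountName
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SOCRadar/Analytic Rules/SOCRadarUnsyncedClosedIncident.yaml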