Microsoft Sentinel Analytic Rules

SOCRadar Unsynced Closed Incident

Id: 6e2f8d4b-5a71-4c9e-b3f6-8a1c9d4e7b2a
Rulename: SOCRadar Unsynced Closed Incident
Description: Detects Microsoft Sentinel incidents tagged as SOCRadar that were closed more than 30 minutes ago but do not have the Synced tag. This may indicate the SOCRadar-Alarm-Sync playbook has failed to update the SOCRadar platform with the closure status.
Severity: Low
Tactics: Discovery
Techniques: T1526
Kind: Scheduled
Query frequency: 1h
Query period: 1d
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SOCRadar/Analytic Rules/SOCRadarUnsyncedClosedIncident.yaml
Version: 1.0.0
Arm template: 6e2f8d4b-5a71-4c9e-b3f6-8a1c9d4e7b2a.json
SecurityIncident
| where Labels has "SOCRadar"
| where Status == "Closed"
| where LastModifiedTime < ago(30m)
| where not(Labels has "Synced")
| extend AlarmId = extract(@"#(\d+)", 1, Title)
| extend AccountName = AlarmId
| project TimeGenerated, IncidentName, Title, Status, Classification, LastModifiedTime, AlarmId, AccountName
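As an added example (not part of the rule above or of the Azure-Sentinel repository), the following Python reproduces the query's filter over a constructed set of SecurityIncident rows so the logic can be exercised offline. It also models one behaviour the KQL as written does not account for: the SecurityIncident table keeps one row per update to an incident, so an incident that was closed and only later received the Synced label still has an older row that is Closed and unlabelled. The example therefore collapses each incident to its most recent row before filtering (the equivalent of summarize arg_max(LastModifiedTime, *) by IncidentNumber in KQL) and, with dedupe=False, shows the extra hit the raw filter would raise. The row layout, timestamps, titles and label values are constructed; has_label is an approximation of KQL has as a case-insensitive match on labelName; the empty-string AlarmId on a title without "#<digits>" mirrors what extract() returns when the regex does not match, which is what the Account entity mapping would then receive.

```python
import re
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is deterministic (constructed, not a live clock).
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)

# Constructed SecurityIncident rows. Each row is one update record; the real table
# works the same way, which is why incident 101 appears twice (closed, then synced).
SAMPLE_ROWS = [
    {"IncidentNumber": 101, "IncidentName": "inc-101", "Title": "SOCRadar Alarm #4471 - Leaked credential",
     "Status": "Closed", "Classification": "TruePositive", "LastModifiedTime": NOW - timedelta(minutes=90),
     "Labels": [{"labelName": "SOCRadar", "labelType": "User"}]},
    {"IncidentNumber": 101, "IncidentName": "inc-101", "Title": "SOCRadar Alarm #4471 - Leaked credential",
     "Status": "Closed", "Classification": "TruePositive", "LastModifiedTime": NOW - timedelta(minutes=45),
     "Labels": [{"labelName": "SOCRadar", "labelType": "User"}, {"labelName": "Synced", "labelType": "User"}]},
    {"IncidentNumber": 102, "IncidentName": "inc-102", "Title": "SOCRadar Alarm #4472 - Exposed port",
     "Status": "Closed", "Classification": "BenignPositive", "LastModifiedTime": NOW - timedelta(minutes=60),
     "Labels": [{"labelName": "SOCRadar", "labelType": "User"}]},
    {"IncidentNumber": 103, "IncidentName": "inc-103", "Title": "SOCRadar Alarm #4473 - Phishing domain",
     "Status": "Closed", "Classification": "TruePositive", "LastModifiedTime": NOW - timedelta(minutes=10),
     "Labels": [{"labelName": "SOCRadar", "labelType": "User"}]},   # still inside the 30 min grace period
    {"IncidentNumber": 104, "IncidentName": "inc-104", "Title": "SOCRadar Alarm #4474 - Dark web mention",
     "Status": "Active", "Classification": "", "LastModifiedTime": NOW - timedelta(minutes=120),
     "Labels": [{"labelName": "SOCRadar", "labelType": "User"}]},   # not closed
    {"IncidentNumber": 105, "IncidentName": "inc-105", "Title": "Phishing campaign reported by user",
     "Status": "Closed", "Classification": "TruePositive", "LastModifiedTime": NOW - timedelta(minutes=200),
     "Labels": [{"labelName": "Phishing", "labelType": "User"}]},   # not a SOCRadar incident
    {"IncidentNumber": 106, "IncidentName": "inc-106", "Title": "SOCRadar alarm without an id in the title",
     "Status": "Closed", "Classification": "Undetermined", "LastModifiedTime": NOW - timedelta(minutes=60),
     "Labels": [{"labelName": "SOCRadar", "labelType": "User"}]},   # regex will not match
]

# Same pattern as the rule's extract(@"#(\d+)", 1, Title).
ALARM_ID_RE = re.compile(r"#(\d+)")


def has_label(row, name):
    """Approximation of KQL `Labels has "<name>"`: case-insensitive term match on labelName."""
    return any(label["labelName"].casefold() == name.casefold() for label in row["Labels"])


def latest_state(rows):
    """Collapse the update log to the newest row per incident (KQL arg_max by IncidentNumber)."""
    latest = {}
    for row in rows:
        current = latest.get(row["IncidentNumber"])
        if current is None or row["LastModifiedTime"] > current["LastModifiedTime"]:
            latest[row["IncidentNumber"]] = row
    return list(latest.values())


def find_unsynced_closed(rows, now, grace=timedelta(minutes=30), dedupe=True):
    """Apply the rule's filter; dedupe=False runs it over every update row, as the KQL does."""
    candidates = latest_state(rows) if dedupe else rows
    hits = []
    for row in candidates:
        if not has_label(row, "SOCRadar"):
            continue
        if row["Status"] != "Closed":
            continue
        if row["LastModifiedTime"] >= now - grace:      # LastModifiedTime < ago(30m)
            continue
        if has_label(row, "Synced"):
            continue
        match = ALARM_ID_RE.search(row["Title"])
        alarm_id = match.group(1) if match else ""      # extract() yields "" on no match
        hits.append({
            "IncidentNumber": row["IncidentNumber"], "IncidentName": row["IncidentName"],
            "Title": row["Title"], "Status": row["Status"], "Classification": row["Classification"],
            "LastModifiedTime": row["LastModifiedTime"], "AlarmId": alarm_id, "AccountName": alarm_id,
        })
    return sorted(hits, key=lambda h: h["IncidentNumber"])


if __name__ == "__main__":
    for label, dedupe in (("latest row per incident", True), ("every update row", False)):
        hits = find_unsynced_closed(SAMPLE_ROWS, NOW, dedupe=dedupe)
        print(f"{label}: {[ (h['IncidentNumber'], h['AlarmId']) for h in hits ]}")
```

Run against the constructed rows, the deduplicated pass flags only incidents 102 and 106, while the per-row pass additionally flags the stale Closed row of incident 101 even though its later row carries the Synced label. Incident 106 is reported with an empty AlarmId, so if SOCRadar titles do not always contain "#<digits>" the Account entity mapped from AccountName will be empty for those hits.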
status: Available
queryFrequency: 1h
queryPeriod: 1d
triggerOperator: gt
query: |
  SecurityIncident
  | where Labels has "SOCRadar"
  | where Status == "Closed"
  | where LastModifiedTime < ago(30m)
  | where not(Labels has "Synced")
  | extend AlarmId = extract(@"#(\d+)", 1, Title)
  | extend AccountName = AlarmId
  | project TimeGenerated, IncidentName, Title, Status, Classification, LastModifiedTime, AlarmId, AccountName  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SOCRadar/Analytic Rules/SOCRadarUnsyncedClosedIncident.yaml
tactics:
- Discovery
triggerThreshold: 0
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountName
requiredDataConnectors: []
kind: Scheduled
relevantTechniques:
- T1526
description: |
    'Detects Microsoft Sentinel incidents tagged as SOCRadar that were closed more than 30 minutes ago but do not have the Synced tag. This may indicate the SOCRadar-Alarm-Sync playbook has failed to update the SOCRadar platform with the closure status.'
name: SOCRadar Unsynced Closed Incident
version: 1.0.0
id: 6e2f8d4b-5a71-4c9e-b3f6-8a1c9d4e7b2a
severity: Low