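// Closed Sentinel incidents labelled "SOCRadar" that still lack the "Synced" label
// 30 minutes after their last modification (i.e. the closure was not written back).
// SecurityIncident records one row per incident update, so reduce to the latest row per
// incident first; otherwise an older "Closed, not yet Synced" row keeps matching after the
// sync playbook has already added the label, producing repeat alerts for a healthy incident.
SecurityIncident
| summarize arg_max(LastModifiedTime, *) by IncidentName
| where Labels has "SOCRadar"
| where Status == "Closed"
// Grace period so the sync playbook has time to run before the closure counts as unsynced.
| where LastModifiedTime < ago(30m)
| where not(Labels has "Synced")
// SOCRadar alarm number: the first "#<digits>" token in the incident title; empty when absent.
| extend AlarmId = extract(@"#(\d+)", 1, Title)
// NOTE(review): AlarmId is surfaced as AccountName only to feed the Account entity mapping;
// it is an alarm number, not an account principal — confirm this is the intended entity type.
| extend AccountName = AlarmId
| project TimeGenerated, IncidentName, Title, Status, Classification, LastModifiedTime, AlarmId, AccountName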
id: 6e2f8d4b-5a71-4c9e-b3f6-8a1c9d4e7b2a
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SOCRadar/Analytic Rules/SOCRadarUnsyncedClosedIncident.yaml
entityMappings:
- fieldMappings:
- identifier: Name
columnName: AccountName
entityType: Account
requiredDataConnectors: []
queryFrequency: 1h
queryPeriod: 1d
status: Available
query: |
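// Closed Sentinel incidents labelled "SOCRadar" that still lack the "Synced" label
// 30 minutes after their last modification (i.e. the closure was not written back).
// SecurityIncident records one row per incident update, so reduce to the latest row per
// incident first; otherwise an older "Closed, not yet Synced" row keeps matching after the
// sync playbook has already added the label, producing repeat alerts for a healthy incident.
SecurityIncident
| summarize arg_max(LastModifiedTime, *) by IncidentName
| where Labels has "SOCRadar"
| where Status == "Closed"
// Grace period so the sync playbook has time to run before the closure counts as unsynced.
| where LastModifiedTime < ago(30m)
| where not(Labels has "Synced")
// SOCRadar alarm number: the first "#<digits>" token in the incident title; empty when absent.
| extend AlarmId = extract(@"#(\d+)", 1, Title)
// NOTE(review): AlarmId is surfaced as AccountName only to feed the Account entity mapping;
// it is an alarm number, not an account principal — confirm this is the intended entity type.
| extend AccountName = AlarmId
| project TimeGenerated, IncidentName, Title, Status, Classification, LastModifiedTime, AlarmId, AccountName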
name: SOCRadar Unsynced Closed Incident
kind: Scheduled
tactics:
- Discovery
severity: Low
relevantTechniques:
- T1526
triggerThreshold: 0
version: 1.0.0
description: |
'Detects Microsoft Sentinel incidents tagged as SOCRadar that were closed more than 30 minutes ago but do not have the Synced tag. This may indicate the SOCRadar-Alarm-Sync playbook has failed to update the SOCRadar platform with the closure status.'