Merge pull request #13858 from Radargoger/master

SOCRadar: Add SOCRadar Solution V1.0.0

Author: v-dvedak

.script/tests/KqlvalidationsTests/CustomTables/SOCRadarAuditLog_CL.json

@@ -0,0 +1,33 @@
+{
+  "Name": "SOCRadarAuditLog_CL",
+  "Properties": [
+    {
+      "Name": "TimeGenerated",
+      "Type": "DateTime"
+    },
+    {
+      "Name": "EventType",
+      "Type": "String"
+    },
+    {
+      "Name": "AlarmId",
+      "Type": "String"
+    },
+    {
+      "Name": "Message",
+      "Type": "String"
+    },
+    {
+      "Name": "TenantId",
+      "Type": "String"
+    },
+    {
+      "Name": "SourceSystem",
+      "Type": "String"
+    },
+    {
+      "Name": "Type",
+      "Type": "String"
+    }
+  ]
+}

.script/tests/KqlvalidationsTests/CustomTables/SOCRadar_Alarms_CL.json

@@ -0,0 +1,19 @@
+{
+  "Name": "SOCRadar_Alarms_CL",
+  "Properties": [
+    {"Name": "TimeGenerated", "Type": "DateTime"},
+    {"Name": "AlarmId", "Type": "String"},
+    {"Name": "CompanyId", "Type": "String"},
+    {"Name": "Title", "Type": "String"},
+    {"Name": "AlarmMainType", "Type": "String"},
+    {"Name": "AlarmSubType", "Type": "String"},
+    {"Name": "Severity", "Type": "String"},
+    {"Name": "Status", "Type": "String"},
+    {"Name": "AlarmText", "Type": "String"},
+    {"Name": "AlarmDate", "Type": "String"},
+    {"Name": "AlarmPayload", "Type": "Dynamic"},
+    {"Name": "TenantId", "Type": "String"},
+    {"Name": "SourceSystem", "Type": "String"},
+    {"Name": "Type", "Type": "String"}
+  ]
+}

Logos/socradar.svg

@@ -0,0 +1,68 @@
+[
+    {
+        "TimeGenerated": "2026-04-10T08:16:00Z",
+        "EventType": "AlarmImported",
+        "AlarmId": "50001",
+        "IncidentId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
+        "AlarmType": "Credential Exposure",
+        "Status": "OPEN",
+        "Severity": "Critical",
+        "Message": "Alarm imported to Microsoft Sentinel",
+        "FullAlarmJson": {"alarm_id": 50001, "alarm_main_type": "Credential Exposure", "severity": "Critical"}
+    },
+    {
+        "TimeGenerated": "2026-04-10T09:23:00Z",
+        "EventType": "AlarmImported",
+        "AlarmId": "50002",
+        "IncidentId": "b2c3d4e5-f678-9012-bcde-f23456789012",
+        "AlarmType": "Phishing",
+        "Status": "OPEN",
+        "Severity": "High",
+        "Message": "Alarm imported to Microsoft Sentinel",
+        "FullAlarmJson": {"alarm_id": 50002, "alarm_main_type": "Phishing", "severity": "High"}
+    },
+    {
+        "TimeGenerated": "2026-04-10T10:46:30Z",
+        "EventType": "AlarmImported",
+        "AlarmId": "50003",
+        "IncidentId": "c3d4e5f6-7890-1234-cdef-345678901234",
+        "AlarmType": "Data Leakage",
+        "Status": "OPEN",
+        "Severity": "High",
+        "Message": "Alarm imported to Microsoft Sentinel",
+        "FullAlarmJson": {"alarm_id": 50003, "alarm_main_type": "Data Leakage", "severity": "High"}
+    },
+    {
+        "TimeGenerated": "2026-04-10T14:00:00Z",
+        "EventType": "AlarmSynced",
+        "AlarmId": "50001",
+        "IncidentId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
+        "AlarmType": "Credential Exposure",
+        "Status": "Closed",
+        "Severity": "Critical",
+        "Message": "Incident closed in Microsoft Sentinel, status synced to SOCRadar (FalsePositive -> 9)",
+        "FullAlarmJson": {"classification": "FalsePositive", "socradar_status": 9}
+    },
+    {
+        "TimeGenerated": "2026-04-10T14:00:05Z",
+        "EventType": "AlarmSynced",
+        "AlarmId": "50002",
+        "IncidentId": "b2c3d4e5-f678-9012-bcde-f23456789012",
+        "AlarmType": "Phishing",
+        "Status": "Closed",
+        "Severity": "High",
+        "Message": "Incident closed in Microsoft Sentinel, status synced to SOCRadar (TruePositive -> 2)",
+        "FullAlarmJson": {"classification": "TruePositive", "socradar_status": 2}
+    },
+    {
+        "TimeGenerated": "2026-04-10T15:00:00Z",
+        "EventType": "Error",
+        "AlarmId": "50004",
+        "IncidentId": "",
+        "AlarmType": "Brand Protection",
+        "Status": "OPEN",
+        "Severity": "Medium",
+        "Message": "SOCRadar API returned 429 Too Many Requests, will retry",
+        "FullAlarmJson": {"http_status": 429, "retry_after": 30}
+    }
+]

Sample Data/Custom/SOCRadarAuditLog_CL.json

@@ -0,0 +1,139 @@
+[
+    {
+        "TimeGenerated": "2026-04-10T08:15:30Z",
+        "AlarmId": "50001",
+        "CompanyId": "12345",
+        "AlarmMainType": "Credential Exposure",
+        "AlarmSubType": "Dark Web",
+        "Severity": "Critical",
+        "Status": "OPEN",
+        "Title": "[SOCRadar] #50001 Credential Exposure on Dark Web",
+        "AlarmText": "Exposed credentials detected for domain example.com with 42 user accounts found on a dark web marketplace.",
+        "AlarmDate": "2026-04-10",
+        "AlarmPayload": {
+            "source": "darkweb.example",
+            "records_count": 42,
+            "breach_name": "sanitized-breach-2026"
+        }
+    },
+    {
+        "TimeGenerated": "2026-04-10T09:22:10Z",
+        "AlarmId": "50002",
+        "CompanyId": "12345",
+        "AlarmMainType": "Phishing",
+        "AlarmSubType": "Domain Squatting",
+        "Severity": "High",
+        "Status": "OPEN",
+        "Title": "[SOCRadar] #50002 Phishing Domain Detected",
+        "AlarmText": "Lookalike domain example-secure.com registered, potentially targeting corporate users.",
+        "AlarmDate": "2026-04-10",
+        "AlarmPayload": {
+            "suspicious_domain": "example-secure.com",
+            "registrar": "sanitized-registrar",
+            "registration_date": "2026-04-09"
+        }
+    },
+    {
+        "TimeGenerated": "2026-04-10T10:45:55Z",
+        "AlarmId": "50003",
+        "CompanyId": "12345",
+        "AlarmMainType": "Data Leakage",
+        "AlarmSubType": "Paste Site",
+        "Severity": "High",
+        "Status": "OPEN",
+        "Title": "[SOCRadar] #50003 Data Leak on Paste Site",
+        "AlarmText": "Internal source code fragments containing API keys detected on a public paste site.",
+        "AlarmDate": "2026-04-10",
+        "AlarmPayload": {
+            "paste_url": "https://sanitized-paste.example/abc123",
+            "leaked_items": [
+                "api_key",
+                "database_string"
+            ]
+        }
+    },
+    {
+        "TimeGenerated": "2026-04-10T11:30:20Z",
+        "AlarmId": "50004",
+        "CompanyId": "12345",
+        "AlarmMainType": "Brand Protection",
+        "AlarmSubType": "Social Media",
+        "Severity": "Medium",
+        "Status": "OPEN",
+        "Title": "[SOCRadar] #50004 Brand Impersonation on Social Media",
+        "AlarmText": "Fake social media profile impersonating the organization with 1,200 followers.",
+        "AlarmDate": "2026-04-10",
+        "AlarmPayload": {
+            "platform": "social-sanitized",
+            "profile_url": "https://sanitized.example/fake-profile",
+            "follower_count": 1200
+        }
+    },
+    {
+        "TimeGenerated": "2026-04-10T12:10:45Z",
+        "AlarmId": "50005",
+        "CompanyId": "12345",
+        "AlarmMainType": "Attack Surface",
+        "AlarmSubType": "Certificate",
+        "Severity": "Low",
+        "Status": "OPEN",
+        "Title": "[SOCRadar] #50005 SSL Certificate Expiry Warning",
+        "AlarmText": "SSL certificate for example.com expires in 14 days.",
+        "AlarmDate": "2026-04-10",
+        "AlarmPayload": {
+            "domain": "example.com",
+            "expires_at": "2026-04-24",
+            "issuer": "sanitized-ca"
+        }
+    },
+    {
+        "TimeGenerated": "2026-04-10T13:50:30Z",
+        "AlarmId": "50006",
+        "CompanyId": "12345",
+        "AlarmMainType": "Dark Web Monitoring",
+        "AlarmSubType": "Forum Mention",
+        "Severity": "Critical",
+        "Status": "OPEN",
+        "Title": "[SOCRadar] #50006 Ransomware Mention on Dark Forum",
+        "AlarmText": "Ransomware group mentioned the organization as an upcoming target on a dark web forum.",
+        "AlarmDate": "2026-04-10",
+        "AlarmPayload": {
+            "forum": "sanitized-forum",
+            "threat_actor": "sanitized-group",
+            "post_date": "2026-04-10"
+        }
+    },
+    {
+        "TimeGenerated": "2026-04-10T14:25:15Z",
+        "AlarmId": "50007",
+        "CompanyId": "12345",
+        "AlarmMainType": "Attack Surface",
+        "AlarmSubType": "Exposed Service",
+        "Severity": "High",
+        "Status": "OPEN",
+        "Title": "[SOCRadar] #50007 Exposed Internal Service Detected",
+        "AlarmText": "Internal database service exposed on port 5432 without authentication.",
+        "AlarmDate": "2026-04-10",
+        "AlarmPayload": {
+            "ip": "203.0.113.10",
+            "port": 5432,
+            "service": "postgresql"
+        }
+    },
+    {
+        "TimeGenerated": "2026-04-10T15:40:00Z",
+        "AlarmId": "50008",
+        "CompanyId": "12345",
+        "AlarmMainType": "Phishing",
+        "AlarmSubType": "Lookalike Domain",
+        "Severity": "Medium",
+        "Status": "OPEN",
+        "Title": "[SOCRadar] #50008 Suspicious Domain Registration",
+        "AlarmText": "New lookalike domain examp1e.com registered with typosquatting pattern.",
+        "AlarmDate": "2026-04-10",
+        "AlarmPayload": {
+            "suspicious_domain": "examp1e.com",
+            "typosquatting_score": 0.92
+        }
+    }
+]

Sample Data/Custom/SOCRadar_Alarms_CL.json

@@ -0,0 +1,37 @@
+id: 4a7b3c9e-2d15-4e8f-b6a3-9c2e7d5a1b4f
+name: SOCRadar Alarm Volume Spike
+description: |
+  'Detects unusual spikes in SOCRadar alarm volume that may indicate an active campaign, coordinated attack, or data breach. Triggers when alarm count in the last hour exceeds the 7-day hourly average by more than 3x.'
+severity: Medium
+status: Available
+requiredDataConnectors: []
+queryFrequency: 1h
+queryPeriod: 7d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - Impact
+  - Exfiltration
+relevantTechniques:
+  - T1485
+  - T1567
+query: |
+    let baseline = SOCRadar_Alarms_CL
+    | where TimeGenerated > ago(7d) and TimeGenerated < ago(1h)
+    | summarize AvgHourly = count() / 168.0;
+    let recent = SOCRadar_Alarms_CL
+    | where TimeGenerated > ago(1h)
+    | summarize RecentCount = count() by AlarmMainType;
+    recent
+    | extend BaselineAvg = toscalar(baseline)
+    | where RecentCount > (BaselineAvg * 3) and RecentCount > 5
+    | extend SpikeRatio = round(RecentCount / BaselineAvg, 2)
+    | extend timestamp = now()
+    | extend AccountName = AlarmMainType
+entityMappings:
+  - entityType: Malware
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountName
+version: 1.0.0
+kind: Scheduled

Solutions/SOCRadar/Analytic Rules/SOCRadarAlarmVolumeSpike.yaml

@@ -0,0 +1,37 @@
+id: 8f3e2c5a-7b91-4d6a-9e8f-1c4a2b5d7e3f
+name: SOCRadar High or Critical Severity Alarm
+description: |
+  'Detects SOCRadar alarms with High or Critical severity levels that require immediate attention. These alarms typically indicate active threats such as credential exposure, ransomware mentions, or targeted attacks against the organization.'
+severity: High
+status: Available
+requiredDataConnectors: []
+queryFrequency: 15m
+queryPeriod: 15m
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - Reconnaissance
+  - InitialAccess
+relevantTechniques:
+  - T1589
+  - T1078
+query: |
+    SOCRadar_Alarms_CL
+    | where Severity in ("High", "Critical")
+    | where Status == "OPEN"
+    | extend AlarmUrl = strcat("https://platform.socradar.com/company/", CompanyId, "/alarms/", AlarmId)
+    | extend AccountName = tostring(AlarmId)
+    | project TimeGenerated, AlarmId, Title, AlarmMainType, AlarmSubType, Severity, Status, AlarmUrl, AccountName
+entityMappings:
+  - entityType: Malware
+    fieldMappings:
+      - identifier: Name
+        columnName: AlarmMainType
+      - identifier: Category
+        columnName: AlarmSubType
+  - entityType: URL
+    fieldMappings:
+      - identifier: Url
+        columnName: AlarmUrl
+version: 1.0.0
+kind: Scheduled

Solutions/SOCRadar/Analytic Rules/SOCRadarCriticalAlarmDetection.yaml

@@ -0,0 +1,31 @@
+id: 6e2f8d4b-5a71-4c9e-b3f6-8a1c9d4e7b2a
+name: SOCRadar Unsynced Closed Incident
+description: |
+  'Detects Microsoft Sentinel incidents tagged as SOCRadar that were closed more than 30 minutes ago but do not have the Synced tag. This may indicate the SOCRadar-Alarm-Sync playbook has failed to update the SOCRadar platform with the closure status.'
+severity: Low
+status: Available
+requiredDataConnectors: []
+queryFrequency: 1h
+queryPeriod: 1d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - Discovery
+relevantTechniques:
+  - T1526
+query: |
+    SecurityIncident
+    | where Labels has "SOCRadar"
+    | where Status == "Closed"
+    | where LastModifiedTime < ago(30m)
+    | where not(Labels has "Synced")
+    | extend AlarmId = extract(@"#(\d+)", 1, Title)
+    | extend AccountName = AlarmId
+    | project TimeGenerated, IncidentName, Title, Status, Classification, LastModifiedTime, AlarmId, AccountName
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountName
+version: 1.0.0
+kind: Scheduled