What Changed
SOCRadar XTI Platform solution (v3.0.0) added to Content Hub, providing bidirectional integration between SOCRadar Extended Threat Intelligence platform and Microsoft Sentinel.
Solution Components
Data Sources & Logs
- Custom tables: SOCRadar_Alarms_CL, SOCRadarAuditLog_CL
- Data Collection Endpoint and Rules provisioned automatically
- Sample data included for validation
Detections & Hunting (8 total)
- 3 Analytic Rules: Critical/High severity alarm detection, volume spike detection, unsynced incident monitoring
- 5 Hunting Queries: Alarm overview, trends analysis, critical alarm hunting, incident correlation, audit analysis
- MITRE coverage: T1078 (Valid Accounts), T1485 (Data Destruction), T1486 (Data Encrypted for Impact), T1526 (Cloud Service Discovery), T1567 (Exfiltration Over Web Service), T1589 (Gather Victim Identity Information)
Automation & Sync
- SOCRadar-Alarm-Import playbook: Paginated alarm fetching with duplicate detection, severity/status mapping, automatic tagging
- SOCRadar-Alarm-Sync playbook: Bidirectional sync of closed incidents back to SOCRadar with classification mapping
- Both use Managed Identity for authentication
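The import path described above, modelled as an added Python example rather than the solution's own playbook (the Logic App itself lives in azuredeploy.json): paginated fetching with duplicate detection, then severity/status mapping and tagging. The SOCRadar API page shape (`alarms`, `has_next`), the alarm field names and both mapping tables are assumptions; the Sentinel severity and status values are the real incident vocabularies.

```python
from typing import Callable, Iterable

# Assumed SOCRadar severity -> Sentinel incident severity (Sentinel side is real).
SEVERITY_MAP = {"CRITICAL": "High", "HIGH": "High", "MEDIUM": "Medium",
                "LOW": "Low", "INFO": "Informational"}
# Assumed SOCRadar alarm status -> Sentinel incident status (Sentinel side is real).
STATUS_MAP = {"OPEN": "New", "INVESTIGATING": "Active",
              "RESOLVED": "Closed", "FALSE_POSITIVE": "Closed"}

def fetch_all_alarms(fetch_page: Callable[[int], dict]) -> Iterable[dict]:
    """Walk a paginated API. fetch_page(n) is assumed to return
    {"alarms": [...], "has_next": bool}. Stops on has_next=False or an empty
    page, so a misbehaving endpoint cannot keep the playbook looping."""
    page = 1
    while True:
        body = fetch_page(page)
        alarms = body.get("alarms", [])
        if not alarms:
            return
        yield from alarms
        if not body.get("has_next"):
            return
        page += 1

def map_alarm(alarm: dict) -> dict:
    """Translate one SOCRadar alarm into a Sentinel incident-style record.
    Unknown severities fall back to Medium rather than being dropped silently."""
    severity = SEVERITY_MAP.get(str(alarm.get("severity", "")).upper(), "Medium")
    status = STATUS_MAP.get(str(alarm.get("status", "")).upper(), "New")
    return {"alarm_id": alarm["id"], "title": alarm["title"], "severity": severity,
            "status": status, "tags": ["SOCRadar", f"SOCRadarAlarmId:{alarm['id']}"]}

def import_alarms(fetch_page: Callable[[int], dict], known_ids: set[str]) -> list[dict]:
    """known_ids holds alarm ids already present in Sentinel; it is updated in
    place so an alarm that repeats across pages (page drift) is imported once."""
    imported = []
    for alarm in fetch_all_alarms(fetch_page):
        aid = str(alarm["id"])
        if aid in known_ids:
            continue
        known_ids.add(aid)
        imported.append(map_alarm(alarm))
    return imported

# Constructed sample pages standing in for the SOCRadar API; alarm 101 repeats on page 2.
SAMPLE_PAGES = {
    1: {"alarms": [{"id": 101, "title": "Credential exposure", "severity": "CRITICAL", "status": "OPEN"},
                   {"id": 102, "title": "Ransomware mention", "severity": "HIGH", "status": "INVESTIGATING"}],
        "has_next": True},
    2: {"alarms": [{"id": 101, "title": "Credential exposure", "severity": "CRITICAL", "status": "OPEN"},
                   {"id": 103, "title": "Exposed service", "severity": "unknown", "status": "RESOLVED"}],
        "has_next": False},
}

def demo() -> list[dict]:
    # Alarm 100 is pretended to be already imported, so it would be skipped if returned.
    return import_alarms(lambda p: SAMPLE_PAGES.get(p, {"alarms": []}), known_ids={"100"})
```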
Visualization
- SOCRadar Dashboard workbook with severity, status, and timeline charts
Extended Threat Intelligence Coverage
SOCRadar XTI provides external attack surface monitoring and threat intelligence. Key alarm types monitored include:
- Credential exposure detection
- Ransomware mentions targeting the organization
- Digital risk protection alerts
- Attack surface management findings
Security Impact
Organizations gain visibility into external threats and attack surface exposure that traditional internal monitoring cannot detect. The bidirectional sync ensures threat response workflows remain synchronized between SOCRadar threat intelligence and Microsoft Sentinel incident management.
Affected Files
.script/tests/KqlvalidationsTests/CustomTables/SOCRadarAuditLog_CL.json
.script/tests/KqlvalidationsTests/CustomTables/SOCRadar_Alarms_CL.json
Logos/socradar.svg
Sample Data/Custom/SOCRadarAuditLog_CL.json
Sample Data/Custom/SOCRadar_Alarms_CL.json
Solutions/SOCRadar/Analytic Rules/SOCRadarAlarmVolumeSpike.yaml
Solutions/SOCRadar/Analytic Rules/SOCRadarCriticalAlarmDetection.yaml
Solutions/SOCRadar/Analytic Rules/SOCRadarUnsyncedClosedIncident.yaml
Solutions/SOCRadar/Hunting Queries/SOCRadar-Alarm-Overview.yaml
Solutions/SOCRadar/Hunting Queries/SOCRadar-Alarm-Trends.yaml
Solutions/SOCRadar/Hunting Queries/SOCRadar-Audit-Analysis.yaml
Solutions/SOCRadar/Hunting Queries/SOCRadar-Critical-Alarms.yaml
Solutions/SOCRadar/Hunting Queries/SOCRadar-Incident-Correlation.yaml
Solutions/SOCRadar/Package/testParameters.json
Solutions/SOCRadar/Playbooks/SOCRadar-Alarm-Import/azuredeploy.json
Solutions/SOCRadar/Playbooks/SOCRadar-Alarm-Import/readme.md
Solutions/SOCRadar/Playbooks/SOCRadar-Alarm-Sync/azuredeploy.json
Solutions/SOCRadar/Playbooks/SOCRadar-Alarm-Sync/readme.md
Solutions/SOCRadar/Workbooks/Images/Logos/socradar.svg
Solutions/SOCRadar/Workbooks/Images/Preview/SOCRadarDashboardBlack.png
Solutions/SOCRadar/Workbooks/Images/Preview/SOCRadarDashboardWhite.png
Solutions/SOCRadar/Workbooks/SOCRadar-Dashboard.json
Solutions/SOCRadar/logo/socradar.svg
Solutions/SOCRadar/readme.md
Workbooks/Images/Logos/socradar.svg
Workbooks/Images/Preview/SOCRadarDashboardBlack.png
Workbooks/Images/Preview/SOCRadarDashboardWhite.png
Workbooks/WorkbooksMetadata.json
(packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_SOCRadar.json, createUiDefinition.json, mainTemplate.json)