Automatically closing Azure Sentinel incidents from Cydarm cases

This article shows you how to configure Cydarm to automatically close Azure Sentinel incidents when their corresponding Cydarm cases are closed.

Overview

To automatically close Azure Sentinel incidents when the corresponding cases are closed in Cydarm, you need to modify your existing Logic App and set up a Sentinel Incident Closer connector.

Prerequisites

Step 1: Modify your existing Logic App

You need to update the Create Cydarm Case step in your Logic App to include additional metadata fields required for incident closure.

Update the case creation body

In Step 5: Create Cydarm Case of the original guide (Creating Cydarm Cases from Azure Sentinel Incidents using Logic Apps), modify the body to include these additional metadata fields:

{
  "description": "[Dynamic content: Trigger body → object → properties → title]",
  "metadata": {
    "MS Sentinel Incident ID": {
      "value": "[Dynamic content: Trigger body → object → name]"
    },
    "Azure Tenant ID": {
      "value": "your-tenant-id-here"
    },
    "Azure Subscription ID": {
      "value": "[Dynamic content: Trigger body → workspaceInfo → subscriptionId]"
    },
    "Origin URL": {
      "value": "[Dynamic content: Trigger body → object → properties → incidentUrl]"
    }
  }
}

Locating Dynamic Content Fields

For MS Sentinel incident ID:

  • Search for "ARM Name" in dynamic content

  • Select the field ARM Name of the Incident (GUID)

For Azure tenant ID:

  • This information is not available in the Sentinel incident trigger

  • Hard-code your Azure tenant ID directly in the JSON

For Azure subscription ID:

  • Search for "subscription" in dynamic content

  • Select Incident Workspace Subscription ID

  • Full path: triggerBody()['workspaceInfo']['subscriptionId']
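The mapping above, carried through as an added example (not Cydarm's code or the Logic App itself): it builds the case body from a constructed Sentinel trigger payload using the same four paths, hard-codes the tenant ID as the article instructs, and checks that every required metadata field is populated before the case is created, since closure depends on all four. The payload values and the helper names are assumptions.

```python
# Metadata field names exactly as the article's case-creation body uses them.
REQUIRED_METADATA = (
    "MS Sentinel Incident ID",
    "Azure Tenant ID",
    "Azure Subscription ID",
    "Origin URL",
)

# Constructed sample of the Sentinel incident trigger body (values invented);
# the nested paths are the ones the article maps.
SAMPLE_TRIGGER_BODY = {
    "object": {
        "name": "11111111-2222-3333-4444-555555555555",  # ARM name (GUID)
        "properties": {
            "title": "Suspicious sign-in from unfamiliar location",
            "incidentUrl": "https://portal.azure.com/#/incident/example",
        },
    },
    "workspaceInfo": {"subscriptionId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"},
}


def build_case_body(trigger_body: dict, tenant_id: str) -> dict:
    """Build the body the Create Cydarm Case step sends (hypothetical helper).

    tenant_id is supplied by the caller because the incident trigger does not
    carry it. Missing paths yield "" instead of raising so the result can be
    validated before it is posted.
    """
    obj = trigger_body.get("object", {})
    props = obj.get("properties", {})
    workspace = trigger_body.get("workspaceInfo", {})
    return {
        "description": props.get("title", ""),
        "metadata": {
            "MS Sentinel Incident ID": {"value": obj.get("name", "")},
            "Azure Tenant ID": {"value": tenant_id},
            "Azure Subscription ID": {"value": workspace.get("subscriptionId", "")},
            "Origin URL": {"value": props.get("incidentUrl", "")},
        },
    }


def missing_metadata(case_body: dict) -> list:
    """Names of required metadata fields that are absent or empty.

    The closer connector needs all four to match a case to its incident, so an
    empty list is the precondition for automatic closure.
    """
    meta = case_body.get("metadata", {})
    return [k for k in REQUIRED_METADATA if not meta.get(k, {}).get("value")]
```

Run `missing_metadata(build_case_body(trigger, tenant))` in a test harness against a captured Logic App run to confirm the mappings before relying on closure.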

Step 2: Create Azure service principal

Set up service principal in Azure

  1. Navigate to Azure Active Directory → App registrations

  2. Click New registration

  3. Provide a name (e.g., "Cydarm-Sentinel-Closer")

  4. Register the application

  5. Note the Application (client) ID and Directory (tenant) ID

Create client secret

  1. In your app registration, go to Certificates & secrets

  2. Click New client secret

  3. Set expiration period and description

  4. Copy the secret Value (not the ID)

Assign permissions to service principal

  • SecurityAlert.ReadWrite.All

  • SecurityEvents.Read.All

  • SecurityAlert.Read.All

  • SecurityEvents.ReadWrite.All

  • SecurityIncident.Read.All

  • SecurityIncident.ReadWrite.All

  • User.Read

Step 3: Configure Cydarm Sentinel incident closer connector

Create the connector

  1. In Cydarm, navigate to Admin → Connectors

  2. Click Add Connector

  3. Configure the following settings:

Basic configuration:

  • Connector Type: Microsoft Sentinel Incidents

  • Name: Sentinel Incident Closer

  • Description: Automatically closes Azure Sentinel incidents when Cydarm cases are closed

Authentication settings:

  • Client ID: Application (client) ID from your service principal

  • Client Secret: Client secret value from Azure

  • Tenant ID: Your Azure tenant ID

Alternative authentication (certificate-based)

If you prefer certificate authentication over client secrets:

  1. Generate a certificate and upload the public key to your Azure service principal

  2. In the Cydarm connector, check the box for “Use Certificate Authentication” and paste in:

    • Public Key: Certificate public key

    • Private Key: Certificate private key

Azure configuration:

  • Subscription ID: Your Azure subscription ID

  • Workspace Name: Name of your Sentinel workspace

  • Resource Group Name: Resource group containing your Sentinel workspace

Connector options:

  • Close Cases: Must be enabled for incident closure

  • Activate Polling: Do NOT enable (we're using Logic Apps for case creation)

  • Organization: Select appropriate organization if using multi-tenant Cydarm

Step 4: Test the integration

Create and process a test incident

  1. In Azure Sentinel, create a new incident manually

  2. Run your Logic App playbook on the incident:

    • Open the incident

    • Click Actions → Run playbook

    • Select your Logic App

Verify case creation

  1. Check Cydarm case list for the new case

  2. Verify the case contains all required metadata:

    • Microsoft Sentinel incident ID

    • Azure tenant ID

    • Azure subscription ID

    • Origin URL

  3. Confirm case status shows as New

Test incident closure

  1. In Cydarm, open the case

  2. Change status to Analysis then Closure

  3. Return to Azure Sentinel and refresh the incidents list

  4. Verify the incident status changed to Closed

  5. Refresh again - closed incidents disappear from the default view

Troubleshooting

Incident doesn't close automatically:

  • Verify service principal has required roles

  • Check that Close Cases is enabled in the connector

  • Ensure all metadata fields are correctly populated in the case

Authentication errors:

  • Verify client ID and tenant ID are correct

  • Check that client secret hasn't expired

  • Ensure service principal has proper permissions on the Sentinel workspace

Missing metadata fields:

  • Check that the required metadata field names exist in Cydarm settings

  • Review the Logic App run history to confirm all fields are being populated

  • Check dynamic content mappings are pointing to correct trigger body properties

Unexpected case creation or no case creation:

  • Ensure Activate Polling is disabled in the connector

  • Verify the original Logic App is working correctly per the first guide

Important Notes

  • Do not enable polling: The connector should only close cases, not create them

  • Metadata is required: All four metadata fields (incident ID, tenant ID, subscription ID, origin URL) must be present for closure to work

  • Status synchronization: Case status changes in Cydarm will automatically reflect in Sentinel

  • Bidirectional sync: This creates a complete bidirectional integration between Cydarm and Azure Sentinel

The integration now provides complete lifecycle management, allowing you to create cases from Sentinel incidents and automatically close the original incidents when case investigation is complete in Cydarm. 

For more detailed technical information please refer to our Cydarm API documentation.