
Creating Cydarm cases from Azure Sentinel incidents using Logic Apps

This article shows you how to automatically create Cydarm cases from Azure Sentinel incidents using Microsoft Azure Logic Apps.

Overview

When you have an incident in Azure Sentinel, this Logic App will automatically create a corresponding case in Cydarm with all the incident information attached as a JSON file. The case will include metadata linking back to the original Sentinel incident.

Prerequisites

  • Azure Sentinel workspace with incidents

  • Cydarm instance with API access

  • Azure subscription with permissions to create Logic Apps and Key Vaults

  • Service account credentials for Cydarm API access

Step 1: Create Azure key vault and store credentials

Set up Key Vault

  1. Create a new Azure Key Vault in your subscription

  2. Navigate to Access control (IAM) in your Key Vault

  3. Click Add → Add role assignment

  4. Assign yourself the Key Vault Secrets Officer role

Store Cydarm credentials

  1. In your Key Vault, go to Secrets

  2. Create two secrets:

    • Username: Base64-encoded Cydarm service account username

    • Password: Base64-encoded Cydarm service account password

Note: Store both credentials base64-encoded; this saves a conversion step in the Logic App, because the Cydarm password-authentication endpoint expects encoded values.

Step 2: Create Logic App with managed identity

Create the Logic App

  1. Create a new Logic App in Azure

  2. Navigate to Settings → Identity

  3. Enable System assigned managed identity by switching status to On

  4. Copy the Object (principal) ID; you'll need it to grant the Logic App access to the Key Vault

Grant Key Vault access to Logic App

  1. Return to your Key Vault

  2. Go to Access control (IAM)

  3. Click Add → Add role assignment

  4. Assign the Key Vault Secrets User role to your Logic App's managed identity

Step 3: Build the Logic App workflow

The workflow consists of six steps:

Step 1: Microsoft Sentinel Incident Trigger

  • Add the Microsoft Sentinel incident trigger

  • This creates a placeholder that receives incident data when the playbook runs

Step 2: Get encoded username

  1. Add an Azure Key Vault → Get secret action

  2. Connect to your Key Vault

  3. Enter the secret name for your username

Step 3: Get encoded password

  1. Add another Azure Key Vault → Get secret action

  2. Use the same Key Vault connection

  3. Enter the secret name for your password

Step 4: Authenticate to Cydarm API

  1. Add HTTP action (not HTTP Webhook)

  2. Configure:

    • Method: POST

    • URI: https://your-cydarm-instance.com/cydarm-api/auth/password

    • Headers: None (we're not authenticated yet)

    • Body:

{
  "username": "[Dynamic content: Get encoded username → value]",
  "password": "[Dynamic content: Get encoded password → value]"
}

Step 5: Create Cydarm case

  1. Add HTTP action

  2. Configure:

    • Method: POST

    • URI: https://your-cydarm-instance.com/cydarm-api/case

    • Headers:

      • X-Cydarm-Authz: [Dynamic content: Authentication → headers → access-token]

    • Body:

{
  "description": "[Dynamic content: Trigger body → object → properties → title]",
  "metadata": {
    "MS Sentinel Incident ID": {
      "value": "[Dynamic content: Trigger body → object → properties → incidentNumber]"
    },
    "Origin URL": {
      "value": "[Dynamic content: Trigger body → object → properties → incidentUrl]"
    }
  }
}

Optional: Add additional fields like org, severity, or access_control_list as needed

Step 6: Add incident data to case

  1. Add HTTP action

  2. Configure:

    • Method: POST

    • URI: https://your-cydarm-instance.com/cydarm-api/case/[Dynamic content: Create case → body → uuid]/data

    • Headers:

      • X-Cydarm-Authz: [Dynamic content: Authentication → headers → access-token]

    • Body:

{
  "mimetype": "application/json",
  "significance": "Comment",
  "filename": "[Dynamic content: Trigger body → object → properties → name].json",
  "data": "[Dynamic content: base64(triggerBody())]"
}
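The three HTTP actions above (authenticate, create case, attach data) are easier to reason about when written out as one sequence. The following is an added example, not code from the article or from Cydarm: it reproduces Steps 4 to 6 in plain Python with the same endpoint paths, the same X-Cydarm-Authz header and the same trigger-body field mapping the article uses. The response shapes (an access-token header from the auth call, a uuid in the create-case body) are taken from the article's dynamic-content references; the transport is injectable so the flow can run offline against a constructed stand-in server (FakeCydarm), and the pre-flight base64 check reflects the "Authentication fails" troubleshooting item. Class and function names, the sample incident and the credentials are all constructed for the example.

```python
# Added example: the Logic App's Step 4-6 sequence as plain Python.
# Endpoint paths and header names come from the article; everything
# else (client class, fake server, sample values) is constructed here.
import base64
import binascii
import json
import urllib.request


def b64(text):
    """Encode a secret the way the article stores it in Key Vault."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def looks_base64(value):
    """Pre-flight for the 'Authentication fails' item: a secret stored in
    plain text (not base64) is rejected before any request is sent."""
    try:
        base64.b64decode(value, validate=True)
        return len(value) > 0
    except (binascii.Error, ValueError):
        return False


def urllib_transport(method, url, headers, body):
    """Real transport for use against an actual Cydarm instance."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, {k.lower(): v for k, v in resp.headers.items()}, resp.read()


class CydarmClient:
    def __init__(self, base_url, transport=urllib_transport):
        self.base = base_url.rstrip("/") + "/cydarm-api"
        self.send = transport          # callable(method, url, headers, body) -> (status, headers, body)
        self.token = None

    def _post(self, path, payload, authed=True):
        headers = {"Content-Type": "application/json"}
        if authed:
            headers["X-Cydarm-Authz"] = self.token   # Steps 5 and 6 reuse the Step 4 token
        status, hdrs, body = self.send("POST", self.base + path, headers, json.dumps(payload).encode())
        if status >= 300:
            raise RuntimeError(f"POST {path} returned HTTP {status}: {body[:200]!r}")
        return hdrs, body

    def authenticate(self, encoded_username, encoded_password):
        # Step 4: Key Vault values are already base64, so they are passed through unchanged.
        hdrs, _ = self._post("/auth/password",
                             {"username": encoded_username, "password": encoded_password}, authed=False)
        self.token = hdrs["access-token"]
        return self.token

    def create_case(self, incident):
        # Step 5: the same three trigger-body properties the article maps into the case.
        props = incident["object"]["properties"]
        payload = {"description": props["title"],
                   "metadata": {"MS Sentinel Incident ID": {"value": str(props["incidentNumber"])},
                                "Origin URL": {"value": props["incidentUrl"]}}}
        _, body = self._post("/case", payload)
        return json.loads(body)["uuid"]

    def attach_incident(self, case_uuid, incident):
        # Step 6: the whole trigger body, base64-encoded, attached as a JSON file.
        props = incident["object"]["properties"]
        payload = {"mimetype": "application/json", "significance": "Comment",
                   "filename": f"{props['name']}.json", "data": b64(json.dumps(incident))}
        self._post(f"/case/{case_uuid}/data", payload)
        return payload["filename"]


def run_playbook(client, incident, encoded_username, encoded_password):
    """Same order as the Logic App: authenticate, create the case, attach the data."""
    if not (looks_base64(encoded_username) and looks_base64(encoded_password)):
        raise ValueError("Key Vault secret is not base64-encoded")
    client.authenticate(encoded_username, encoded_password)
    uuid = client.create_case(incident)
    return uuid, client.attach_incident(uuid, incident)


class FakeCydarm:
    """Constructed stand-in for a Cydarm server so the flow runs offline. It enforces
    the ordering the Logic App relies on: token before case, case before data."""
    def __init__(self, username="svc-sentinel", password="example-password"):
        self.creds, self.token, self.cases = (username, password), "constructed-token", {}

    def __call__(self, method, url, headers, body):
        payload = json.loads(body)
        if url.endswith("/auth/password"):
            sent = tuple(base64.b64decode(payload[k]).decode() for k in ("username", "password"))
            return (200, {"access-token": self.token}, b"{}") if sent == self.creds \
                else (401, {}, b'{"error":"bad credentials"}')
        if headers.get("X-Cydarm-Authz") != self.token:
            return 401, {}, b'{"error":"missing or invalid token"}'
        if url.endswith("/case"):
            uuid = f"case-{len(self.cases) + 1:04d}"
            self.cases[uuid] = {"case": payload, "data": []}
            return 201, {}, json.dumps({"uuid": uuid}).encode()
        uuid = url.rsplit("/", 2)[1]                   # .../case/<uuid>/data
        if uuid not in self.cases:
            return 404, {}, b'{"error":"no such case"}'
        self.cases[uuid]["data"].append(json.loads(base64.b64decode(payload["data"])))
        return 201, {}, b"{}"


SAMPLE_INCIDENT = {  # constructed; field paths follow the article's dynamic-content references
    "object": {"properties": {"title": "Suspicious sign-in from unfamiliar location",
                              "incidentNumber": 1042,
                              "incidentUrl": "https://portal.azure.example/incident/1042",
                              "name": "00000000-0000-0000-0000-000000000000"}}}

if __name__ == "__main__":
    client = CydarmClient("https://cydarm.example", transport=FakeCydarm())
    print(run_playbook(client, SAMPLE_INCIDENT, b64("svc-sentinel"), b64("example-password")))
```

To run it against a real instance, construct CydarmClient with the instance URL and the default urllib transport, and pass in the two Key Vault secret values exactly as stored; a wrong or plain-text secret fails at the authentication step before any case is created, which is the same place the Logic App fails.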

Step 4: Deploy and test

Set up Sentinel playbook

  1. In Azure Sentinel, navigate to your incident

  2. Click Actions → Run playbook

  3. Select your Logic App from the list

  4. The playbook will execute and create the Cydarm case

Verify results

  1. Check your Cydarm case list for the new case

  2. Verify the case contains:

    • Incident title as description

    • Microsoft Sentinel incident ID in metadata

    • Origin URL linking back to Sentinel

    • JSON file with complete incident data

Troubleshooting

Logic App step hangs: Ensure you're using HTTP actions, not HTTP Webhook actions

Authentication fails: Verify your base64-encoded credentials are correct and the service account has proper Cydarm permissions

Key Vault access denied: Check that your Logic App's managed identity has Key Vault Secrets User role

Case creation fails: Ensure your Cydarm API endpoint URLs are correct and the service account has case creation permissions

Additional configuration options

  • Multi-tenant environments: Add an org field to specify the organization

  • Custom severity: Add a severity field to pre-assign case severity

  • Access control: Add acl field for custom permissions

  • User-assigned identity: Use user-assigned managed identity to run as the triggering user

The Logic App will now automatically create Cydarm cases whenever Azure Sentinel incidents are processed, maintaining full traceability between the two systems.
