Integrations
      Back to home
      1. Knowledge Base
      2. Cydarm Administration
      3. Integrations

      Automatically closing Azure Sentinel incidents from Cydarm cases

      This article shows you how to configure Cydarm to automatically close Azure Sentinel incidents when their corresponding Cydarm cases are closed.

      Overview

      To automatically close Azure Sentinel incidents when corresponding cases are closed in Cydarm, modifications will need to be made to your existing Logic App and setting up a Sentinel Incident Closer connector. 

      Prerequisites

      Step 1: Modify your existing Logic App

      You need to update the Create Cydarm Case step in your Logic App to include additional metadata fields required for incident closure.

      Update the case creation body

      In Step 5 (from Creating Cydarm Cases from Azure Sentinel Incidents using Logic Apps): Create Cydarm Case from the original guide, modify the body to include these additional metadata fields:

      {
        "description": "[Dynamic content: Trigger body → object → properties → title]",
        "metadata": {
          "MS Sentinel Incident ID": {
            "value": "[Dynamic content: Trigger body → object → name]"
          },
          "Azure Tenant ID": {
            "value": "your-tenant-id-here"
          },
          "Azure Subscription ID": {
            "value": "[Dynamic content: Trigger body → workspaceInfo → subscriptionId]"
          },
          "Origin URL": {
            "value": "[Dynamic content: Trigger body → object → properties → incidentUrl]"
          }
        }
      }

      Locating Dynamic Content Fields

      For MS Sentinel incident ID:

      • Search for "ARM Name" in dynamic content

      • Select the field ARM Name of the Incident (GUID)

      For Azure tenant ID:

      • This information is not available in the Sentinel incident trigger

      • Hard-code your Azure tenant ID directly in the JSON

      For Azure subscription ID:

      • Search for "subscription" in dynamic content

      • Select Incident Workspace Subscription ID

      • Full path: triggerBody()['workspaceInfo']['subscriptionId']

      Step 2: Create Azure service principal

      Set up service principal in Azure

      1. Navigate to Azure Active DirectoryApp registrations

      2. Click New registration

      3. Provide a name (e.g., "Cydarm-Sentinel-Closer")

      4. Register the application

      5. Note the Application (client) ID and Directory (tenant) ID

      Create client secret

      1. In your app registration, go to Certificates & secrets

      2. Click New client secret

      3. Set expiration period and description

      4. Copy the secret Value (not the ID)

      Assign permissions to service principal

      • SecurityAlert.ReadWrite.All

      • SecurityEvents.Read.All

      • SecurityAlert.Read.All

      • SecurityEvents.ReadWrite.All

      • SecurityIncident.Read.All

      • SecurityIncident.ReadWrite.All

      • User.Read

      Step 3: Configure Cydarm Sentinel incident closer connector

      Create the connector

      1. In Cydarm, navigate to AdminConnectors

      2. Click Add Connector

      3. Configure the following settings:

      Basic configuration:

      • Connector Type: Microsoft Sentinel Incidents

      • Name: Sentinel Incident Closer

      • Description: Automatically closes Azure Sentinel incidents when Cydarm cases are closed

      Authentication settings:

      • Client ID: Application (client) ID from your service principal

      • Client Secret: Client secret value from Azure

      • Tenant ID: Your Azure tenant ID

      Alternative authentication (certificate-based)

      If you prefer certificate authentication over client secrets:

      1. Generate a certificate and upload the public key to your Azure service principal

      2. In the Cydarm connector, check the box for “Use Certificate Authentication” and paste in:

        • Public Key: Certificate public key

        • Private Key: Certificate private key

      Azure configuration:

      • Subscription ID: Your Azure subscription ID

      • Workspace Name: Name of your Sentinel workspace

      • Resource Group Name: Resource group containing your Sentinel workspace

      Connector options:

      • Close Cases: Must be enabled for incident closure

      • Activate Polling: Do NOT enable (we're using Logic Apps for case creation)

      • Organization: Select appropriate organization if using multi-tenant Cydarm

      Step 4: Test the integration

      Create and process a test incident

      1. In Azure Sentinel, create a new incident manually

      2. Run your Logic App playbook on the incident:

        • Open the incident

        • Click ActionsRun playbook

        • Select your Logic App

      Verify case creation

      1. Check Cydarm case list for the new case

      2. Verify the case contains all required metadata:

        • Microsoft Sentinel incident ID

        • Azure tenant ID

        • Azure subscription ID

        • Origin URL

      3. Confirm case status shows as New

      Test incident closure

      1. In Cydarm, open the case

      2. Change status to Analysis then Closure

      3. Return to Azure Sentinel and refresh the incidents list

      4. Verify the incident status changed to Closed

      5. Refresh again - closed incidents disappear from the default view

      Troubleshooting

      Incident doesn't close automatically:

      • Verify service principal has required roles

      • Check that Close Cases is enabled in the connector

      • Ensure all metadata fields are correctly populated in the case

      Authentication errors:

      • Verify client ID and tenant ID are correct

      • Check that client secret hasn't expired

      • Ensure service principal has proper permissions on the Sentinel workspace

      Missing metadata fields:

      • Check that the required metadata field names exist in Cydarm settings

      • Review the Logic App run history to confirm all fields are being populated

      • Check dynamic content mappings are pointing to correct trigger body properties

      Unexpected case creation or no case creation:

      • Ensure Activate Polling is disabled in the connector

      • Verify the original Logic App is working correctly per the first guide

      Important Notes

      • Do not enable polling: The connector should only close cases, not create them

      • Metadata is required: All four metadata fields (incident ID, tenant ID, subscription ID, origin URL) must be present for closure to work

      • Status synchronization: Case status changes in Cydarm will automatically reflect in Sentinel

      • Bidirectional sync: This creates a complete bidirectional integration between Cydarm and Azure Sentinel

      The integration now provides complete lifecycle management, allowing you to create cases from Sentinel incidents and automatically close the original incidents when case investigation is complete in Cydarm. 

      {
        "description": "[Dynamic content: Trigger body → object → properties → title]",
        "metadata": {
          "MS Sentinel Incident ID": {
            "value": "[Dynamic content: Trigger body → object → name]"
          },
          "Azure Tenant ID": {
            "value": "your-tenant-id-here"
          },
          "Azure Subscription ID": {
            "value": "[Dynamic content: Trigger body → workspaceInfo → subscriptionId]"
          },
          "Origin URL": {
            "value": "[Dynamic content: Trigger body → object → properties → incidentUrl]"
          }
        }
      }
       


      For more detailed technical information please refer to our Cydarm API documentation.