
Microsoft Sentinel

Microsoft Sentinel is a cloud-native SIEM and SOAR solution built on Azure. It delivers intelligent security analytics and threat intelligence across your entire enterprise, using AI to proactively hunt for threats, detect anomalies, and automate incident response — with deep integration across Microsoft 365, Azure, and hundreds of third-party connectors.

Microsoft Sentinel Integration

Enrich Sentinel incidents with compliance control mappings using a Logic Apps playbook. When an analytic rule fires, an automation rule triggers the playbook, which calls /v1/map with the incident description and posts the matched controls back as an incident comment — making compliance context visible directly in the Sentinel incident queue.

Architecture

Analytic Rule fires
        │
        ▼
Automation Rule
        │  triggers
        ▼
Logic App Playbook
  ├─ fetch API key from Key Vault
  ├─ POST /v1/map with incident description
  └─ add matched controls as incident comment
        │
        ▼
Sentinel Incident
  enriched with compliance control mappings

Step 1 — Discover Available Framework IDs

Before creating the playbook, retrieve the framework IDs you want to map against:

curl -s -H "authorization: $SECBERUS_API_KEY" \
  https://compliance.secberus.ai/v1/frameworks \
  | jq '.[] | {id, name, region}'

Sample output:

{"id": "pci_dss_v4",     "name": "PCI DSS v4.0",                       "region": "Global"}
{"id": "nist_800_53_r5", "name": "NIST SP 800-53 Rev 5",               "region": "US"}
{"id": "nist_csf_v2",    "name": "NIST Cybersecurity Framework v2.0",  "region": "US"}
{"id": "iso_27001",      "name": "ISO/IEC 27001:2022",                 "region": "Global"}
{"id": "soc2",           "name": "SOC 2 Type II",                      "region": "US"}
{"id": "aicpa_tsc",      "name": "AICPA Trust Services Criteria",      "region": "US"}

Note the IDs you need — you will hardcode them in the Logic App HTTP action body in Step 4.


Step 2 — Store the API Key in Azure Key Vault

Store your Secberus API key as an Azure Key Vault secret so the Logic App can retrieve it securely via Managed Identity (no credentials in the workflow definition). Passing the key with --value leaves it in your shell history; on a shared machine, supply it from a file with --file instead.

# Create the secret
az keyvault secret set \
  --vault-name "<your-key-vault>" \
  --name "SecberusApiKey" \
  --value "YOUR_API_KEY_HERE"

Note the secret's URI from the output — you will reference it in Step 3.


Step 3 — Create the Logic App and Enable Managed Identity

  1. In the Azure portal, create a new Logic App (Consumption) in the same resource group as your Sentinel workspace.
  2. Navigate to Identity → System assigned and set the status to On. Save and note the Object ID.
  3. Grant the Managed Identity the Key Vault Secrets User role on your Key Vault (this role applies only when the vault uses the Azure RBAC permission model; a vault on the legacy access-policy model needs a Get secret access policy for the identity instead):

     az role assignment create \
       --role "Key Vault Secrets User" \
       --assignee "<object-id-from-step-above>" \
       --scope "/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.KeyVault/vaults/<vault>"

  4. Grant the Managed Identity the Microsoft Sentinel Responder role on your Sentinel workspace so the playbook can post incident comments:

     az role assignment create \
       --role "Microsoft Sentinel Responder" \
       --assignee "<object-id>" \
       --scope "/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/<workspace>"

Step 4 — Build the Playbook

In the Logic App Designer, add the following actions in order.

Action 1 — Trigger: Microsoft Sentinel Incident

Select the Microsoft Sentinel connector's incident trigger, not the alert trigger ("When a response to a Microsoft Sentinel alert is triggered"): the triggerBody() expressions in the following actions and the Incident created automation rule in Step 5 both require the incident trigger. It fires whenever an automation rule invokes the playbook.

Action 2 — Get Secret from Key Vault

Add an Azure Key Vault — Get secret action.

Field           Value
Secret name     SecberusApiKey
Authentication  Managed Identity

Store the output as apiKey — reference it in subsequent steps as @body('Get_secret')?['value']. In the action's Settings, turn on Secure Outputs (and Secure Inputs on the HTTP action that consumes it) so the key is not written to the Logic App run history.

Action 3 — HTTP: Call /v1/map

Add an HTTP action with the following settings:

Field   Value
Method  POST
URI     https://compliance.secberus.ai/v1/map

Headers:

{
  "authorization": "@body('Get_secret')?['value']",
  "Content-Type": "application/json"
}

Body:

{
  "frameworks": ["pci_dss_v4", "nist_800_53_r5"],
  "min_similarity": 0.3,
  "topk": 5,
  "documents": [
    {
      "id": "incident",
      "document": "@{triggerBody()?['object']?['properties']?['description']}"
    }
  ]
}

Update frameworks with the IDs from Step 1.

Action 4 — Parse JSON: Extract Controls

Add a Parse JSON action to make the response fields addressable in later steps.

Field    Value
Content  @body('HTTP')
Schema   Paste the schema below
{
  "type": "object",
  "properties": {
    "frameworks": {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "framework_id": {"type": "string"},
          "controls": {
            "type": "array",
            "items": {
              "type": "object",
              "properties": {
                "document_id": {"type": "string"},
                "similarity":  {"type": "number"},
                "confidence":  {"type": "string"},
                "control": {
                  "type": "object",
                  "properties": {
                    "id":          {"type": "string"},
                    "family":      {"type": "string"},
                    "framework_id":{"type": "string"}
                  }
                }
              }
            }
          }
        }
      }
    }
  }
}

Action 5 — Compose: Format the Comment

Add a Compose action to build a readable comment from the parsed controls. Use the following expression in the Inputs field:

concat(
  '## Secberus Compliance Mapping\n\n',
  string(body('Parse_JSON'))
)

For a formatted table, use a more detailed expression or switch to a For each loop over body('Parse_JSON')?['frameworks'] to build per-framework sections.

Action 6 — Add Comment to Incident

Add a Microsoft Sentinel — Add comment to incident action.

Field             Value
Incident ARM ID   @triggerBody()?['object']?['id']
Incident Comment  @outputs('Compose')

Step 5 — Connect to an Automation Rule

In Microsoft Sentinel → Automation → Automation rules, create a rule:

Field                  Value
Trigger                Incident created
Conditions (optional)  Filter by analytic rule name or severity
Actions                Run playbook → select your Logic App

The playbook will now run automatically on new incidents that match the rule conditions.


Step 6 — Test the Playbook

  1. In the Logic App, select Run Trigger → Run to fire a manual test.
  2. Navigate to a Sentinel incident and check the Comments tab for the compliance mapping output.
  3. Review the Logic App Run history for per-action input/output and error details if any step failed.

Configuration Reference

Key parameters in the HTTP action body

Parameter       Type           Default  Description
frameworks      array[string]           Framework IDs from Step 1
min_similarity  float                   Exclude matches below this score (0.01–1.0)
min_confidence  string                  Exclude matches below this level: High, Medium, Low, Very Low. Mutually exclusive with min_similarity.
topk            integer        1        Max controls per framework/document pair
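The request body in Step 4 Action 3, the parameter rules in the table above, and the per-framework comment that Action 5 leaves as a For each exercise can all be checked locally before the playbook is wired up. The following Python harness is an added example and is not Secberus or Microsoft code: build_map_request applies the documented constraints (0.01–1.0 similarity range, the four confidence levels, and the min_similarity/min_confidence exclusivity) and format_comment renders a response in the shape of the Action 4 schema as the markdown comment the Compose step would post. The response data, control IDs and family names are constructed placeholders, not real API output.

```python
"""Local harness for the Sentinel playbook (added example, not Secberus or Microsoft code).

build_map_request  -> the JSON body sent to POST /v1/map, validated against the
                      Configuration Reference rules.
format_comment     -> the per-framework markdown comment that the Compose / For each
                      step in Action 5 would produce from a /v1/map response.
"""

CONFIDENCE_LEVELS = ("Very Low", "Low", "Medium", "High")


def build_map_request(description, frameworks, *, min_similarity=None,
                      min_confidence=None, topk=1, document_id="incident"):
    """Return the /v1/map body, rejecting parameter combinations the API documents as invalid."""
    if not frameworks:
        raise ValueError("at least one framework ID from /v1/frameworks is required")
    if min_similarity is not None and min_confidence is not None:
        raise ValueError("min_similarity and min_confidence are mutually exclusive")
    if min_similarity is not None and not 0.01 <= min_similarity <= 1.0:
        raise ValueError("min_similarity must be within 0.01-1.0")
    if min_confidence is not None and min_confidence not in CONFIDENCE_LEVELS:
        raise ValueError(f"min_confidence must be one of {CONFIDENCE_LEVELS}")
    if int(topk) < 1:
        raise ValueError("topk must be a positive integer")
    body = {
        "frameworks": list(frameworks),
        "topk": int(topk),
        # One document per incident; the playbook feeds the incident description here.
        "documents": [{"id": document_id, "document": description}],
    }
    if min_similarity is not None:
        body["min_similarity"] = min_similarity
    if min_confidence is not None:
        body["min_confidence"] = min_confidence
    return body


def format_comment(response, title="## Secberus Compliance Mapping"):
    """Render a /v1/map response (Action 4 schema) as one markdown section per framework,
    controls ordered by descending similarity; frameworks with no matches are called out."""
    lines = [title, ""]
    for fw in response.get("frameworks", []):
        lines.append(f"### {fw['framework_id']}")
        controls = sorted(fw.get("controls", []), key=lambda c: c["similarity"], reverse=True)
        if not controls:
            lines.extend(["_No controls matched._", ""])
            continue
        lines.append("| Control | Family | Similarity | Confidence |")
        lines.append("|---|---|---|---|")
        for c in controls:
            ctl = c["control"]
            lines.append(f"| {ctl['id']} | {ctl['family']} | {c['similarity']:.2f} | {c['confidence']} |")
        lines.append("")
    return "\n".join(lines).rstrip() + "\n"


# Constructed sample response in the shape of the Action 4 Parse JSON schema.
# Control IDs and family names are placeholders, not real framework controls.
SAMPLE_RESPONSE = {
    "frameworks": [
        {"framework_id": "pci_dss_v4", "controls": [
            {"document_id": "incident", "similarity": 0.41, "confidence": "Medium",
             "control": {"id": "EX-1", "family": "Example family A", "framework_id": "pci_dss_v4"}},
            {"document_id": "incident", "similarity": 0.62, "confidence": "High",
             "control": {"id": "EX-2", "family": "Example family B", "framework_id": "pci_dss_v4"}},
        ]},
        {"framework_id": "nist_800_53_r5", "controls": []},
    ]
}

if __name__ == "__main__":
    # Constructed incident description standing in for triggerBody()...['description'].
    request = build_map_request("Multiple failed sign-ins followed by success from a new location",
                                ["pci_dss_v4", "nist_800_53_r5"], min_similarity=0.3, topk=5)
    print(request)
    print(format_comment(SAMPLE_RESPONSE))
```

To exercise it against the live endpoint, POST the dictionary from build_map_request to https://compliance.secberus.ai/v1/map with the authorization header from the API Quick Reference and pass the decoded JSON to format_comment; the output is what the Add comment to incident action will show in the Comments tab.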

Fields in the API response

Field                                   Type    Description
frameworks[].framework_id               string  Framework identifier
frameworks[].controls[].control.id      string  Control identifier
frameworks[].controls[].control.family  string  Control family name
frameworks[].controls[].similarity      float   Similarity score (0.0–1.0)
frameworks[].controls[].confidence      string  High, Medium, Low, or Very Low

API Quick Reference

Detail             Value
Endpoint           POST https://compliance.secberus.ai/v1/map
Auth header        authorization: <api-key>
Content-Type       application/json
List frameworks    GET https://compliance.secberus.ai/v1/frameworks
Similarity range   0.01–1.0
Confidence levels  Very Low, Low, Medium, High
Default topk       1