SoCMate connects to SIEM providers to execute queries and sync incidents. Currently, Microsoft Sentinel is the supported provider. Administrators can configure multiple Sentinel workspaces and designate one as the default.
All SIEM provider management endpoints require the admin role. Provider credentials are encrypted at rest.

Adding a Sentinel Provider

From the UI

Navigate to Admin > SIEM Providers and click Add Provider. Fill in the connection details and test the connection before saving.

From the API

Step 1: Test the credentials first

Validate that the credentials can connect to Sentinel before saving. The client secret travels only in the request body, but an inline -d '...' literal also lands in your shell history; for a real secret prefer reading the body from a file (curl -d @payload.json) or from standard input (curl -d @-):
curl -X POST https://api.socmate.yourcompany.com/api/admin/siem-providers/test \
  -H "Authorization: Bearer <admin_token>" \
  -H "Content-Type: application/json" \
  -d '{
    "provider_type": "sentinel",
    "workspace_id": "your-log-analytics-workspace-id",
    "tenant_id": "your-azure-tenant-id",
    "client_id": "your-app-registration-client-id",
    "client_secret": "your-client-secret"
  }'
Response (success):
{
  "status": "healthy",
  "message": "Connected to Sentinel workspace successfully",
  "latency_ms": 245.3
}
Response (failure):
{
  "status": "error",
  "message": "Connection test failed. Check server logs for details.",
  "latency_ms": 5021.1
}
Step 2: Create the provider

curl -X POST https://api.socmate.yourcompany.com/api/admin/siem-providers \
  -H "Authorization: Bearer <admin_token>" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Production Sentinel",
    "provider_type": "sentinel",
    "workspace_id": "your-log-analytics-workspace-id",
    "tenant_id": "your-azure-tenant-id",
    "client_id": "your-app-registration-client-id",
    "client_secret": "your-client-secret"
  }'
Response:
{
  "id": "6507f1f77bcf86cd799439011",
  "name": "Production Sentinel",
  "provider_type": "sentinel",
  "status": "active",
  "workspace_id": "your-log-analytics-workspace-id",
  "tenant_id": "your-azure-tenant-id",
  "client_id": "your-app-registration-client-id",
  "client_secret_masked": "****cret",
  "is_default": true,
  "last_health_check": null,
  "last_health_status": null,
  "created_by": "admin@example.com",
  "created_at": "2026-03-27T00:00:00Z",
  "updated_at": "2026-03-27T00:00:00Z"
}
If this is the first provider, it is automatically set as the default.
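The two steps above, plus the follow-up calls documented further down (set as default, test the saved provider), as one script. This is an added example, not SoCMate's own tooling: it uses only the endpoints, request fields and response shapes shown on this page, and it assumes a base URL of https://api.socmate.yourcompany.com, the environment variable names SOCMATE_ADMIN_TOKEN and AZURE_CLIENT_SECRET, and a constructed FakeSentinelApi stand-in so that it runs offline. It refuses to create a provider whose credentials fail the test, sets the default explicitly only when the server did not already do so, and treats a create response that echoes the plaintext client_secret as a failure.

```python
# Added example (not SoCMate's own tooling). Endpoints, fields and responses
# follow this page; base URL, env var names and FakeSentinelApi are assumptions.
import json
import os
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# (method, url, JSON body or None) -> (HTTP status, decoded JSON body)
Transport = Callable[[str, str, Optional[dict]], Tuple[int, dict]]

def http_transport(admin_token: str) -> Transport:
    """Real transport: JSON over HTTPS carrying the admin bearer token."""
    def send(method: str, url: str, body: Optional[dict]) -> Tuple[int, dict]:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method)
        req.add_header("Authorization", f"Bearer {admin_token}")
        if data is not None:
            req.add_header("Content-Type", "application/json")
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                return resp.status, json.loads(resp.read() or b"{}")
        except urllib.error.HTTPError as err:
            return err.code, json.loads(err.read() or b"{}")
    return send

class SiemOnboarder:
    def __init__(self, base_url: str, transport: Transport) -> None:
        self.base = base_url.rstrip("/") + "/api/admin/siem-providers"
        self.send = transport

    def onboard(self, name: str, creds: dict, make_default: bool) -> dict:
        """Test -> create -> (set default) -> health check; abort on any failure."""
        payload = {"provider_type": "sentinel", **creds}
        # 1. Never persist credentials that cannot reach the workspace.
        status, body = self.send("POST", f"{self.base}/test", payload)
        if status != 200 or body.get("status") != "healthy":
            raise RuntimeError(f"credential test failed: {body.get('message')}")
        # 2. Create it. The API masks the secret; a plaintext echo is a defect.
        status, provider = self.send("POST", self.base, {"name": name, **payload})
        if status not in (200, 201) or "id" not in provider:
            raise RuntimeError(f"create failed ({status}): {provider}")
        if "client_secret" in provider:
            raise RuntimeError("API echoed the client secret in plaintext")
        pid = provider["id"]
        # 3. The first provider is default automatically; otherwise opt in.
        is_default = bool(provider.get("is_default"))
        if make_default and not is_default:
            status, _ = self.send("PUT", f"{self.base}/{pid}/default", None)
            if status != 200:
                raise RuntimeError(f"could not set default ({status})")
            is_default = True
        # 4. Test the saved provider so last_health_status gets populated.
        _, health = self.send("POST", f"{self.base}/{pid}/test", None)
        return {"id": pid, "is_default": is_default, "health": health.get("status")}

class FakeSentinelApi:
    """Constructed offline stand-in that mirrors the documented responses."""
    GOOD_SECRET = "correct-secret"  # constructed: the only secret the fake accepts

    def __init__(self) -> None:
        self.providers: Dict[str, dict] = {}

    def __call__(self, method: str, url: str, body: Optional[dict]) -> Tuple[int, dict]:
        path = url.split("/api/admin/siem-providers", 1)[1]
        if method == "POST" and path == "/test":
            ok = (body or {}).get("client_secret") == self.GOOD_SECRET
            return 200, {"status": "healthy" if ok else "error", "message":
                         "Connected to Sentinel workspace successfully" if ok
                         else "Connection test failed. Check server logs for details."}
        if method == "POST" and path == "":
            pid = f"{len(self.providers) + 1:024x}"  # fake 24-hex-digit id
            rec = {"id": pid, "name": body["name"], "provider_type": "sentinel",
                   "status": "active", "is_default": not self.providers,
                   "client_secret_masked": "****" + body["client_secret"][-4:]}
            self.providers[pid] = rec
            return 201, dict(rec)
        pid, _, action = path.lstrip("/").partition("/")
        rec = self.providers[pid]
        if method == "PUT" and action == "default":
            for other in self.providers.values():
                other["is_default"] = other is rec
            return 200, {"message": f"'{rec['name']}' set as default provider"}
        if method == "POST" and action == "test":
            rec["status"], rec["last_health_status"] = "active", "healthy"
            return 200, {"status": "healthy", "latency_ms": 210.0}
        return 404, {"message": f"unknown route {method} {path}"}

if __name__ == "__main__":
    # Real run: export SOCMATE_ADMIN_TOKEN and AZURE_CLIENT_SECRET; else use the fake.
    token = os.environ.get("SOCMATE_ADMIN_TOKEN")
    creds = {"workspace_id": "your-log-analytics-workspace-id", "tenant_id": "your-azure-tenant-id",
             "client_id": "your-app-registration-client-id",
             "client_secret": os.environ.get("AZURE_CLIENT_SECRET", FakeSentinelApi.GOOD_SECRET)}
    transport = http_transport(token) if token else FakeSentinelApi()
    print(SiemOnboarder("https://api.socmate.yourcompany.com", transport).onboard(
        "Production Sentinel", creds, make_default=True))
```

The secret and admin token are read from the environment rather than typed on the command line, so they stay out of shell history and process listings. Against the real API, swap FakeSentinelApi for http_transport(token) as the main block does.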

Azure App Registration Requirements

The Azure App Registration used for Sentinel connectivity needs the following permissions:
Permission                                    Type         Purpose
Log Analytics API > Data.Read                 Application  Execute queries against the workspace
Microsoft Graph > SecurityIncident.Read.All   Application  Read Sentinel incidents
Microsoft Graph > SecurityAlert.Read.All      Application  Read security alerts

Grant these as Application permissions (not Delegated) and make sure an admin has granted consent for the tenant. Without admin-consented Application permissions, Sentinel answers with 403 Forbidden and both queries and incident sync fail.
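A pre-flight check for the requirements above, as an added example (not SoCMate's or Microsoft's tooling). It takes two Microsoft Graph responses an admin can export with any Graph client, the client service principal's appRoleAssignments and the resource service principals' appRoles, and reports which required permissions are not yet granted. An appRoleAssignment is created only when admin consent is granted, so the check covers consent, not just what the registration requests; delegated grants (oauth2PermissionGrants) are deliberately ignored because they do not satisfy these requirements. The function names and all GUIDs in the sample data are constructed for this example.

```python
# Added example (not SoCMate's or Microsoft's tooling). Input is two Graph
# responses an admin can export:
#   GET /servicePrincipals/{client-sp-id}/appRoleAssignments
#   GET /servicePrincipals/{resource-sp-id}?$select=id,displayName,appRoles
# appRoleAssignments exist only after admin consent, so a gap means the
# permission was never requested or consent was never granted. Delegated
# grants are not consulted on purpose. All GUIDs below are constructed.
from typing import Dict, List, Set

REQUIRED: Dict[str, Set[str]] = {
    "Microsoft Graph": {"SecurityIncident.Read.All", "SecurityAlert.Read.All"},
    "Log Analytics API": {"Data.Read"},
}

def granted_app_permissions(assignments: List[dict], resources: List[dict]) -> Dict[str, Set[str]]:
    """Resolve each assignment's appRoleId to a permission name through the
    resource service principal's appRoles: {resource display name: {names}}."""
    by_id = {sp["id"]: sp for sp in resources}
    granted: Dict[str, Set[str]] = {}
    for a in assignments:
        sp = by_id.get(a["resourceId"])
        if sp is None:
            continue  # assignment on a resource we were not given; ignore
        names = {role["id"]: role["value"] for role in sp["appRoles"]}
        if a["appRoleId"] in names:
            granted.setdefault(sp["displayName"], set()).add(names[a["appRoleId"]])
    return granted

def missing_permissions(assignments: List[dict], resources: List[dict],
                        required: Dict[str, Set[str]] = REQUIRED) -> Dict[str, Set[str]]:
    """Required Application permissions not yet granted, per resource. {} means ready."""
    granted = granted_app_permissions(assignments, resources)
    gaps = {res: roles - granted.get(res, set()) for res, roles in required.items()}
    return {res: roles for res, roles in gaps.items() if roles}

# Constructed sample: consent exists for SecurityIncident.Read.All and Data.Read,
# but SecurityAlert.Read.All was never added to the registration.
GRAPH_SP = "11111111-1111-1111-1111-111111111111"
LAW_SP = "22222222-2222-2222-2222-222222222222"
SAMPLE_RESOURCES = [
    {"id": GRAPH_SP, "displayName": "Microsoft Graph", "appRoles": [
        {"id": "aaaaaaaa-0000-0000-0000-000000000001", "value": "SecurityIncident.Read.All"},
        {"id": "aaaaaaaa-0000-0000-0000-000000000002", "value": "SecurityAlert.Read.All"},
        {"id": "aaaaaaaa-0000-0000-0000-000000000003", "value": "User.Read.All"}]},
    {"id": LAW_SP, "displayName": "Log Analytics API", "appRoles": [
        {"id": "bbbbbbbb-0000-0000-0000-000000000001", "value": "Data.Read"}]},
]
SAMPLE_ASSIGNMENTS = [
    {"resourceId": GRAPH_SP, "appRoleId": "aaaaaaaa-0000-0000-0000-000000000001"},
    {"resourceId": GRAPH_SP, "appRoleId": "aaaaaaaa-0000-0000-0000-000000000003"},
    {"resourceId": LAW_SP, "appRoleId": "bbbbbbbb-0000-0000-0000-000000000001"},
]

if __name__ == "__main__":
    gaps = missing_permissions(SAMPLE_ASSIGNMENTS, SAMPLE_RESOURCES)
    print("ready" if not gaps else f"missing admin-consented permissions: {gaps}")
```

Run it with the real exports in place of the sample lists before creating the provider; an empty result means the registration is ready, and anything else names exactly which permission to add or consent to.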

Required Information

Field           Where to Find It
workspace_id    Azure Portal > Log Analytics workspace > Properties > Workspace ID
tenant_id       Azure Portal > Microsoft Entra ID (formerly Azure Active Directory) > Properties > Tenant ID
client_id       Azure Portal > App Registrations > Your app > Application (client) ID
client_secret   Azure Portal > App Registrations > Your app > Certificates & secrets. Copy the secret's Value when you create it; the portal shows it only once, and the Secret ID column is not the secret.

Testing a Saved Provider

Test connectivity for an existing provider. This also updates the provider’s health status:
curl -X POST https://api.socmate.yourcompany.com/api/admin/siem-providers/{provider_id}/test \
  -H "Authorization: Bearer <admin_token>"
If the test succeeds, the provider status is set to active. If it fails, the status is set to error.

Setting the Default Provider

When multiple providers are configured, set one as the default for all new investigations:
curl -X PUT https://api.socmate.yourcompany.com/api/admin/siem-providers/{provider_id}/default \
  -H "Authorization: Bearer <admin_token>"
Response:
{
  "message": "'Production Sentinel' set as default provider"
}
Only one provider can be the default at a time. Setting a new default automatically unsets the previous one.

Listing Providers

curl -X GET https://api.socmate.yourcompany.com/api/admin/siem-providers \
  -H "Authorization: Bearer <admin_token>"
Response:
{
  "providers": [
    {
      "id": "6507f1f77bcf86cd799439011",
      "name": "Production Sentinel",
      "provider_type": "sentinel",
      "status": "active",
      "workspace_id": "abc-123-def",
      "tenant_id": "76d6f49a-...",
      "client_id": "app-client-id",
      "client_secret_masked": "****cret",
      "is_default": true,
      "last_health_check": "2026-03-27T10:00:00Z",
      "last_health_status": "healthy",
      "created_by": "admin@example.com",
      "created_at": "2026-03-27T00:00:00Z",
      "updated_at": "2026-03-27T10:00:00Z"
    }
  ],
  "total": 1
}
Client secrets are always masked in list and detail responses. Only the last 4 characters are shown (e.g., ****cret).

Deleting a Provider

Soft-delete a provider. It will no longer be available for queries or incident sync:
curl -X DELETE https://api.socmate.yourcompany.com/api/admin/siem-providers/{provider_id} \
  -H "Authorization: Bearer <admin_token>"
Deleted providers are marked as inactive and excluded from the provider list. If the deleted provider was the default, you must manually set a new default.

Provider Status

Status     Description
active     Provider is connected and healthy (last health check succeeded)
error      Last health check failed
inactive   Provider has been deleted (soft delete)

Troubleshooting

Issue                            Resolution
Connection test returns error    Verify the workspace ID, tenant ID, client ID, and client secret. The API's error message is deliberately generic; the underlying Azure error is in the SoCMate server logs. Check that the App Registration's permissions have admin consent.
403 Forbidden from Sentinel      The App Registration lacks the required Application permissions, or admin consent has not been granted for the tenant.
Slow query execution             Check the Log Analytics workspace retention and the query's complexity. Long time ranges on large tables may require optimization.
Incident sync not working        Verify the provider has the admin-consented SecurityIncident.Read.All permission and is set as the default.