SoCMate automatically syncs incidents from Microsoft Sentinel, enriches them with local metadata, and lets you launch AI-powered investigations directly from any incident.

Incident Sync

SoCMate syncs incidents from Sentinel every 5 minutes (configurable). The sync process:
  1. Queries Sentinel for incidents within a configurable time window (default: last 24 hours)
  2. Compares incoming incidents against existing records
  3. Upserts incidents, preserving any local enrichment fields (notes, tags, assignments)
  4. Sends notifications for new Medium, High, and Critical severity incidents

The sync is incremental. SoCMate tracks which incidents it has already seen and only processes new or updated ones. Local enrichment fields like notes, tags, and assignments are never overwritten by the sync.
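As an added illustration of the sync rules above (not SoCMate's own code), the following Python models one incremental sync pass: an incident already stored at the same lastModifiedTimeUtc is skipped, an updated incident is upserted with its local enrichment fields carried forward, and only a new Medium, High or Critical incident raises a notification. The incident field names, the revision check on lastModifiedTimeUtc, the sample records and the link format are all assumptions made for the example.

```python
import copy
from dataclasses import dataclass

# Local enrichment fields owned by SoCMate; a sync must never overwrite them
LOCAL_FIELDS = ("notes", "tags", "assigned_to", "local_status")

# New incidents at these severities raise a notification (as documented above)
NOTIFY_SEVERITIES = {"medium", "high", "critical"}


@dataclass
class Notification:
    incident_number: int
    title: str
    severity: str
    status: str
    link: str


def sync_incidents(store, incoming, base_url="https://socmate.example.invalid"):
    """Upsert Sentinel incidents into `store` (dict keyed by incidentNumber).

    Returns the notifications raised. Only new or modified incidents are
    processed; local enrichment survives updates. base_url is a placeholder."""
    notifications = []
    for inc in incoming:
        number = inc["incidentNumber"]
        existing = store.get(number)
        # Incremental: an incident already stored at this revision is skipped
        if existing is not None and existing["lastModifiedTimeUtc"] == inc["lastModifiedTimeUtc"]:
            continue
        record = dict(inc)  # copy so the caller's payload is not mutated
        if existing is not None:
            # Update: carry every local enrichment field forward untouched
            for name in LOCAL_FIELDS:
                if name in existing:
                    record[name] = existing[name]
        elif inc["severity"].lower() in NOTIFY_SEVERITIES:
            # Brand-new incident at a notifying severity
            notifications.append(Notification(
                incident_number=number, title=inc["title"], severity=inc["severity"],
                status=inc["status"], link=f"{base_url}/incidents/{number}"))
        store[number] = record
    return notifications


# Constructed sample data: what the local store held before this sync pass
EXISTING_STORE = {
    12340: {"incidentNumber": 12340, "title": "Suspicious sign-in", "severity": "High",
            "status": "Active", "lastModifiedTimeUtc": "2024-01-01T10:00:00Z",
            "notes": "Same source IP as #12338", "tags": ["phishing"],
            "assigned_to": "analyst@example.com"},
    12341: {"incidentNumber": 12341, "title": "Benign scanner", "severity": "Low",
            "status": "New", "lastModifiedTimeUtc": "2024-01-01T09:00:00Z"},
}

# Constructed sample data: what the Sentinel query returned this pass
INCOMING = [
    {"incidentNumber": 12340, "title": "Suspicious sign-in", "severity": "High",
     "status": "Closed", "lastModifiedTimeUtc": "2024-01-01T11:00:00Z"},  # updated in Sentinel
    {"incidentNumber": 12341, "title": "Benign scanner", "severity": "Low",
     "status": "New", "lastModifiedTimeUtc": "2024-01-01T09:00:00Z"},     # unchanged
    {"incidentNumber": 12345, "title": "Multiple failed sign-ins", "severity": "Critical",
     "status": "New", "lastModifiedTimeUtc": "2024-01-01T11:05:00Z"},     # new: notifies
    {"incidentNumber": 12346, "title": "Audit log heartbeat", "severity": "Informational",
     "status": "New", "lastModifiedTimeUtc": "2024-01-01T11:06:00Z"},     # new: silent
]


def run_sample():
    """Run one sync pass over the constructed data and return (store, notifications)."""
    store = copy.deepcopy(EXISTING_STORE)
    notes = sync_incidents(store, INCOMING)
    return store, notes


if __name__ == "__main__":
    store, notes = run_sample()
    for n in notes:
        print(f"notify: #{n.incident_number} [{n.severity}] {n.title} ({n.status}) {n.link}")
    print(store[12340]["status"], "|", store[12340]["notes"])
```

The point worth checking in any sync like this is the update branch: the Sentinel payload replaces the record wholesale, so analyst notes, tags and assignments must be copied back explicitly or a routine status change from Sentinel would silently erase them.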

Listing Incidents

From the UI

Navigate to Incidents in the sidebar. The incident list shows severity, status, title, and timestamps. Use the filters to narrow by severity or status.

From the API

curl -X GET "https://api.socmate.yourcompany.com/api/v1/incidents?severity=high&status=new&limit=20" \
  -H "Authorization: Bearer <token>"
Query parameters:

  Parameter   Type      Default   Description
  severity    string    -         Filter: informational, low, medium, high, critical
  status      string    -         Filter: new, active, closed
  timespan    string    P7D       ISO 8601 duration for time range
  limit       integer   20        Maximum results
  offset      integer   0         Pagination offset

Incident data is cached with a 5-minute TTL. The first request after cache expiration may be slightly slower as it refreshes from Sentinel.
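The following Python is an added example of a small client for the list endpoint above; it is not a SoCMate SDK. It validates the documented parameters before building the URL (the allowed severity and status values and the ISO 8601 duration form come from the table) and pages through results with limit and offset until a short page is returned. The HTTP layer is injected as a callable so the paging logic runs offline; the response key "incidents", the sample records and the stand-in fetch function are assumptions.

```python
import re
from urllib.parse import parse_qs, urlencode, urlsplit

SEVERITIES = ("informational", "low", "medium", "high", "critical")
STATUSES = ("new", "active", "closed")
# ISO 8601 duration such as P7D, PT12H or P1DT6H30M; a bare "P" or "PT" is rejected
ISO8601_DURATION = re.compile(
    r"^P(?!$)(?:\d+Y)?(?:\d+M)?(?:\d+W)?(?:\d+D)?(?:T(?=\d)(?:\d+H)?(?:\d+M)?(?:\d+S)?)?$"
)


def build_incident_list_url(base_url, severity=None, status=None,
                            timespan="P7D", limit=20, offset=0):
    """Validate the documented query parameters and build the request URL.

    Rejecting bad input client-side gives a clear error before a round trip
    and keeps arbitrary strings out of the filter values."""
    if severity is not None and severity not in SEVERITIES:
        raise ValueError(f"severity must be one of {SEVERITIES}")
    if status is not None and status not in STATUSES:
        raise ValueError(f"status must be one of {STATUSES}")
    if not ISO8601_DURATION.match(timespan):
        raise ValueError("timespan must be an ISO 8601 duration, e.g. P7D")
    if limit < 1 or offset < 0:
        raise ValueError("limit must be >= 1 and offset >= 0")
    params = {}
    if severity is not None:
        params["severity"] = severity
    if status is not None:
        params["status"] = status
    params.update(timespan=timespan, limit=limit, offset=offset)
    return f"{base_url.rstrip('/')}/api/v1/incidents?{urlencode(params)}"


def list_all_incidents(fetch_json, base_url, token, page_size=20, **filters):
    """Walk limit/offset pages until a page shorter than page_size ends the loop.

    fetch_json(url, headers) -> dict is injected so the paging logic can run
    without network access; in production it would wrap an HTTP GET."""
    headers = {"Authorization": f"Bearer {token}"}
    offset, results = 0, []
    while True:
        url = build_incident_list_url(base_url, limit=page_size, offset=offset, **filters)
        page = fetch_json(url, headers)["incidents"]  # response key is an assumption
        results.extend(page)
        if len(page) < page_size:
            return results
        offset += page_size


# Constructed sample data: seven high-severity incidents served by a fake endpoint
SAMPLE_INCIDENTS = [
    {"incidentNumber": 12340 + i, "severity": "high", "status": "new", "title": f"Sample {i}"}
    for i in range(7)
]


def fake_fetch_json(url, headers):
    """Stand-in for the HTTP layer: slices SAMPLE_INCIDENTS by the limit/offset in the URL."""
    if not headers.get("Authorization", "").startswith("Bearer "):
        raise PermissionError("missing bearer token")
    qs = parse_qs(urlsplit(url).query)
    limit, offset = int(qs["limit"][0]), int(qs["offset"][0])
    return {"incidents": SAMPLE_INCIDENTS[offset:offset + limit]}


if __name__ == "__main__":
    base = "https://api.socmate.yourcompany.com"
    print(build_incident_list_url(base, severity="high", status="new"))
    found = list_all_incidents(fake_fetch_json, base, "<token>", page_size=3, severity="high")
    print(len(found), "incidents fetched across pages")
```

With a page size of 3 the fake endpoint is called three times (3, 3, then 1 result); when the total is an exact multiple of the page size one extra empty request is made, which is the usual cost of offset paging without a total count in the response.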

Incident Details

Get a single incident by its Sentinel incident number:
curl -X GET https://api.socmate.yourcompany.com/api/v1/incidents/12345 \
  -H "Authorization: Bearer <token>"
The response includes the full incident payload from Sentinel plus any local enrichment fields.

Severity Levels

SoCMate maps Sentinel severity levels directly:

  Severity        Description                                   Notification
  Informational   Low-impact events for awareness               No automatic notification
  Low             Minor events unlikely to affect operations    No automatic notification
  Medium          Events that may require investigation         Notification sent
  High            Events likely impacting security posture      Notification sent
  Critical        Events requiring immediate attention          Notification sent

Local Enrichment

Enrich incidents with local metadata that is preserved across syncs:
curl -X PATCH https://api.socmate.yourcompany.com/api/v1/incidents/12345 \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{
    "notes": "Appears related to incident #12340 — same source IP",
    "local_status": "in_progress",
    "assigned_to": "analyst@example.com",
    "tags": ["phishing", "priority", "escalated"]
  }'
Enrichment fields:

  Field          Type           Description
  notes          string         Free-text notes about the incident
  local_status   string         Local tracking status (independent of Sentinel status)
  assigned_to    string         Email of the assigned analyst
  tags           list[string]   Custom tags for categorization

Deterministic Enrichment

Trigger an automated enrichment that resolves the full incident chain:
curl -X POST https://api.socmate.yourcompany.com/api/v1/incidents/12345/enrich \
  -H "Authorization: Bearer <token>"
This runs queries to resolve:
  • Incident details from Sentinel
  • Alerts associated with the incident
  • Entities extracted from the alerts (IPs, users, hosts, file hashes)
The enrichment results are stored with the incident and available for subsequent investigation.

Investigating an Incident

Launch an AI-powered investigation directly from an incident. From the UI, click the Investigate button on any incident. From the API, start an investigation referencing the incident context:
curl -X POST https://api.socmate.yourcompany.com/api/v1/investigations/start \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{
    "query": "Investigate Sentinel incident #12345 — multiple failed sign-in attempts from unusual locations",
    "persona": "soc_analyst",
    "provider": "sentinel"
  }'
The investigation uses the incident title, description, severity, and any enrichment data as context.
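As an added example covering both the deterministic enrichment chain (incident, then its alerts, then the entities on those alerts) and the investigation request above, the Python below resolves the chain from constructed in-memory tables that stand in for the Sentinel queries the enrich endpoint runs, de-duplicates entities shared between alerts, and folds the incident title, description, severity and resolved entities into the body of the investigations/start call. This is not SoCMate's code; the table layouts, field names, entity kinds and sample values (a TEST-NET address and example.com accounts) are all constructed for the example.

```python
import json

# Constructed sample data standing in for the three query results the enrich
# endpoint resolves: incident details, its alerts, and the entities on those alerts
INCIDENTS = {
    12345: {"incidentNumber": 12345, "severity": "High",
            "title": "Multiple failed sign-in attempts from unusual locations",
            "description": "Password spray pattern against two accounts over 20 minutes.",
            "alertIds": ["alert-1", "alert-2"]},
}
ALERTS = {
    "alert-1": {"alertId": "alert-1", "name": "Failed sign-ins from rare geolocation",
                "entityIds": ["ent-ip", "ent-user-a"]},
    "alert-2": {"alertId": "alert-2", "name": "Sign-in burst from same source",
                "entityIds": ["ent-ip", "ent-user-b", "ent-host", "ent-missing"]},
}
ENTITIES = {  # constructed values: TEST-NET address, example.com accounts
    "ent-ip": {"kind": "ip", "value": "203.0.113.7"},
    "ent-user-a": {"kind": "account", "value": "alice@example.com"},
    "ent-user-b": {"kind": "account", "value": "bob@example.com"},
    "ent-host": {"kind": "host", "value": "WS-0412"},
}


def resolve_incident_chain(incident_number, incidents=INCIDENTS, alerts=ALERTS, entities=ENTITIES):
    """Incident -> alerts -> entities, de-duplicated and grouped by entity kind.

    A dangling alert or entity reference is skipped rather than failing the
    whole enrichment, so partial data from Sentinel still produces a result."""
    incident = incidents[incident_number]
    resolved_alerts = [alerts[a] for a in incident["alertIds"] if a in alerts]
    grouped, seen = {}, set()
    for alert in resolved_alerts:
        for eid in alert["entityIds"]:
            if eid in seen or eid not in entities:
                continue  # shared entity already recorded, or dangling reference
            seen.add(eid)
            ent = entities[eid]
            grouped.setdefault(ent["kind"], []).append(ent["value"])
    return {"incident": incident, "alerts": resolved_alerts, "entities": grouped}


def build_investigation_request(enrichment, persona="soc_analyst", provider="sentinel"):
    """Body for POST /api/v1/investigations/start, with the incident title,
    description, severity, alert names and resolved entities in the query text."""
    inc = enrichment["incident"]
    lines = [f"Investigate Sentinel incident #{inc['incidentNumber']} "
             f"(severity {inc['severity']}): {inc['title']}",
             inc["description"]]
    for alert in enrichment["alerts"]:
        lines.append(f"alert: {alert['name']}")
    for kind, values in sorted(enrichment["entities"].items()):
        lines.append(f"{kind}: {', '.join(values)}")
    return {"query": "\n".join(lines), "persona": persona, "provider": provider}


if __name__ == "__main__":
    chain = resolve_incident_chain(12345)
    print(json.dumps(build_investigation_request(chain), indent=2))
```

The shared IP appears once in the resolved entities even though both alerts reference it, and the unknown entity id on the second alert is dropped silently; both behaviours matter when the resolved chain is what the investigation is seeded with.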

Notifications

SoCMate sends notifications when new Medium, High, or Critical incidents are synced from Sentinel. Notifications include:
  • Incident title and number
  • Severity level
  • Current Sentinel status
  • Direct link to the incident in SoCMate
Configure notification preferences in your user settings under Settings > Notifications.