Azure Sentinel Alerts forward into Event HUB for 3rd Party SIEM

Question

Hi,We are trying to get azure sentinel logs into our on prem QRadar SIEM.we follow to achieve it through Event Hub. but we have facing issue in how to forward Azure Sentinel Alert into Event Hub. For this we follow App logic and github code for this but the code is showing errors.https://techcommunity.microsoft.com/t5/azure-sentinel/sending-enriched-azure-sentinel-alerts-to-3rd-party-siem-and/ba-p/1456976https://github.com/Azure/Azure-Sentinel/blob/master/Playbooks/Get-SentinelAlertsEvidence/azuredeploy.json&nbsp;&nbsp;

garybushey · Answer

daniyal2021&nbsp;If I understand what is happening correctly, you either deployed the code to your environment using the "Deploy to Azure" button (which I just tested and worked fine)&nbsp; or you copied and pasted the code into a new playbook (in which case there are probably changes that need to be made in the code).&nbsp; Is that correct?

daniyal2021 · Answer

GaryBushey&nbsp;Yes you right, basically i don't know how to utilize '' deploy to azure" option. that why i go with copy paste option.&nbsp;&nbsp;

rod_trent · Answer

daniyal2021&nbsp;Clicking the "Deploy to Azure" button takes you to the Azure console deployment screen. It's a better method to ensure there's no missing characters or formatting errors in the code (which sounds like might be your issue).
&nbsp;

daniyal2021 · Answer

daniyal2021&nbsp;Now stack in this can you please suggest something.&nbsp;

garybushey · Answer

daniyal2021&nbsp;It looks like the content field wants to use the "ExtendedProperties" property that comes from the "When a response to an Azure Sentinel alert is triggered" trigger but it didn't come through correct.&nbsp; &nbsp; Clear that field and then you can select the correct value in the Dynamic content listing.&nbsp;

Forum Discussion

Azure Sentinel Alerts forward into Event HUB for 3rd Party SIEM

7 Replies

Resources