Forum Discussion
SonkuB
Mar 06, 2022Copper Contributor
How to send incident log data to another SIEM?
I need to ingest logs from a Microsoft product into Microsoft Sentinel, then forward only incident log data to a 3rd-party SIEM. How can I create an automation to export only incident log data and send that ...
SonkuB
Mar 07, 2022Copper Contributor
Dear Clive_Watson
Sorry, I'm a newbie. Sentinel can export only incident data, right? How?
Thank you
Clive_Watson
Mar 07, 2022Bronze Contributor
Sorry, but you will have to do some extra reading. Start with this article, which shows an Automation example which you may be able to use or adapt. https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/sending-enriched-microsoft-sentinel-alerts-to-3rd-party-siem-and/ba-p/1456976
An Incident / Alert contains just the data needed; that doesn't mean you can't gather and export more or enriched data. The original Query is contained in the SecurityAlert (and it's that data that is normally used); however, you can run any query you like in the Automation and export that - see https://docs.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook
Example of the original Query that was used for each Alert to trigger:
SecurityAlert
// ExtendedProperties is a JSON string; pull the analytics rule's query out of it
| extend Query_ = tostring(parse_json(ExtendedProperties).Query)
| project Query_
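The reply above says the playbook can take the incident, pull whatever extra data it wants (the originating query lives in SecurityAlert.ExtendedProperties) and push the result to the other SIEM. The script below is an added example to show that end to end; it is not code from this thread, from the linked blog post, or from Microsoft. It assumes a simplified incident payload of the kind the Sentinel incident trigger hands a playbook (the field names and the incident URL are constructed for illustration and should be checked against the trigger's dynamic content in your tenant), and it uses a placeholder collector URL and bearer token for the receiving SIEM. It mirrors the KQL in the reply in Python, reduces the incident to incident-level fields plus each alert's query, and renders that either as JSON for an HTTP collector or as a CEF line for a syslog-based SIEM.

```python
from __future__ import annotations

import json
import urllib.request
from typing import Any

# Constructed sample input (not a real incident): a trimmed version of what the
# Sentinel incident trigger hands a playbook, plus its related SecurityAlert
# rows. Field names are assumptions; confirm them against the trigger's
# dynamic content in your own tenant.
SAMPLE_INCIDENT: dict[str, Any] = {
    "incidentNumber": 1042,
    "title": "Suspicious sign-in from unfamiliar location",
    "severity": "Medium",
    "status": "New",
    "createdTimeUtc": "2022-03-07T08:15:00Z",
    "incidentUrl": "https://portal.azure.com/#example/incident/1042",  # placeholder
}
SAMPLE_ALERTS: list[dict[str, Any]] = [
    {   # scheduled analytics rule: ExtendedProperties (a JSON string) holds the query
        "AlertName": "Risky sign-in",
        "ProviderName": "ASI Scheduled Alerts",
        "ExtendedProperties": json.dumps(
            {"Query": 'SigninLogs | where RiskLevelDuringSignIn == "high"', "Query Period": "PT1H"}),
    },
    {   # alert from another provider: no Query at all
        "AlertName": "Impossible travel activity",
        "ProviderName": "MCAS",
        "ExtendedProperties": json.dumps({"Alert Type": "ImpossibleTravel"}),
    },
]

# Sentinel severity -> CEF 0-10 severity; this mapping is the example's own choice.
CEF_SEVERITY = {"Informational": 1, "Low": 3, "Medium": 6, "High": 9}


def alert_query(alert: dict[str, Any]) -> str | None:
    """Python equivalent of the thread's KQL tostring(parse_json(ExtendedProperties).Query)."""
    try:
        props = json.loads(alert.get("ExtendedProperties") or "{}")
    except json.JSONDecodeError:
        return None
    query = props.get("Query") if isinstance(props, dict) else None
    return str(query) if query else None


def build_siem_event(incident: dict[str, Any], alerts: list[dict[str, Any]]) -> dict[str, Any]:
    """Keep only incident-level fields plus each alert's name, provider and query."""
    return {
        "source": "MicrosoftSentinel",
        "incidentNumber": incident["incidentNumber"],
        "title": incident["title"],
        "severity": incident["severity"],
        "status": incident["status"],
        "createdTimeUtc": incident["createdTimeUtc"],
        "incidentUrl": incident["incidentUrl"],
        "alerts": [
            {"alertName": a.get("AlertName"), "provider": a.get("ProviderName"), "query": alert_query(a)}
            for a in alerts
        ],
    }


def _cef_header(value: str) -> str:
    # CEF header fields: escape backslash and the pipe delimiter
    return value.replace("\\", "\\\\").replace("|", "\\|")


def _cef_ext(value: str) -> str:
    # CEF extension values: escape backslash and '=', fold newlines
    return value.replace("\\", "\\\\").replace("=", "\\=").replace("\r", "").replace("\n", "\\n")


def to_cef(event: dict[str, Any]) -> str:
    """Render the event as one CEF line for a SIEM that ingests syslog/CEF rather than JSON."""
    header = "|".join(["CEF:0", "Microsoft", "Sentinel", "1.0",
                       _cef_header(str(event["incidentNumber"])),
                       _cef_header(event["title"]),
                       str(CEF_SEVERITY.get(event["severity"], 5))])
    queries = " ; ".join(a["query"] for a in event["alerts"] if a["query"])
    ext = {"rt": event["createdTimeUtc"], "cs1Label": "Status", "cs1": event["status"],
           "cs2Label": "IncidentUrl", "cs2": event["incidentUrl"],
           "cs3Label": "AlertQueries", "cs3": queries}
    return header + "|" + " ".join(f"{k}={_cef_ext(v)}" for k, v in ext.items())


def prepare_request(url: str, event: dict[str, Any], token: str) -> urllib.request.Request:
    """HTTP POST the playbook (or an Azure Function it calls) would send to the SIEM's collector.
    URL and bearer token are placeholders for whatever the receiving SIEM expects."""
    req = urllib.request.Request(url, data=json.dumps(event, separators=(",", ":")).encode(), method="POST")
    req.add_header("Content-Type", "application/json")
    req.add_header("Authorization", f"Bearer {token}")
    return req


if __name__ == "__main__":
    event = build_siem_event(SAMPLE_INCIDENT, SAMPLE_ALERTS)
    print(json.dumps(event, indent=2))
    print(to_cef(event))
    # urllib.request.urlopen(prepare_request("https://siem.example.invalid/collector", event, "token"))
```

Two points worth keeping when adapting this: ExtendedProperties is a string, so it has to be parsed before the Query key is readable, and alerts from providers other than scheduled analytics rules (the second sample alert) carry no query, so the code treats a missing query as normal rather than failing the whole forward. In a Logic App the same shaping can be done with Parse JSON and Compose actions, but putting it in a small function keeps the escaping rules (CEF header vs. extension) testable.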
SonkuB
Mar 07, 2022Copper Contributor
Thank you
I will read and test it. If I have some question I will ask more.