Forum Discussion
Integration of Sentinel with other 3rd party on-prem SIEM solutions (stream alerts to eventhub)
- Apr 07, 2019
Hi Manuel_DEste, great meeting you again!
Yes and no.
Forwarding alerts to an event hub is supported. You can use one of several ways:
- Run a Logic App scheduled playbook to read alerts using the Log Analytics connector and then write them to an event hub using the Event Hub connector.
- Soon you will be able to do it by running a playbook automatically when an alert triggers.
- Lastly, you can use the Security Graph API. Note that this will send all Azure alerts to your SIEM, not just Sentinel's.
Why no? Because what you really want to send are cases and not alerts, which are automatically aggregated and reduced alerts. We are working to make sure those can be sent to a SIEM as well.
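The first option above (a scheduled playbook that reads alerts from Log Analytics and writes them to an event hub) has two practical concerns that the reply does not spell out: a polling forwarder must remember where it left off so it does not re-send alerts on the next run, and event hub messages have a size cap, so alerts have to be batched. The following is an added example, not Microsoft's code or part of the original thread. It assumes the rows came from a KQL query against the `SecurityAlert` table (the sample rows are constructed), that `SystemAlertId` is unique per alert, and that the per-message size cap (`MAX_EVENT_BYTES`) is set to whatever your event hub tier allows; the actual query and the Event Hub send call are left out so it runs offline.

```python
"""Forwarder logic for a scheduled Sentinel -> Event Hub playbook (added example)."""
import json
from datetime import datetime, timezone

# Assumed size cap for a single event hub message; set it for your tier.
MAX_EVENT_BYTES = 256 * 1024

# Constructed sample of rows a KQL query on SecurityAlert might return.
# It deliberately contains a duplicate (overlapping query windows) and an
# alert older than the last run's watermark.
SAMPLE_ALERTS = [
    {"SystemAlertId": "a1", "TimeGenerated": "2019-04-07T10:00:00Z",
     "AlertName": "Suspicious login", "Severity": "Medium"},
    {"SystemAlertId": "a2", "TimeGenerated": "2019-04-07T10:05:00Z",
     "AlertName": "Malware detected", "Severity": "High"},
    {"SystemAlertId": "a1", "TimeGenerated": "2019-04-07T10:00:00Z",
     "AlertName": "Suspicious login", "Severity": "Medium"},   # duplicate row
    {"SystemAlertId": "a3", "TimeGenerated": "2019-04-07T09:55:00Z",
     "AlertName": "Port scan", "Severity": "Low"},             # before watermark
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp Log Analytics returns."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def select_new_alerts(rows, watermark, seen_ids):
    """Keep alerts at or after the watermark that have not been sent before.

    `watermark` is the newest TimeGenerated forwarded so far; `seen_ids` is the
    set of SystemAlertIds already sent (it catches alerts that share the
    watermark timestamp and rows repeated across overlapping windows).
    Returns the selected rows in time order and the advanced watermark.
    """
    selected = []
    for row in sorted(rows, key=lambda r: r["TimeGenerated"]):
        ts = parse_ts(row["TimeGenerated"])
        if ts < watermark or row["SystemAlertId"] in seen_ids:
            continue
        seen_ids.add(row["SystemAlertId"])
        selected.append(row)
    new_watermark = max([watermark] + [parse_ts(r["TimeGenerated"]) for r in selected])
    return selected, new_watermark


def batch_events(alerts, max_bytes=MAX_EVENT_BYTES):
    """Serialize alerts to compact JSON and group them under max_bytes per batch.

    An alert that alone exceeds the cap is rejected rather than silently dropped,
    so the playbook run fails loudly and the gap is visible.
    """
    batches, current, size = [], [], 0
    for alert in alerts:
        body = json.dumps(alert, separators=(",", ":")).encode("utf-8")
        if len(body) > max_bytes:
            raise ValueError(f"alert {alert['SystemAlertId']} exceeds {max_bytes} bytes")
        if current and size + len(body) > max_bytes:
            batches.append(current)
            current, size = [], 0
        current.append(body)
        size += len(body)
    if current:
        batches.append(current)
    return batches


def run_once(rows, watermark, seen_ids, max_bytes=MAX_EVENT_BYTES):
    """One scheduled run: pick unsent alerts, batch them, return batches and new watermark.

    A real playbook would send each batch to the event hub here and persist
    the returned watermark and seen_ids for the next run.
    """
    new_alerts, new_watermark = select_new_alerts(rows, watermark, seen_ids)
    return batch_events(new_alerts, max_bytes), new_watermark


if __name__ == "__main__":
    state_watermark = parse_ts("2019-04-07T09:58:00Z")   # from the previous run
    state_seen = set()
    batches, state_watermark = run_once(SAMPLE_ALERTS, state_watermark, state_seen)
    for i, batch in enumerate(batches):
        print(f"batch {i}: {len(batch)} event(s), {sum(len(b) for b in batch)} bytes")
    print("next watermark:", state_watermark.isoformat())
```

Persist both the watermark and the set of sent ids between runs (for example in a storage account the Logic App can reach); a watermark alone cannot distinguish two alerts that share the same `TimeGenerated`.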
- Manuel_DEsteApr 08, 2019Copper Contributor
Hi Ofer_Shezaf, great meeting you again too!
Thank you for your reply, I'll try the Security Graph API for now, I didn't know about this feature!
- isflemingFeb 11, 2020Copper Contributor
Manuel_DEste / Ofer_Shezaf , is there any update on the ability to integrate outputs from Sentinel with other SIEMs?
Thanks.
- Ofer_ShezafFeb 12, 2020Microsoft
isfleming: no update here, apart from the fact that automated triggering of playbooks was released, of course. What do you find lacking in the solutions above?
~ Ofer
- BMaroMay 07, 2020Copper Contributor
Ofer_Shezaf hey, I have one question: I am new to Azure Sentinel, and I want to know what the difference is between using the MMA agent and using syslog when adding a 3rd party resource.
Thank you.
- Ofer_ShezafMay 10, 2020Microsoft
BMaro Syslog is used for remote collection for systems that support it (which is most networking and security systems). The MMA (or Log Analytics Agent), is our software for collecting both Syslog as well as local telemetry on the system the MMA is installed on.