Forum Discussion
Manuel_DEste
Apr 05, 2019
Copper Contributor
Integration of Sentinel with other 3rd party on-prem SIEM solutions (stream alerts to eventhub)
Dear Sentinel community, I'm wondering if anyone has already explored the possibilities of integrating Sentinel alerts with other SIEM solutions. An example could be for customers which want to ...
Ofer_Shezaf
Microsoft
Apr 07, 2019
Hi Manuel_DEste, great meeting you again!
Yes and no.
Forwarding alerts to an event hub is supported. You can use one of several ways:
- Run a Logic App scheduled playbook to read alerts using the Log Analytics connector and then write them to an event hub using the Event Hub connector.
- Soon you will be able to do it by running a playbook automatically when an alert triggers.
- Lastly, you can use the Security Graph API. Note that this will send all Azure alerts to your SIEM, not just Sentinel's.
Why no? Because what you really want to send are cases and not alerts, which are automatically aggregated and reduced alerts. We are working to make sure those can be sent to a SIEM as well.
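The scheduled-playbook path described above (query Log Analytics, forward to an event hub) needs a small transformation step in the middle. The code below is an added example, not from the thread or from Microsoft: it reshapes a Log Analytics query result into one JSON document per alert, drops alerts already forwarded by an earlier run (scheduled windows overlap), and groups the rest into size-bounded batches for Event Hub. The KQL string, the 1 MB batch limit and the sample rows are assumptions; the Azure SDK calls that run the query and send the batches are not shown.

```python
import json
from typing import Dict, List, Set

# Illustrative query for the scheduled run (assumed 15-minute window);
# SecurityAlert and these columns are the standard Sentinel table/fields.
ALERT_QUERY = (
    "SecurityAlert | where TimeGenerated > ago(15m) "
    "| project TimeGenerated, SystemAlertId, AlertName, AlertSeverity, ProviderName"
)

# Constructed sample in the tables/columns/rows shape the Log Analytics
# query API returns. Not real alert data; the third row simulates a
# window overlap with the previous run.
SAMPLE_RESULT = {"tables": [{
    "name": "PrimaryResult",
    "columns": [{"name": "TimeGenerated", "type": "datetime"},
                {"name": "SystemAlertId", "type": "string"},
                {"name": "AlertName", "type": "string"},
                {"name": "AlertSeverity", "type": "string"},
                {"name": "ProviderName", "type": "string"}],
    "rows": [
        ["2019-04-05T10:00:00Z", "a1", "Suspicious sign-in", "High", "Azure Sentinel"],
        ["2019-04-05T10:05:00Z", "a2", "Malware detected", "Medium", "Azure Security Center"],
        ["2019-04-05T10:00:00Z", "a1", "Suspicious sign-in", "High", "Azure Sentinel"],
    ]}]}

def rows_to_events(result: Dict) -> List[Dict]:
    """Turn the column/row layout into one dict per alert keyed by column name."""
    events = []
    for table in result.get("tables", []):
        names = [c["name"] for c in table["columns"]]
        events.extend(dict(zip(names, row)) for row in table["rows"])
    return events

def dedupe_alerts(events: List[Dict], seen: Set[str]) -> List[Dict]:
    """Skip alerts whose SystemAlertId was forwarded in a previous run."""
    fresh = []
    for e in events:
        alert_id = e.get("SystemAlertId")
        if alert_id in seen:
            continue
        seen.add(alert_id)
        fresh.append(e)
    return fresh

def batch_for_event_hub(events: List[Dict], max_bytes: int = 1_000_000) -> List[List[bytes]]:
    """Serialize alerts to compact JSON and group them so no batch exceeds
    max_bytes (assumed 1 MB Event Hubs batch limit; adjust for your namespace)."""
    batches, current, size = [], [], 0
    for e in events:
        payload = json.dumps(e, separators=(",", ":")).encode("utf-8")
        if len(payload) > max_bytes:
            raise ValueError(f"alert {e.get('SystemAlertId')} exceeds one batch")
        if current and size + len(payload) > max_bytes:
            batches.append(current)
            current, size = [], 0
        current.append(payload)
        size += len(payload)
    if current:
        batches.append(current)
    return batches
```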
Manuel_DEste
Apr 08, 2019
Copper Contributor
Hi Ofer_Shezaf, great meeting you again too!
Thank you for your reply, I'll try the Security Graph API for now, I didn't know about this feature!
- isfleming, Feb 11, 2020, Copper Contributor
Manuel_DEste / Ofer_Shezaf , is there any update on the ability to integrate outputs from Sentinel with other SIEMs?
Thanks.
- Manuel_DEste, Feb 12, 2020, Copper Contributor
isfleming: Streaming Security Graph events (including Sentinel incidents) to Event Hub works. I believe that pulling events from Event Hub into your SIEM is supported by most SIEM vendors.
I hope anyway that something like "continuous export" for Azure Security Center will be an option for Sentinel as well, for easier integration and troubleshooting: https://docs.microsoft.com/en-us/azure/security-center/continuous-export
- isfleming, Feb 12, 2020, Copper Contributor
Manuel_DEste thanks!
- Ofer_Shezaf, Feb 12, 2020, Microsoft
isfleming: no update here, apart from the fact that automated triggering of playbooks was released, of course. What do you find lacking in the solutions above?
~ Ofer
- isfleming, Feb 12, 2020, Copper Contributor
Ofer_Shezaf, thanks for the quick reply. I have not started working with this integration as yet. I am trying to determine what the requirements are for the data and what options there are to obtain it. Hopefully there will be nothing lacking. 🙂