Integration of Sentinel with other 3rd party on-prem SIEM solutions (stream alerts to eventhub)

Manuel_DEste
New Contributor

Dear Sentinel community,

I'm wondering if anyone has already explored the possibilities of integrating Sentinel alerts with other SIEM solutions.

An example could be customers who want to leverage Sentinel for their Azure cloud environments but still need their on-premises SIEM solutions to receive logs from other log sources as well.

One option could be to stream Sentinel alerts to Azure Event Hub and then use the Event Hub as a log source in the on-prem SIEM. Is this something supported on Sentinel?

Regards,

Manuel

3 Replies
Solution

Hi @Manuel_DEste, great meeting you again!

Yes and no.

Forwarding alerts to an event hub is supported. You can use one of several ways:

  • Run a Logic App scheduled playbook to read alerts using the Log Analytics connector and then write them to an event hub using the Event Hub connector.
  • Soon you will be able to do it by running a playbook automatically when an alert triggers.
  • Lastly, you can use the Security Graph API. Note that this will send all Azure alerts to your SIEM, not just Sentinel's.

Why no? Because what you really want to send are cases and not alerts; cases are automatically aggregated and reduced alerts. We are working to make sure those can be sent to a SIEM as well.
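The first option in the answer (a scheduled playbook that reads the SecurityAlert table and writes to an event hub) has two practical wrinkles that the one-line description hides: a polling run must not resend alerts it already forwarded, and, as the answer notes for the Graph API route, not every alert in the workspace is Sentinel's own. The script below is an added illustration written for this thread, not code from Microsoft or from the original posts. It replaces the Log Analytics query with a constructed list of SecurityAlert-shaped rows, replaces the Event Hub send with an injected callable, and keeps a checkpoint (newest TimeGenerated forwarded plus the SystemAlertIds already sent at that exact timestamp) so that repeated runs over overlapping results forward each alert once. The provider-name filter value and the output JSON shape are assumptions for the example.

```python
"""Added example: a polling alert forwarder in the spirit of a scheduled playbook.
Reads SecurityAlert-shaped rows, drops already-forwarded and non-Sentinel rows,
shapes the rest as JSON events and hands them to an Event Hub sender callable."""
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed provider filter: Sentinel's own analytics rules write this ProviderName.
# Other providers (e.g. Azure Security Center) also land in SecurityAlert and
# would otherwise be forwarded too, the same caveat the answer raises for Graph.
SENTINEL_PROVIDERS = frozenset({"ASI Scheduled Alerts"})


@dataclass
class Checkpoint:
    """Where the previous run stopped: newest TimeGenerated forwarded, and the
    SystemAlertIds already sent at exactly that timestamp (the overlap set)."""
    watermark: datetime = datetime(1970, 1, 1, tzinfo=timezone.utc)
    sent_at_watermark: set = field(default_factory=set)


def parse_ts(value: str) -> datetime:
    # Log Analytics returns ISO 8601 timestamps with a trailing Z.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def select_new_alerts(rows, checkpoint, providers=SENTINEL_PROVIDERS):
    """Return rows not yet forwarded, oldest first, one row per SystemAlertId."""
    picked, ids_in_batch = [], set()
    for row in sorted(rows, key=lambda r: parse_ts(r["TimeGenerated"])):
        if row["ProviderName"] not in providers:
            continue                       # not a Sentinel alert
        ts = parse_ts(row["TimeGenerated"])
        if ts < checkpoint.watermark:
            continue                       # forwarded by an earlier run
        if ts == checkpoint.watermark and row["SystemAlertId"] in checkpoint.sent_at_watermark:
            continue                       # boundary row, already sent
        if row["SystemAlertId"] in ids_in_batch:
            continue                       # same alert returned twice in one query
        ids_in_batch.add(row["SystemAlertId"])
        picked.append(row)
    return picked


def to_event(row):
    """Shape one alert as the JSON object the on-prem SIEM will read off the hub (assumed layout)."""
    return {
        "source": "AzureSentinel",
        "alert_id": row["SystemAlertId"],
        "time": row["TimeGenerated"],
        "name": row["AlertName"],
        "severity": row["AlertSeverity"],
        "provider": row["ProviderName"],
        "entities": json.loads(row.get("Entities") or "[]"),
    }


def forward(rows, checkpoint, send):
    """Forward new alerts via send(list_of_json_strings); return (count, new checkpoint)."""
    new_rows = select_new_alerts(rows, checkpoint)
    if new_rows:
        send([json.dumps(to_event(r)) for r in new_rows])
        newest = max(parse_ts(r["TimeGenerated"]) for r in new_rows)
        ids = {r["SystemAlertId"] for r in new_rows if parse_ts(r["TimeGenerated"]) == newest}
        if newest == checkpoint.watermark:
            ids |= checkpoint.sent_at_watermark   # keep earlier boundary ids too
        checkpoint = Checkpoint(newest, ids)
    return len(new_rows), checkpoint


# Constructed sample rows shaped like SecurityAlert records; real rows carry many more columns.
SAMPLE_ROWS = [
    {"TimeGenerated": "2019-04-01T09:00:00Z", "SystemAlertId": "a0", "AlertName": "Brute-force attempt",
     "AlertSeverity": "High", "ProviderName": "ASI Scheduled Alerts", "Entities": "[]"},
    {"TimeGenerated": "2019-04-01T10:00:00Z", "SystemAlertId": "a1", "AlertName": "Suspicious sign-in",
     "AlertSeverity": "Medium", "ProviderName": "ASI Scheduled Alerts", "Entities": '[{"Type":"account"}]'},
    {"TimeGenerated": "2019-04-01T10:05:00Z", "SystemAlertId": "a2", "AlertName": "Rare process",
     "AlertSeverity": "Low", "ProviderName": "ASI Scheduled Alerts", "Entities": "[]"},
    # Duplicate of a1 returned again by an overlapping query window.
    {"TimeGenerated": "2019-04-01T10:00:00Z", "SystemAlertId": "a1", "AlertName": "Suspicious sign-in",
     "AlertSeverity": "Medium", "ProviderName": "ASI Scheduled Alerts", "Entities": "[]"},
    # Non-Sentinel provider sharing the same table.
    {"TimeGenerated": "2019-04-01T10:05:00Z", "SystemAlertId": "b1", "AlertName": "Open management port",
     "AlertSeverity": "Medium", "ProviderName": "Azure Security Center", "Entities": "[]"},
]


def demo():
    """Two polling runs over the same rows: three alerts go out, then none again."""
    sent = []
    cp = Checkpoint()
    n1, cp = forward(SAMPLE_ROWS, cp, sent.extend)
    n2, cp = forward(SAMPLE_ROWS, cp, sent.extend)
    return n1, n2, len(sent)


if __name__ == "__main__":
    print(demo())
```

In a real playbook the checkpoint would be persisted between runs (for example in a storage account) and the query would be `SecurityAlert | where TimeGenerated >= watermark`; querying from the watermark inclusively rather than strictly after it is what makes the per-timestamp id set necessary, and it is what protects against alerts that share a timestamp with the last forwarded one being skipped.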

Hi @Ofer_Shezaf, great meeting you again too!

Thank you for your reply, I'll try the Security Graph API for now, I didn't know about this feature!
