Need Some Information on Azure Sentinel

dipenms
New Contributor

Hi All, 

I have the below questions with respect to Azure Sentinel. Please check them and provide answers.

 

  1. Is it possible to integrate a non-syslog device with Sentinel? If yes, a list of protocols supported.
  2. Can it interpret the CEF (Common Event Format) forwarded by any other SIEM tool?
  3. Sentinel has a list of detection/correlation rules available? Is a list available anywhere for the detection rule / correlation rule sets?
  4. Sentinel can run as a multitenant service.
  5. How well does it get along with Defender ATP, Office 365 ATP, Azure Security Center or Event Hub?
  6. What types of integration are available for response automation? Any list of integration points and supported actions?
  7. Sentinel is run in multitenant mode to support multiple customers from one single place.

Regards,

Dipen Rana

7 Replies

Can anyone provide any update on this please?


@dipenms wrote:

Hi All, 

I have the below questions with respect to Azure Sentinel. Please check them and provide answers.

 

  1. Is it possible to integrate a non-syslog device with Sentinel? If yes, a list of protocols supported.
  2. Can it interpret the CEF (Common Event Format) forwarded by any other SIEM tool?
  3. Sentinel has a list of detection/correlation rules available? Is a list available anywhere for the detection rule / correlation rule sets?
  4. Sentinel can run as a multitenant service.
  5. How well does it get along with Defender ATP, Office 365 ATP, Azure Security Center or Event Hub?
  6. What types of integration are available for response automation? Any list of integration points and supported actions?
  7. Sentinel is run in multitenant mode to support multiple customers from one single place.

Regards,

Dipen Rana



 

@dipenms

 

1. Sentinel re-uses the Azure Log Analytics Agent (Windows and Linux versions) to get data like Logs, Perf, Syslog etc.: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/log-analytics-agent

2. Sentinel has a CEF connector: https://docs.microsoft.com/en-us/azure/sentinel/connect-common-event-format

3. The community site has some of the queries and detections used today as part of the preview: https://github.com/Azure/Azure-Sentinel

4.

5. https://docs.microsoft.com/en-us/azure/sentinel/connect-data-sources lists all the Microsoft services Sentinel connects to. When you say "how well", are you asking for performance or SLA, or reliability? Please remember Sentinel is in Preview at the moment.

6. The preview shows the Analytics (alerts you specify) that then generate a Case. The Analytics in the future will be linked to a Playbook (Logic App).

7.
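Point 2 above refers to the Sentinel CEF connector, which receives CEF over syslog from appliances and other SIEMs. As an added example (not code from this thread or from Microsoft), the following Python parser handles the parts of CEF that commonly trip up home-grown parsing: the header escapes for `|` and `\`, extension values that contain spaces, escaped `=` and newline sequences inside values, an optional syslog prefix before `CEF:`, and named severities (Low/Medium/High/Very-High) alongside the numeric 0-10 scale. The two sample lines are constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Header layout: CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
HEADER_FIELD_COUNT = 7

# An extension key is [A-Za-z0-9_.-]+ immediately followed by '=', and sits either at the
# start of the extension or after whitespace. Values may contain spaces, so a value runs
# up to the start of the next key. An escaped '\=' never matches because '\' is not a key char.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.\-]+)=")


@dataclass
class CefEvent:
    syslog_prefix: str          # text before "CEF:", e.g. "<134>Mar 12 10:00:01 fw01 "
    version: str
    device_vendor: str
    device_product: str
    device_version: str
    signature_id: str
    name: str
    severity: str               # CEF allows 0-10 or Low/Medium/High/Very-High
    extensions: Dict[str, str] = field(default_factory=dict)

    def severity_level(self) -> int:
        """Normalise severity to the 0-10 scale; unrecognised text maps to 0."""
        named = {"low": 3, "medium": 6, "high": 8, "very-high": 10}
        s = self.severity.strip().lower()
        if s in named:
            return named[s]
        try:
            return max(0, min(10, int(s)))
        except ValueError:
            return 0


def _split_header(body: str) -> Tuple[List[str], str]:
    """Split the seven pipe-delimited header fields, honouring the '\\|' and '\\\\' escapes."""
    fields: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(body) and len(fields) < HEADER_FIELD_COUNT:
        c = body[i]
        if c == "\\" and i + 1 < len(body):
            cur.append(body[i + 1])       # escaped pipe or backslash
            i += 2
        elif c == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(c)
            i += 1
    if len(fields) < HEADER_FIELD_COUNT:
        raise ValueError("malformed CEF header: fewer than 7 pipe-delimited fields")
    return fields, body[i:]       # remainder after the 7th pipe is the extension


def _unescape_ext(value: str) -> str:
    """Undo extension escapes: '\\=' -> '=', '\\\\' -> '\\', '\\n' / '\\r' -> line breaks."""
    out: List[str] = []
    i = 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append({"n": "\n", "r": "\r"}.get(value[i + 1], value[i + 1]))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def _parse_extension(ext: str) -> Dict[str, str]:
    result: Dict[str, str] = {}
    matches = list(_KEY_RE.finditer(ext))
    for idx, m in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        result[m.group(1)] = _unescape_ext(ext[m.end():end].rstrip())
    return result


def parse_cef(line: str) -> CefEvent:
    """Parse one CEF line, with or without a leading syslog header."""
    line = line.rstrip("\r\n")
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("not a CEF line")
    prefix, body = line[:idx], line[idx + len("CEF:"):]
    fields, ext = _split_header(body)
    return CefEvent(prefix, *fields, extensions=_parse_extension(ext))


# Constructed sample input: a line with a syslog header and an escaped '=' in a value,
# and a line with escaped '|' and '\' in the header plus a named severity.
SAMPLE_LINES = [
    "<134>Mar 12 10:00:01 fw01 CEF:0|Example Corp|ExampleFW|2.1|100|Blocked connection|5|"
    "src=10.0.0.5 dst=192.0.2.7 spt=51234 dpt=443 msg=Policy deny\\=outbound act=blocked",
    "CEF:0|Vendor\\|Inc|Product\\\\X|1.0|200|Login failed|High|"
    "suser=alice msg=Bad password\\nattempt 3 rt=1552385401000",
]


def parse_all(lines: List[str]) -> List[CefEvent]:
    return [parse_cef(line) for line in lines]


def high_severity_events(lines: List[str]) -> List[CefEvent]:
    """Events at CEF severity 7 or above (High / Very-High), e.g. for first-pass triage."""
    return [e for e in parse_all(lines) if e.severity_level() >= 7]
```

Running `parse_all(SAMPLE_LINES)` yields `device_vendor == "Vendor|Inc"` and `msg == "Bad password\nattempt 3"` for the second line, showing the escapes being reversed rather than passed through; a forwarder that does not escape these characters produces lines this parser (and the connector) will split in the wrong place, which is the usual cause of fields landing in the wrong column.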

@Clive Watson Any ETA on the ability to assign a playbook to an alert trigger? If unknown, are there any other ways to run a playbook when the alerts are triggered?

 

Thanks,

Adrian Grigorof

Sorry I don't have a date, that will need to be disclosed by the Sentinel Product Group. You can create an Azure Alert using the same query, to get a Logic App/Playbook triggered in the meantime?

@agrigorof: any day now

@Clive Watson @dipenms

To add to Clive's answers:

  - Additional non-Syslog sources:
      - Pull collection, for example for files, database tables and REST APIs, is available using Logic Apps - you schedule recurring automation that reads the source and writes to the Sentinel workspace. You can use the following resources:
          - Create and run recurring tasks and workflows with Azure Logic Apps: https://docs.microsoft.com/en-us/azure/connectors/connectors-native-recurrence
          - Logic Apps connector for writing data to Log Analytics: https://docs.microsoft.com/en-us/connectors/azureloganalyticsdatacollector/
          - Custom API client connector for reading data: https://docs.microsoft.com/en-us/connectors/custom-connectors/
          - Read SQL Server data: https://docs.microsoft.com/en-us/connectors/sql/
          - Read a file: https://docs.microsoft.com/en-us/connectors/filesystem/
      - We support any Azure PaaS service that logs by pointing its diagnostics or activity log to the Sentinel workspace.
      - More and more vendors offer direct streaming to Azure Sentinel; those include Symantec, Barracuda, and F5 (https://clouddocs.f5.com/products/extensions/f5-telemetry-streaming/latest/).
  - CEF from SIEMs: As Clive mentions, we can collect from any CEF source. Some specific instructions on sending CEF from SIEM tools:
      - Splunk - use the Splunk App for CEF (https://splunkbase.splunk.com/app/1847/).
      - ArcSight - use the ArcSight forwarding connector (https://community.microfocus.com/t5/Logger-Forwarding-Connectors/ArcSight-Forwarding-Connector-Configuration-Guide/ta-p/1583918) and select CEF Syslog as the destination.
  - Multitenancy: Sentinel is inherently multi-tenant, as the workspace for each tenant (i.e., an MSSP customer or a sub-organization) lives in a different Azure tenant or a separate Sentinel workspace. We are working on central management for those tenants.
  - Microsoft sources:
      - Azure Security Center: supported.
      - Windows Defender ATP and Office ATP: the connectors are in the works.
      - Event Hub: use Logic Apps as described above for pull sources. See the specific documentation here: https://docs.microsoft.com/en-us/azure/connectors/connectors-create-api-azure-event-hubs
  - Response automation: see the Logic Apps connectors list (https://docs.microsoft.com/en-us/connectors/). Note that you can easily create custom API connectors (https://docs.microsoft.com/en-us/connectors/custom-connectors/) or get more flexibility using Azure Functions connectors (https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-azure-functions).