Azure Sentinel Alerts forward into Event HUB for 3rd Party SIEM


Hi,

We are trying to get Azure Sentinel logs into our on-prem QRadar SIEM.

We are following the approach of achieving it through Event Hub, but we are facing an issue with how to forward Azure Sentinel alerts into Event Hub. For this we followed the Logic App and GitHub code, but the code is showing errors.


https://techcommunity.microsoft.com/t5/azure-sentinel/sending-enriched-azure-sentinel-alerts-to-3rd-...

https://github.com/Azure/Azure-Sentinel/blob/master/Playbooks/Get-SentinelAlertsEvidence/azuredeploy...


7 Replies

@daniyal2021 If I understand what is happening correctly, you either deployed the code to your environment using the "Deploy to Azure" button (which I just tested and worked fine)  or you copied and pasted the code into a new playbook (in which case there are probably changes that need to be made in the code).  Is that correct?

@Gary Bushey Yes, you are right. Basically I don't know how to utilize the "Deploy to Azure" option; that's why I went with the copy-paste option.

@daniyal2021 Clicking the "Deploy to Azure" button takes you to the Azure console deployment screen. It's a better method to ensure there are no missing characters or formatting errors in the code (which sounds like it might be your issue).


@daniyal2021 Now stuck in this, can you please suggest something.


@daniyal2021 It looks like the content field wants to use the "ExtendedProperties" property that comes from the "When a response to an Azure Sentinel alert is triggered" trigger, but it didn't come through correctly. Clear that field and then you can select the correct value in the Dynamic content listing.

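As an added example (not from this thread or from the playbook repository), here is a small Python check for exactly this copy-paste failure: it walks a pasted Logic App workflow definition, flags action inputs where a trigger output such as ExtendedProperties landed as literal text instead of a `@triggerBody()` expression, and reports `parameters()` references the template never declares. The workflow JSON below is a constructed minimal stand-in, not the Get-SentinelAlertsEvidence playbook; the trigger output names are assumed.

```python
import json
import re

# Constructed, minimal Logic App workflow definition (an assumption, not the
# Get-SentinelAlertsEvidence playbook): a Sentinel alert trigger feeding two
# Event Hub "Send event" actions, one of which lost its dynamic-content token.
WORKFLOW_JSON = """{
  "definition": {
    "parameters": {"EventHubName": {"type": "string"}},
    "triggers": {"When_a_response_to_an_Azure_Sentinel_alert_is_triggered":
                 {"type": "ApiConnectionWebhook"}},
    "actions": {
      "Send_event_broken": {"type": "ApiConnection", "inputs": {
        "body": {"ContentData": "ExtendedProperties"},
        "path": "/@{encodeURIComponent(parameters('EventHubName'))}/events"}},
      "Send_event_ok": {"type": "ApiConnection", "inputs": {
        "body": {"ContentData": "@{base64(triggerBody()?['ExtendedProperties'])}"},
        "path": "/@{encodeURIComponent(parameters('MissingParam'))}/events"}}
    }
  }
}"""

# Assumed trigger output names; a bare literal equal to one of these inside an
# action input means the Dynamic content token was pasted as plain text.
TRIGGER_OUTPUTS = {"ExtendedProperties", "Entities", "AlertDisplayName"}
PARAM_REF = re.compile(r"parameters\('([^']+)'\)")


def _strings(node, path=""):
    """Yield (json_path, value) for every string leaf under node."""
    if isinstance(node, dict):
        for key, val in node.items():
            yield from _strings(val, f"{path}.{key}")
    elif isinstance(node, list):
        for i, val in enumerate(node):
            yield from _strings(val, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node


def lint_workflow(workflow_json):
    """Return findings for a pasted Logic App definition (empty list = clean)."""
    wf = json.loads(workflow_json)["definition"]
    declared = set(wf.get("parameters", {}))
    findings = []
    for name, action in wf.get("actions", {}).items():
        for path, value in _strings(action.get("inputs", {}), name):
            if value in TRIGGER_OUTPUTS:  # literal text, not an expression
                findings.append(f"{path}: literal '{value}', expected "
                                f"@triggerBody()?['{value}']")
            for ref in PARAM_REF.findall(value):
                if ref not in declared:
                    findings.append(f"{path}: parameters('{ref}') is not declared")
    return findings
```

Running `lint_workflow(WORKFLOW_JSON)` reports the literal ExtendedProperties in Send_event_broken and the undeclared MissingParam in Send_event_ok, which is the kind of defect the Deploy to Azure button avoids by deploying the template unchanged.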

@Gary Bushey Now they are showing an error about repo permissions being revoked.


@daniyal2021 Not sure what that error means. I was able to install it on 2 different Azure Sentinel instances yesterday without any problems.