This blog post describes how Azure Sentinel can be used in a side-by-side approach with Splunk.
As most enterprises consume more and more cloud services, there is a strong need for a cloud-native SIEM. This is where Azure Sentinel comes into play, with the following advantages:
Easy collection from cloud sources
Effortless infinite scale
Integrated automation capabilities
Continually maintained cloud and on-prem use cases enhanced with Microsoft TI and ML
GitHub community
Microsoft research and ML capabilities
Avoid sending cloud telemetry downstream
There are several best-practice integration options for operating Azure Sentinel side-by-side, depending on whether alerts or events are exchanged:

Upstream to Sentinel
  Alerts: CEF, Logstash, Logic Apps, API
  Events: CEF, Logstash, API

Downstream from Sentinel
  Alerts: Security Graph Security API PowerShell, Logic Apps, API
  Events: API, PowerShell
This blog post focuses on ingesting Azure Sentinel alerts into Splunk by using the Microsoft Graph Security API.
The Microsoft Graph Security API provides a unified interface and schema to integrate with security solutions from Microsoft and ecosystem partners. This empowers customers to streamline security operations and better defend against increasing cyber threats. The Microsoft Graph Security API federates queries to all onboarded security providers and aggregates responses.
Usually an enterprise that has already decided on Splunk has a running environment. This part is included mainly so that the installation steps can be used to build a lab environment or for evaluation purposes.
In my environment I decided to use an Ubuntu server and build it in Azure.
Once Splunk is started, the web interface is available at http://splunk:8000.
Run the following command to have Splunk start automatically when the server boots.
sudo /opt/splunk/bin/splunk enable boot-start
Register an Application in Azure AD
The installed add-on requires the SecurityEvents.Read.All read permission on the Microsoft Graph Security API. The steps to register an app in Azure are described in Walkthrough: Register an app with Azure Active Directory.
For the later configuration in Splunk, make a note of the following settings:
Azure AD Application ID
Azure AD Application Secret
Tenant ID
Preparation Steps in Splunk
There is an add-on available that ingests Microsoft security alerts from the Microsoft Graph Security API. Use the following steps to install it in Splunk.
Log in with the credentials (username / password) you provided during the Splunk installation.
Log in and download the Microsoft Graph Security API Add-On for Splunk from the following source:
In Manage Apps, click Install app from file, select the file downloaded earlier (microsoft-graph-security-api-add-on-for-splunk_011.tgz), and click Upload.
Once the app is installed, Splunk must be restarted; click Restart Now.
After the restart, the Microsoft Graph Security API Add-On for Splunk can be used to ingest Azure Sentinel alerts into Splunk.
Preparation Steps in Splunk
Now it is time to configure the add-on to connect to the Microsoft Graph Security API.
In the Splunk portal, click Microsoft Graph Security Add-on for Splunk.
Click Create New Input.
Configure the input settings with the values noted from the registered Azure AD app (Azure AD Application ID, Azure AD Application Secret and Tenant ID). The OData Filter can be used to filter alerts if required (Link); for example, for Azure Sentinel alerts use /security/alerts?$filter=vendorInformation/provider eq 'Azure Sentinel'.
Using Azure Sentinel alerts in Splunk
Once ingestion has run, you can query the data by using sourcetype=GraphSecurityAlert in the search field.
Splunk is now connected to the Microsoft Graph Security API and ingesting Azure Sentinel alerts.
Summary
We just walked through the process of standing up Azure Sentinel side-by-side with Splunk. In this way, you can use Azure Sentinel to enrich alerts from your cloud workloads, providing additional context and prioritization as they are then ingested into Splunk. This will help you easily address your cloud security gaps while maintaining your existing SIEM.
Well, maybe what you mean by access to Sentinel is in a broader way, but if it's literal, I think you can set the Logic App access to Sentinel instead of a user.
There are other, more complex ways using APIs and App Registrations. Logic Apps abstract that complexity.
You need to get information to Sentinel; a Logic App is one way. You can send logs from Splunk to Sentinel, and create a rule and Logic App to work internally in Sentinel.
This is what I thought I could do. The issue is, I need to change the status in Splunk and send the change to Sentinel. I don't have (and don't want to have) access to the Sentinel instance, but I get the incidents ingested via the Splunk TA.
I did it by creating a rule in Splunk that detects the incident status change and then used a webhook action in Splunk to call another Logic App URL (which you need to create) to change the status, add comments, etc.
Also, in my case, this incident status change is not from Splunk itself, since we use another tool to track the incident.
But I need one more step: how can I respond to Sentinel alerts via Splunk? In particular, I need to change the Sentinel incident status from Splunk. Any idea would be appreciated.
Joseph-Abraham, you can create a Logic App that receives the alert ID (GET request) and gets the incident ID using the built-in Sentinel incident connector or using a Log Analytics query.
With this you can respond to the user with a 302, redirecting the browser to the incident URL.
Also, there are some alerts that are not in Sentinel yet, and then you can send the user to the other portal.
"}},"componentScriptGroups({\"componentId\":\"custom.widget.MicrosoftFooter\"})":{"__typename":"ComponentScriptGroups","scriptGroups":{"__typename":"ComponentScriptGroupsDefinition","afterInteractive":{"__typename":"PageScriptGroupDefinition","group":"AFTER_INTERACTIVE","scriptIds":[]},"lazyOnLoad":{"__typename":"PageScriptGroupDefinition","group":"LAZY_ON_LOAD","scriptIds":[]}},"componentScripts":[]},"cachedText({\"lastModified\":\"1744658876111\",\"locale\":\"en-US\",\"namespaces\":[\"components/community/NavbarDropdownToggle\"]})":[{"__ref":"CachedAsset:text:en_US-components/community/NavbarDropdownToggle-1744658876111"}],"cachedText({\"lastModified\":\"1744658876111\",\"locale\":\"en-US\",\"namespaces\":[\"shared/client/components/common/QueryHandler\"]})":[{"__ref":"CachedAsset:text:en_US-shared/client/components/common/QueryHandler-1744658876111"}],"cachedText({\"lastModified\":\"1744658876111\",\"locale\":\"en-US\",\"namespaces\":[\"components/messages/MessageCoverImage\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageCoverImage-1744658876111"}],"cachedText({\"lastModified\":\"1744658876111\",\"locale\":\"en-US\",\"namespaces\":[\"shared/client/components/nodes/NodeTitle\"]})":[{"__ref":"CachedAsset:text:en_US-shared/client/components/nodes/NodeTitle-1744658876111"}],"cachedText({\"lastModified\":\"1744658876111\",\"locale\":\"en-US\",\"namespaces\":[\"components/messages/MessageTimeToRead\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageTimeToRead-1744658876111"}],"cachedText({\"lastModified\":\"1744658876111\",\"locale\":\"en-US\",\"namespaces\":[\"components/messages/MessageSubject\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageSubject-1744658876111"}],"cachedText({\"lastModified\":\"1744658876111\",\"locale\":\"en-US\",\"namespaces\":[\"components/users/UserLink\"]})":[{"__ref":"CachedAsset:text:en_US-components/users/UserLink-1744658876111"}],"cachedText({\"lastModified\":\"1744658876111\",\"locale\
":\"en-US\",\"namespaces\":[\"shared/client/components/users/UserRank\"]})":[{"__ref":"CachedAsset:text:en_US-shared/client/components/users/UserRank-1744658876111"}],"cachedText({\"lastModified\":\"1744658876111\",\"locale\":\"en-US\",\"namespaces\":[\"components/messages/MessageTime\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageTime-1744658876111"}],"cachedText({\"lastModified\":\"1744658876111\",\"locale\":\"en-US\",\"namespaces\":[\"components/messages/MessageBody\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageBody-1744658876111"}],"cachedText({\"lastModified\":\"1744658876111\",\"locale\":\"en-US\",\"namespaces\":[\"components/messages/MessageCustomFields\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageCustomFields-1744658876111"}],"cachedText({\"lastModified\":\"1744658876111\",\"locale\":\"en-US\",\"namespaces\":[\"components/messages/MessageRevision\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageRevision-1744658876111"}],"cachedText({\"lastModified\":\"1744658876111\",\"locale\":\"en-US\",\"namespaces\":[\"components/messages/MessageReplyButton\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageReplyButton-1744658876111"}],"cachedText({\"lastModified\":\"1744658876111\",\"locale\":\"en-US\",\"namespaces\":[\"components/messages/MessageAuthorBio\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageAuthorBio-1744658876111"}],"cachedText({\"lastModified\":\"1744658876111\",\"locale\":\"en-US\",\"namespaces\":[\"shared/client/components/users/UserAvatar\"]})":[{"__ref":"CachedAsset:text:en_US-shared/client/components/users/UserAvatar-1744658876111"}],"cachedText({\"lastModified\":\"1744658876111\",\"locale\":\"en-US\",\"namespaces\":[\"shared/client/components/ranks/UserRankLabel\"]})":[{"__ref":"CachedAsset:text:en_US-shared/client/components/ranks/UserRankLabel-1744658876111"}],"cachedText({\"lastModified\":\"1744658876111\",\"locale\":\"en-US\",\"name
spaces\":[\"components/users/UserRegistrationDate\"]})":[{"__ref":"CachedAsset:text:en_US-components/users/UserRegistrationDate-1744658876111"}],"cachedText({\"lastModified\":\"1744658876111\",\"locale\":\"en-US\",\"namespaces\":[\"shared/client/components/nodes/NodeAvatar\"]})":[{"__ref":"CachedAsset:text:en_US-shared/client/components/nodes/NodeAvatar-1744658876111"}],"cachedText({\"lastModified\":\"1744658876111\",\"locale\":\"en-US\",\"namespaces\":[\"shared/client/components/nodes/NodeDescription\"]})":[{"__ref":"CachedAsset:text:en_US-shared/client/components/nodes/NodeDescription-1744658876111"}],"cachedText({\"lastModified\":\"1744658876111\",\"locale\":\"en-US\",\"namespaces\":[\"shared/client/components/common/Pager/PagerLoadMorePreviousNextLinkable\"]})":[{"__ref":"CachedAsset:text:en_US-shared/client/components/common/Pager/PagerLoadMorePreviousNextLinkable-1744658876111"}],"message({\"id\":\"message:3855115\"})":{"__ref":"BlogReplyMessage:message:3855115"},"message({\"id\":\"message:2322385\"})":{"__ref":"BlogReplyMessage:message:2322385"},"message({\"id\":\"message:2321891\"})":{"__ref":"BlogReplyMessage:message:2321891"},"message({\"id\":\"message:2321874\"})":{"__ref":"BlogReplyMessage:message:2321874"},"message({\"id\":\"message:2321763\"})":{"__ref":"BlogReplyMessage:message:2321763"},"message({\"id\":\"message:2178892\"})":{"__ref":"BlogReplyMessage:message:2178892"},"message({\"id\":\"message:2177555\"})":{"__ref":"BlogReplyMessage:message:2177555"},"message({\"id\":\"message:1448002\"})":{"__ref":"BlogReplyMessage:message:1448002"},"message({\"id\":\"message:1267466\"})":{"__ref":"BlogReplyMessage:message:1267466"},"message({\"id\":\"message:1216111\"})":{"__ref":"BlogReplyMessage:message:1216111"},"cachedText({\"lastModified\":\"1744658876111\",\"locale\":\"en-US\",\"namespaces\":[\"components/tags/TagView/TagViewChip\"]})":[{"__ref":"CachedAsset:text:en_US-components/tags/TagView/TagViewChip-1744658876111"}],"cachedText({\"lastModified\":\"174
4658876111\",\"locale\":\"en-US\",\"namespaces\":[\"shared/client/components/nodes/NodeIcon\"]})":[{"__ref":"CachedAsset:text:en_US-shared/client/components/nodes/NodeIcon-1744658876111"}]},"CachedAsset:pages-1744410786425":{"__typename":"CachedAsset","id":"pages-1744410786425","value":[{"lastUpdatedTime":1744410786425,"localOverride":null,"page":{"id":"BlogViewAllPostsPage","type":"BLOG","urlPath":"/category/:categoryId/blog/:boardId/all-posts/(/:after|/:before)?","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744410786425,"localOverride":null,"page":{"id":"CasePortalPage","type":"CASE_PORTAL","urlPath":"/caseportal","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744410786425,"localOverride":null,"page":{"id":"CreateGroupHubPage","type":"GROUP_HUB","urlPath":"/groups/create","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744410786425,"localOverride":null,"page":{"id":"CaseViewPage","type":"CASE_DETAILS","urlPath":"/case/:caseId/:caseNumber","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744410786425,"localOverride":null,"page":{"id":"InboxPage","type":"COMMUNITY","urlPath":"/inbox","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744410786425,"localOverride":null,"page":{"id":"HelpFAQPage","type":"COMMUNITY","urlPath":"/help","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744410786425,"localOverride":null,"page":{"id":"IdeaMessagePage","type":"IDEA_POST","urlPath":"/idea/:boardId/:messageSubject/:messageId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744410786425,"localOverride":null,"page":{"id":"IdeaViewAllIdeasPage","type":"IDEA","urlPath":"/category/:categoryId/ideas/:boardId/all-ideas/(/:after|/:before)?","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744410786425,"localOverride":null,"page":{"id":"L
oginPage","type":"USER","urlPath":"/signin","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744410786425,"localOverride":null,"page":{"id":"BlogPostPage","type":"BLOG","urlPath":"/category/:categoryId/blogs/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744410786425,"localOverride":null,"page":{"id":"UserBlogPermissions.Page","type":"COMMUNITY","urlPath":"/c/user-blog-permissions/page","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744410786425,"localOverride":null,"page":{"id":"ThemeEditorPage","type":"COMMUNITY","urlPath":"/designer/themes","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744410786425,"localOverride":null,"page":{"id":"TkbViewAllArticlesPage","type":"TKB","urlPath":"/category/:categoryId/kb/:boardId/all-articles/(/:after|/:before)?","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1730142000000,"localOverride":null,"page":{"id":"AllEvents","type":"CUSTOM","urlPath":"/Events","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744410786425,"localOverride":null,"page":{"id":"OccasionEditPage","type":"EVENT","urlPath":"/event/:boardId/:messageSubject/:messageId/edit","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744410786425,"localOverride":null,"page":{"id":"OAuthAuthorizationAllowPage","type":"USER","urlPath":"/auth/authorize/allow","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744410786425,"localOverride":null,"page":{"id":"PageEditorPage","type":"COMMUNITY","urlPath":"/designer/pages","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744410786425,"localOverride":null,"page":{"id":"PostPage","type":"COMMUNITY","urlPath":"/category/:categoryId/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744410786425,
"localOverride":null,"page":{"id":"ForumBoardPage","type":"FORUM","urlPath":"/category/:categoryId/discussions/:boardId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744410786425,"localOverride":null,"page":{"id":"TkbBoardPage","type":"TKB","urlPath":"/category/:categoryId/kb/:boardId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744410786425,"localOverride":null,"page":{"id":"EventPostPage","type":"EVENT","urlPath":"/category/:categoryId/events/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744410786425,"localOverride":null,"page":{"id":"UserBadgesPage","type":"COMMUNITY","urlPath":"/users/:login/:userId/badges","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744410786425,"localOverride":null,"page":{"id":"GroupHubMembershipAction","type":"GROUP_HUB","urlPath":"/membership/join/:nodeId/:membershipType","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744410786425,"localOverride":null,"page":{"id":"MaintenancePage","type":"COMMUNITY","urlPath":"/maintenance","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744410786425,"localOverride":null,"page":{"id":"IdeaReplyPage","type":"IDEA_REPLY","urlPath":"/idea/:boardId/:messageSubject/:messageId/comments/:replyId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744410786425,"localOverride":null,"page":{"id":"UserSettingsPage","type":"USER","urlPath":"/mysettings/:userSettingsTab","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744410786425,"localOverride":null,"page":{"id":"GroupHubsPage","type":"GROUP_HUB","urlPath":"/groups","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744410786425,"localOverride":null,"page":{"id":"ForumPostPage","type":"FORUM","urlPath":"/category/:categoryId/discussions/:boardId/create","__typ
ename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744410786425,"localOverride":null,"page":{"id":"OccasionRsvpActionPage","type":"OCCASION","urlPath":"/event/:boardId/:messageSubject/:messageId/rsvp/:responseType","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744410786425,"localOverride":null,"page":{"id":"VerifyUserEmailPage","type":"USER","urlPath":"/verifyemail/:userId/:verifyEmailToken","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744410786425,"localOverride":null,"page":{"id":"AllOccasionsPage","type":"OCCASION","urlPath":"/category/:categoryId/events/:boardId/all-events/(/:after|/:before)?","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744410786425,"localOverride":null,"page":{"id":"EventBoardPage","type":"EVENT","urlPath":"/category/:categoryId/events/:boardId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744410786425,"localOverride":null,"page":{"id":"TkbReplyPage","type":"TKB_REPLY","urlPath":"/kb/:boardId/:messageSubject/:messageId/comments/:replyId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744410786425,"localOverride":null,"page":{"id":"IdeaBoardPage","type":"IDEA","urlPath":"/category/:categoryId/ideas/:boardId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744410786425,"localOverride":null,"page":{"id":"CommunityGuideLinesPage","type":"COMMUNITY","urlPath":"/communityguidelines","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744410786425,"localOverride":null,"page":{"id":"CaseCreatePage","type":"SALESFORCE_CASE_CREATION","urlPath":"/caseportal/create","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744410786425,"localOverride":null,"page":{"id":"TkbEditPage","type":"TKB","urlPath":"/kb/:boardId/:messageSubject/:messageId/edit","__typename":"PageDescriptor"},"
__typename":"PageResource"},{"lastUpdatedTime":1744410786425,"localOverride":null,"page":{"id":"ForgotPasswordPage","type":"USER","urlPath":"/forgotpassword","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744410786425,"localOverride":null,"page":{"id":"IdeaEditPage","type":"IDEA","urlPath":"/idea/:boardId/:messageSubject/:messageId/edit","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744410786425,"localOverride":null,"page":{"id":"TagPage","type":"COMMUNITY","urlPath":"/tag/:tagName","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744410786425,"localOverride":null,"page":{"id":"BlogBoardPage","type":"BLOG","urlPath":"/category/:categoryId/blog/:boardId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744410786425,"localOverride":null,"page":{"id":"OccasionMessagePage","type":"OCCASION_TOPIC","urlPath":"/event/:boardId/:messageSubject/:messageId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744410786425,"localOverride":null,"page":{"id":"ManageContentPage","type":"COMMUNITY","urlPath":"/managecontent","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744410786425,"localOverride":null,"page":{"id":"ClosedMembershipNodeNonMembersPage","type":"GROUP_HUB","urlPath":"/closedgroup/:groupHubId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744410786425,"localOverride":null,"page":{"id":"CommunityPage","type":"COMMUNITY","urlPath":"/","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744410786425,"localOverride":null,"page":{"id":"ForumMessagePage","type":"FORUM_TOPIC","urlPath":"/discussions/:boardId/:messageSubject/:messageId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744410786425,"localOverride":null,"page":{"id":"IdeaPostPage","type":"IDEA","urlPath":"/category/:categoryId/ideas/
:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1730142000000,"localOverride":null,"page":{"id":"CommunityHub.Page","type":"CUSTOM","urlPath":"/Directory","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744410786425,"localOverride":null,"page":{"id":"BlogMessagePage","type":"BLOG_ARTICLE","urlPath":"/blog/:boardId/:messageSubject/:messageId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744410786425,"localOverride":null,"page":{"id":"RegistrationPage","type":"USER","urlPath":"/register","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744410786425,"localOverride":null,"page":{"id":"EditGroupHubPage","type":"GROUP_HUB","urlPath":"/group/:groupHubId/edit","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744410786425,"localOverride":null,"page":{"id":"ForumEditPage","type":"FORUM","urlPath":"/discussions/:boardId/:messageSubject/:messageId/edit","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744410786425,"localOverride":null,"page":{"id":"ResetPasswordPage","type":"USER","urlPath":"/resetpassword/:userId/:resetPasswordToken","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1730142000000,"localOverride":null,"page":{"id":"AllBlogs.Page","type":"CUSTOM","urlPath":"/blogs","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744410786425,"localOverride":null,"page":{"id":"TkbMessagePage","type":"TKB_ARTICLE","urlPath":"/kb/:boardId/:messageSubject/:messageId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744410786425,"localOverride":null,"page":{"id":"BlogEditPage","type":"BLOG","urlPath":"/blog/:boardId/:messageSubject/:messageId/edit","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744410786425,"localOverride":null,"page":{"id":"ManageUsersPage
","type":"USER","urlPath":"/users/manage/:tab?/:manageUsersTab?","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744410786425,"localOverride":null,"page":{"id":"ForumReplyPage","type":"FORUM_REPLY","urlPath":"/discussions/:boardId/:messageSubject/:messageId/replies/:replyId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744410786425,"localOverride":null,"page":{"id":"PrivacyPolicyPage","type":"COMMUNITY","urlPath":"/privacypolicy","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744410786425,"localOverride":null,"page":{"id":"NotificationPage","type":"COMMUNITY","urlPath":"/notifications","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744410786425,"localOverride":null,"page":{"id":"UserPage","type":"USER","urlPath":"/users/:login/:userId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744410786425,"localOverride":null,"page":{"id":"OccasionReplyPage","type":"OCCASION_REPLY","urlPath":"/event/:boardId/:messageSubject/:messageId/comments/:replyId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744410786425,"localOverride":null,"page":{"id":"ManageMembersPage","type":"GROUP_HUB","urlPath":"/group/:groupHubId/manage/:tab?","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744410786425,"localOverride":null,"page":{"id":"SearchResultsPage","type":"COMMUNITY","urlPath":"/search","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744410786425,"localOverride":null,"page":{"id":"BlogReplyPage","type":"BLOG_REPLY","urlPath":"/blog/:boardId/:messageSubject/:messageId/replies/:replyId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744410786425,"localOverride":null,"page":{"id":"GroupHubPage","type":"GROUP_HUB","urlPath":"/group/:groupHubId","__typename":"PageDescriptor"},"__typename":"PageResour
ce"},{"lastUpdatedTime":1744410786425,"localOverride":null,"page":{"id":"TermsOfServicePage","type":"COMMUNITY","urlPath":"/termsofservice","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744410786425,"localOverride":null,"page":{"id":"CategoryPage","type":"CATEGORY","urlPath":"/category/:categoryId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744410786425,"localOverride":null,"page":{"id":"ForumViewAllTopicsPage","type":"FORUM","urlPath":"/category/:categoryId/discussions/:boardId/all-topics/(/:after|/:before)?","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744410786425,"localOverride":null,"page":{"id":"TkbPostPage","type":"TKB","urlPath":"/category/:categoryId/kbs/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744410786425,"localOverride":null,"page":{"id":"GroupHubPostPage","type":"GROUP_HUB","urlPath":"/group/:groupHubId/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResource"}],"localOverride":false},"CachedAsset:text:en_US-components/context/AppContext/AppContextProvider-0":{"__typename":"CachedAsset","id":"text:en_US-components/context/AppContext/AppContextProvider-0","value":{"noCommunity":"Cannot find community","noUser":"Cannot find current user","noNode":"Cannot find node with id {nodeId}","noMessage":"Cannot find message with id 
{messageId}"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/common/Loading/LoadingDot-0":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/common/Loading/LoadingDot-0","value":{"title":"Loading..."},"localOverride":false},"User:user:-1":{"__typename":"User","id":"user:-1","uid":-1,"login":"Deleted","email":"","avatar":null,"rank":null,"kudosWeight":1,"registrationData":{"__typename":"RegistrationData","status":"ANONYMOUS","registrationTime":null,"confirmEmailStatus":false,"registrationAccessLevel":"VIEW","ssoRegistrationFields":[]},"ssoId":null,"profileSettings":{"__typename":"ProfileSettings","dateDisplayStyle":{"__typename":"InheritableStringSettingWithPossibleValues","key":"layout.friendly_dates_enabled","value":"false","localValue":"true","possibleValues":["true","false"]},"dateDisplayFormat":{"__typename":"InheritableStringSetting","key":"layout.format_pattern_date","value":"MMM dd yyyy","localValue":"MM-dd-yyyy"},"language":{"__typename":"InheritableStringSettingWithPossibleValues","key":"profile.language","value":"en-US","localValue":"en","possibleValues":["en-US"]}},"deleted":false},"Theme:customTheme1":{"__typename":"Theme","id":"customTheme1"},"Category:category:microsoft-sentinel":{"__typename":"Category","id":"category:microsoft-sentinel","entityType":"CATEGORY","displayId":"microsoft-sentinel","nodeType":"category","depth":4,"title":"Microsoft Sentinel","shortTitle":"Microsoft 
Sentinel","parent":{"__ref":"Category:category:microsoft-security"}},"Category:category:top":{"__typename":"Category","id":"category:top","displayId":"top","nodeType":"category","depth":0,"title":"Top","entityType":"CATEGORY","shortTitle":"Top"},"Category:category:communities":{"__typename":"Category","id":"category:communities","displayId":"communities","nodeType":"category","depth":1,"parent":{"__ref":"Category:category:top"},"title":"Communities","entityType":"CATEGORY","shortTitle":"Communities"},"Category:category:products-services":{"__typename":"Category","id":"category:products-services","displayId":"products-services","nodeType":"category","depth":2,"parent":{"__ref":"Category:category:communities"},"title":"Products","entityType":"CATEGORY","shortTitle":"Products"},"Category:category:microsoft-security":{"__typename":"Category","id":"category:microsoft-security","displayId":"microsoft-security","nodeType":"category","depth":3,"parent":{"__ref":"Category:category:products-services"},"title":"Microsoft Security","entityType":"CATEGORY","shortTitle":"Microsoft Security","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Blog:board:MicrosoftSentinelBlog":{"__typename":"Blog","id":"board:MicrosoftSentinelBlog","entityType":"BLOG","displayId":"MicrosoftSentinelBlog","nodeType":"board","depth":5,"conversationStyle":"BLOG","title":"Microsoft Sentinel Blog","description":"
Microsoft Sentinel is a cloud-native SIEM, enriched with AI and automation to provide expansive visibility across your digital environment.
\n
\n
For the later configuration in Splunk, make a note of the following values from the app registration:
\n
Azure AD Application ID
\n
Azure AD Application Secret
\n
Tenant ID
\n
\n
Preparation Steps in Splunk
\n
There is an add-on available that ingests Microsoft security alerts from the Microsoft Graph Security API. Use the following steps to install it in Splunk.
\n
\n
Log in with the admin credentials (username / password) you provided during the Splunk installation.
\n
\n
\n
\n
Log in to Splunkbase and download the Microsoft Graph Security API Add-On for Splunk.
In Manage Apps, click Install app from file, select the downloaded file microsoft-graph-security-api-add-on-for-splunk_011.tgz, and click Upload.
\n
\n
\n
\n
Once the add-on is installed, Splunk must be restarted; click Restart Now.
\n
\n
\n
\n
After the restart, the Microsoft Graph Security API Add-On for Splunk can be used to ingest Azure Sentinel alerts into Splunk.
\n
\n
Configuration Steps in Splunk
\n
Now it is time to configure the add-on to connect to the Microsoft Graph Security API.
\n
\n
In the Splunk portal, click Microsoft Graph Security Add-on for Splunk.
\n
\n
\n
\n
Click Create New Input.
\n
\n
\n
Configure the input with the values noted from the registered Azure AD app (Azure AD Application ID, Azure AD Application Secret and Tenant ID). The OData Filter field can be used to restrict which alerts are pulled; to ingest only Azure Sentinel alerts, use /security/alerts?$filter=vendorInformation/provider eq 'Azure Sentinel'.
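Before trusting the Splunk input, it is worth reproducing what the add-on does behind it: a client-credentials token request for the registered app, then a GET against /security/alerts with the same OData filter. The script below is an added example, not code from the original post or from the add-on. It assumes the app registration holds the SecurityEvents.Read.All application permission with admin consent, that the three noted values are supplied through the environment variables TENANT_ID, CLIENT_ID and CLIENT_SECRET (names chosen here), and it ships a constructed SAMPLE_RESPONSE in the Graph alert schema so it also runs offline.

```python
"""Pull Azure Sentinel alerts from the Microsoft Graph Security API.

Added example (not from the original post or the Splunk add-on). It performs
the client-credentials grant and the filtered /security/alerts query the
add-on makes, so the app registration and filter string can be validated
independently of Splunk. SAMPLE_RESPONSE is constructed for offline runs.
"""
import json
import os
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
LOGIN = "https://login.microsoftonline.com"
# The filter from the post, exactly as typed into the add-on's OData Filter field.
SENTINEL_FILTER = "vendorInformation/provider eq 'Azure Sentinel'"


def token_request(tenant_id, client_id, client_secret):
    """Return (url, form body) for the OAuth2 v2.0 client-credentials grant.
    The scope is Graph's '.default': application permissions are granted at
    admin-consent time, not negotiated per request."""
    url = f"{LOGIN}/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    return url, body


def alerts_url(odata_filter=SENTINEL_FILTER, top=50):
    """Build the /security/alerts URL. The filter is percent-encoded because
    it contains spaces and quotes; the '/' in the property path stays literal."""
    return f"{GRAPH}/security/alerts?$filter={urllib.parse.quote(odata_filter)}&$top={top}"


def fetch_alerts(tenant_id, client_id, client_secret, odata_filter=SENTINEL_FILTER):
    """Live call: obtain a token, then follow @odata.nextLink until exhausted."""
    url, body = token_request(tenant_id, client_id, client_secret)
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        token = json.load(resp)["access_token"]
    alerts, next_url = [], alerts_url(odata_filter)
    while next_url:
        req = urllib.request.Request(next_url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        alerts.extend(page.get("value", []))
        next_url = page.get("@odata.nextLink")
    return alerts


def to_splunk_events(alerts):
    """Flatten the fields an analyst searches on; keep the provider so the
    filter can be re-checked on the Splunk side."""
    return [{
        "_time": a["createdDateTime"],
        "id": a["id"],
        "title": a["title"],
        "severity": a["severity"],
        "status": a["status"],
        "provider": a["vendorInformation"]["provider"],
        "hosts": [h.get("fqdn") for h in a.get("hostStates", [])],
    } for a in alerts]


def off_filter(events, provider="Azure Sentinel"):
    """Events whose provider does not match: empty when the server-side
    filter is doing its job."""
    return [e for e in events if e["provider"] != provider]


# Constructed sample in the Graph alert schema: one Sentinel alert and one
# from another provider, as an unfiltered query could return.
SAMPLE_RESPONSE = {"value": [
    {"id": "a1", "title": "Suspicious sign-in", "severity": "high",
     "status": "newAlert", "createdDateTime": "2020-03-01T10:00:00Z",
     "vendorInformation": {"provider": "Azure Sentinel", "vendor": "Microsoft"},
     "hostStates": [{"fqdn": "vm01.contoso.local"}]},
    {"id": "a2", "title": "Malware detected", "severity": "medium",
     "status": "inProgress", "createdDateTime": "2020-03-01T11:00:00Z",
     "vendorInformation": {"provider": "Azure Security Center", "vendor": "Microsoft"},
     "hostStates": []},
]}

if __name__ == "__main__":
    creds = [os.environ.get(k) for k in ("TENANT_ID", "CLIENT_ID", "CLIENT_SECRET")]
    alerts = fetch_alerts(*creds) if all(creds) else SAMPLE_RESPONSE["value"]
    events = to_splunk_events(alerts)
    print(json.dumps(events, indent=1))
    print("alerts outside the filter:", len(off_filter(events)))
```

Run it with the three environment variables set to see the live response; a 401 on the token call points at a wrong tenant or secret, a 403 on the alerts call at missing admin consent for SecurityEvents.Read.All. The token this flow returns can read every alert in the tenant, so keep the app registration at exactly that one permission and treat the client secret like any other credential: it belongs in the add-on's configuration, not in a script checked into source control.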
\n
\n
\n
\n
Using Azure Sentinel alerts in Splunk
\n
Once the first ingestion has run, you can search the data with sourcetype=GraphSecurityAlert in the search field.
\n
\n
\n
\n
Splunk is now connected to the Microsoft Graph Security API and is ingesting Azure Sentinel alerts.
\n
\n
Summary
\n
\n
We just walked through the process of standing up Azure Sentinel side-by-side with Splunk. In this way, you can use Azure Sentinel to enrich alerts from your cloud workloads with additional context and prioritization before they are ingested into Splunk. This helps you address your cloud security gaps while keeping your existing SIEM.
Comment (2021-05-04):
Well, maybe what you mean by access to Sentinel is in a broader sense, but if it's literal, I think you can set the Logic App's access to Sentinel instead of a user's.
There are other, more complex ways using APIs and app registrations. Logic Apps abstract that complexity.
You need to get information to Sentinel; a Logic App is one way. You can send logs from Splunk to Sentinel, and create a rule and Logic App to work internally in Sentinel.
Comment by m4ttb1ss (2021-05-04):
This is what I thought I could do. The issue is, I need to change the status in Splunk and send the change to Sentinel. I don't have (and don't want to have) access to the Sentinel instance, but I get the incidents ingested via the Splunk TA.
Comment (2021-05-04):
I did it by creating a rule in Splunk that detects the incident status change, and then used a webhook action in Splunk to call another Logic App URL (which you need to create) to change the status, add comments, etc.
Also, in my case, this incident status change does not come from Splunk itself, since we use another tool to track the incident.
This tool's logs are in Splunk.
Hope it helps.
Comment by m4ttb1ss (2021-05-04):
Hi, nice write-up.
But I need one more step: how can I respond to Sentinel alerts via Splunk? In particular, I need to change the Sentinel incident status from Splunk. Any idea would be appreciated.
Comment by Joseph-Abraham (2021-03-02):
Actually, when I posted this question the Get Incident action had not been released.
It's possible now, as you say.
Thanks again for your answer. 🙂
Comment (2021-03-02):
Joseph-Abraham, you can create a Logic App that receives the alert ID (GET request) and gets the incident ID using the built-in Sentinel incident connector or a Log Analytics query.
With this you can respond to the user with a 302, redirecting the browser to the incident URL.
Also, there are some alerts that are not in Sentinel yet, and then you can send the user to the other portal.
Comment by SteveMiles70 (2020-06-08):
Thanks for the great info; sharing with my LinkedIn network.
Comment by Joseph-Abraham (2020-03-31):
The last bit, the incident ID in the URL, is not present in the SecurityAlerts table. I needed to do this.