SOLVED

Integration of Sentinel with other 3rd party on-prem SIEM solutions (stream alerts to eventhub)


Dear Sentinel community,

I'm wondering if anyone has already explored the possibilities of integrating Sentinel alerts with other SIEM solutions.

An example could be customers who want to leverage Sentinel for their Azure cloud environments but still need their on-premises SIEM solutions to also receive logs from other log sources.

One option could be to stream Sentinel alerts to Azure Event Hub and then use the Event Hub as a log source in the on-prem SIEM. Is this something supported in Sentinel?

regards,

Manuel

11 Replies
Best Response confirmed by Manuel_DEste (Occasional Contributor)
Solution

Hi @Manuel_DEste, great meeting you again!

 

Yes and no.

 

Forwarding alerts to an event hub is supported. You can use one of several ways:

  • Run a Logic App scheduled playbook to read alerts using the Log Analytics connector and then write them to an event hub using the Event Hub connector.
  • Soon you will be able to do it by running a playbook automatically when an alert triggers.
  • Lastly, you can use the Security Graph API. Note that this will send all Azure alerts to your SIEM, not just Sentinel's.

Why no? Because what you really want to send are cases and not alerts; cases are automatically aggregated and reduced alerts. We are working to make sure those can be sent to a SIEM as well.
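As an added example (not code from this thread or from the Sentinel product), here is the glue a scheduled job needs if the first option above is implemented in code instead of a Logic App: flatten the columnar response of the Log Analytics query API, keep only Sentinel's own alerts (the Security Graph route forwards every Azure alert, as the answer notes), dedupe across overlapping scheduled runs, and emit one JSON message per alert for the event hub. The sample response is constructed, and the SecurityAlert column names and the "Azure Sentinel" ProductName value are assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed sample of the columnar response the Log Analytics query REST API returns
# for `SecurityAlert | project TimeGenerated, SystemAlertId, AlertName, AlertSeverity,
# ProductName`. All values below are made up for this example.
SAMPLE_RESPONSE = {
    "tables": [{
        "name": "PrimaryResult",
        "columns": [
            {"name": "TimeGenerated", "type": "datetime"},
            {"name": "SystemAlertId", "type": "string"},
            {"name": "AlertName", "type": "string"},
            {"name": "AlertSeverity", "type": "string"},
            {"name": "ProductName", "type": "string"},
        ],
        "rows": [
            ["2020-03-01T10:00:00.000Z", "id-0001", "Suspicious sign-in", "Medium", "Azure Sentinel"],
            ["2020-03-01T10:05:00.000Z", "id-0002", "Malware detected", "High", "Azure Security Center"],
            ["2020-03-01T10:07:00.000Z", "id-0003", "Rare process", "Low", "Azure Sentinel"],
        ],
    }]
}

def parse_time(value):
    """Log Analytics serialises datetimes as ISO 8601 strings ending in 'Z' (UTC)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def rows_to_records(response):
    """Flatten the columnar payload (one columns list, one rows list per table) into dicts."""
    records = []
    for table in response["tables"]:
        names = [c["name"] for c in table["columns"]]
        records.extend(dict(zip(names, row)) for row in table["rows"])
    return records

def select_new_alerts(records, seen_ids, sentinel_only=True):
    """Drop alerts an earlier run already forwarded (runs should overlap in time to absorb
    ingestion latency, so dedupe on SystemAlertId, not on time alone) and, optionally, alerts
    from products other than Sentinel. Also returns the latest TimeGenerated seen, which
    bounds the next run's query window."""
    fresh, latest = [], None
    for rec in records:
        ts = parse_time(rec["TimeGenerated"])
        latest = ts if latest is None or ts > latest else latest
        if rec["SystemAlertId"] in seen_ids:
            continue
        if sentinel_only and rec["ProductName"] != "Azure Sentinel":  # assumed product name
            continue
        seen_ids.add(rec["SystemAlertId"])
        fresh.append(rec)
    return fresh, latest

def to_event_hub_messages(alerts):
    """One JSON document per alert: the body handed to the Event Hub connector or SDK."""
    return [json.dumps({"source": "AzureSentinel", "alert": a}, sort_keys=True) for a in alerts]
```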


Hi @Ofer_Shezaf, great meeting you again too!

Thank you for your reply, I'll try the Security Graph API for now, I didn't know about this feature!

@Manuel_DEste / @Ofer_Shezaf , is there any update on the ability to integrate outputs from Sentinel with other SIEMs?

 

Thanks.


@isfleming : no update here. That is apart from the fact that automated triggering of playbooks was released, of course. What do you find lacking in the solutions above?

 

~ Ofer


@isfleming Streaming Security Graph events (including Sentinel incidents) to Event Hub works. I believe that pulling events from Event Hub into your SIEM is supported by most SIEM vendors.

 

I hope anyway that something like "continuous export" for Azure Security Center will be an option for Sentinel as well, for easier integration and troubleshooting: https://docs.microsoft.com/en-us/azure/security-center/continuous-export

@Ofer_Shezaf thanks for the quick reply. I have not started working with this integration as yet. I am trying to determine what the requirements are for the data and what options there are to obtain it. Hopefully there will be nothing lacking. :)


@Ofer_Shezaf hey, I have one question: I am new to Azure Sentinel, and I want to know what the difference is between using the MMA agent and using syslog when adding a 3rd party resource.

thank you


@BMaro Syslog is used for remote collection for systems that support it (which is most networking and security systems). The MMA (or Log Analytics Agent), is our software for collecting both Syslog as well as local telemetry on the system the MMA is installed on.


@Manuel_DEste 

 

For sending logs to other SIEMs, Sentinel might not be the best tool, as most of the SIEMs have their own ways (though in many cases not very robust) of bringing logging data from the cloud. There is also a bandwidth cost to take data out of the cloud, which might be negligible for small logs, but it all adds up.

 

However, for a subset of alerts, filtered as part of a use case (basically the output of an alert), one can get really creative. You can use the available APIs (like the Log Analytics REST API) to bring any kind of data from Sentinel and then send it through a logging tool like Logstash to a wide variety of destinations, including syslog, ELK, etc. I've also seen alerts being sent to other SIEMs through a specially crafted SMTP email (there is a native Logic App connector for it).