Microsoft

Special thanks to @Ofer_Shezaf and @Alp Babayigit, who collaborated with me on this blog post.

 

In this blog post we introduce a solution which uses Logic Apps to automatically attach evidence to Azure Sentinel alerts and send them to an Event Hub that can be consumed by 3rd party SIEMs and ticketing systems.

 

Using Sentinel alongside a 3rd party SIEM and ticketing systems

 

From our customer engagements we learned that customers sometimes prefer to maintain their existing SIEM alongside Azure Sentinel.

 

Among the reasons for doing so are:

  • Using Azure Sentinel as a cloud SIEM alongside the existing SIEM to monitor on-prem workloads.
  • Using both during the transition period.

 

In addition, customers often use a ticketing system, such as Service Now or JIRA to manage incidents at the SOC and need to forward alert information to those systems.

 

Traditionally, customers forwarded alerts from Azure Sentinel to their existing SIEM or ticketing systems using the Graph Security API. You can do so for Splunk (https://techcommunity.microsoft.com/t5/azure-sentinel/azure-sentinel-side-by-side-with-splunk/ba-p/1211266), QRadar (https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/com.ibm.dsm.doc/c_logsource_Microsoft_Graph_Security_protocol.html), Service Now or any other SIEM or ticketing system that supports Event Hub ingestion.

 

Azure Sentinel supporting evidence

 

However, in a side-by-side deployment, alerts from one platform need to be sent to the other to give the analyst a single pane of glass. To ensure efficient triaging on the primary pane of glass, the alerts have to include enough supporting information. When the 3rd party SIEM or ticketing system is used as the primary pane of glass, this translates to sending both Azure Sentinel alerts and their supporting events to that system.

 

[Image: 1.png]

 

When you press “Events”, you are redirected to the “Logs” screen to view the supporting events relevant to the alert. Those can be, but are not necessarily, raw events collected by Azure Sentinel. Instead, the alert rule determines what to present as supporting events. Learn more about how a rule controls the supporting evidence in the Azure Sentinel KQL lab (YouTube: https://youtu.be/EDCBLULjtCM, deck: https://1drv.ms/b/s!AnEPjr8tHcNmglv8tSAPPa70Ze67) and the Azure Sentinel rule writing webinar (YouTube: https://youtu.be/pJjljBT4ipQ, deck: https://1drv.ms/b/s!AnEPjr8tHcNmgkEiFEPLfjAdSAO5).

 

As an example, the following alert rule taken from the KQL Lab uses the summarize and extend keywords to produce just the data relevant to the detected anomalies:

 

[Image: 2.png]

Forwarding alerts with supporting events to an Event Hub

 

In this article, we demonstrate how to use Azure Sentinel's SOAR capability and leverage a Logic App playbook to send alerts with their associated supporting events to a 3rd party SIEM.

 

[Image: 3.png]

 

The playbook, available at https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Get-SentinelAlertsEvidence, works as follows:

  • The playbook triggers when an alert is created (1); this can happen automatically for each alert as it fires, or on demand by an analyst.
  • Parse JSON actions are used throughout the playbook to transform the received JSON objects into the format expected by subsequent steps.
  • Query the workspace for the supporting events (2). Note that the query that fetches the supporting events is included as part of the alert's extended properties.
  • Send the enriched alert to an Event Hub (3).
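
The enrichment step described in the bullets above, as an added Python example that is not the playbook's own code (the real playbook is a Logic App; this is a stand-alone sketch of the same logic): it pulls the rule query out of the alert's extended properties, runs it through an injected `run_query` callable (a constructed stub here, where the playbook uses the "Run query and list results" action), attaches the rows as `SupportingEvents`, and trims the payload to the Event Hub per-event size limit before serialising it. The field names `ExtendedProperties`, `Query` and `Entities`, the sample alert and the sample rows are assumptions modelled on the SecurityAlert schema; verify them against your own trigger output.

```python
"""Added example: build the enriched Event Hub payload for one Sentinel alert.
Not the Get-SentinelAlertsEvidence playbook's code; a stand-alone sketch."""
import json
from typing import Any, Callable, Dict, List, Union

JsonLike = Union[str, Dict[str, Any], List[Any], None]

# Constructed sample alert. Field names follow the SecurityAlert schema as an
# assumption (ExtendedProperties carries the rule "Query" that reproduces the
# supporting events); check them against your own trigger output.
SAMPLE_ALERT: Dict[str, Any] = {
    "AlertDisplayName": "AD user created password not set within 24-48 hours",
    "Description": "Identifies whenever a new account is created with a ...",
    "Severity": "Medium",
    # Serialised as strings on purpose: the SecurityAlert table stores these
    # two members as JSON text, while the Logic Apps trigger hands them over
    # already parsed. The code below accepts both forms.
    "ExtendedProperties": json.dumps({
        "Query": "SecurityEvent | where EventID == 4722 | project TimeGenerated, Computer, TargetUserName, SubjectUserName",
        "Query Start Time UTC": "2020-06-02T16:00:00Z",
        "Query End Time UTC": "2020-06-02T18:00:00Z",
    }),
    "Entities": json.dumps([
        {"$id": "3", "DnsDomain": "Contoso.Azure", "HostName": "ContosoDc", "Type": "host"},
        {"$id": "4", "Name": "MSOL_d9f03d5ca7ff", "Type": "account"},
    ]),
}

# Constructed rows standing in for the workspace's answer to the query; the
# playbook gets these from the "Run query and list results" action.
SAMPLE_ROWS: List[Dict[str, Any]] = [
    {"TimeGenerated": "2020-06-02T17:03:16.44Z", "EventID": 4722,
     "Computer": "ContosoDc.Contoso.Azure", "TargetUserName": "XXX", "SubjectUserName": "ContosoAdmin"},
    {"TimeGenerated": "2020-06-02T16:29:56.963Z", "EventID": 4722,
     "Computer": "ContosoDc.Contoso.Azure", "TargetUserName": "XXX", "SubjectUserName": "ContosoAdmin"},
]


def as_object(value: JsonLike) -> Any:
    """Return the parsed form of a member that may be JSON text or already parsed."""
    return json.loads(value) if isinstance(value, str) else value


def supporting_events_query(alert: Dict[str, Any]) -> str:
    """The KQL that reproduces the alert's supporting events, from ExtendedProperties."""
    props = as_object(alert.get("ExtendedProperties")) or {}
    query = props.get("Query")
    if not query:
        raise ValueError("alert has no Query in ExtendedProperties; nothing to enrich with")
    return query


def encode(payload: Dict[str, Any]) -> bytes:
    """Compact UTF-8 JSON, which is the form that goes to the hub."""
    return json.dumps(payload, separators=(",", ":")).encode("utf-8")


def build_enriched_alert(alert: Dict[str, Any],
                         run_query: Callable[[str], List[Dict[str, Any]]],
                         max_bytes: int = 256 * 1024) -> Dict[str, Any]:
    """Attach the query results to the alert and keep the event under max_bytes.

    Event Hubs rejects a single event above the tier limit (256 KB on Basic,
    1 MB on Standard), so trailing rows are dropped, and the drop recorded,
    rather than losing the whole alert.
    """
    query = supporting_events_query(alert)
    rows = list(run_query(query))  # copy, so popping never mutates the caller's rows
    enriched = {
        "Alert": alert.get("AlertDisplayName"),
        "AlertsDescription": alert.get("Description"),
        "Severity": alert.get("Severity"),
        "AlertEntities": as_object(alert.get("Entities")) or [],
        "SupportingEventsQuery": query,
        "SupportingEvents": rows,
        "SupportingEventsTotal": len(rows),
        "SupportingEventsTruncated": False,
    }
    while enriched["SupportingEvents"] and len(encode(enriched)) > max_bytes:
        enriched["SupportingEvents"].pop()
        enriched["SupportingEventsTruncated"] = True
    return enriched


if __name__ == "__main__":
    payload = build_enriched_alert(SAMPLE_ALERT, lambda q: SAMPLE_ROWS)
    print(encode(payload).decode("utf-8"))
```

Keeping `SupportingEventsQuery` and `SupportingEventsTotal` in the payload lets the receiving SIEM tell a complete evidence set from a truncated one and re-run the query itself when it needs the rest.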

 

The JSON that is sent to the Event Hub looks as below. The “SupportingEvents” attribute is added by the playbook (note the quotes around the entity and event arrays: they are passed as serialised JSON strings).

{
    "Alert": "AD user created password not set within 24-48 hours",
    "AlertsDescription": "Identifies whenever a new account is created with a …",
    … additional alert fields
    "AlertEntites": "[{
        "$id": "3",
        "DnsDomain": "Contoso.Azure",
        "HostName": "ContosoDc",
        "Type": "host"
    }, {
        "$id": "4",
        "Name": "MSOL_d9f03d5ca7ff",
        "Type": "account"
    }]",
    "Events": "[{
        "StartTimeUtc": "2020-06-02T17:03:16.44Z",
        "EventID": 4722,
        "Computer": "ContosoDc.Contoso.Azure",
        "TargetUserName": "XXX",
        "TargetDomainName": "CONTOSO",
        "SubjectUserName": "ContosoAdmin",
        "timestamp": "2020-06-02T17:03:16.44Z",
        "AccountCustomEntity": "XXX",
        "HostCustomEntity": "ContosoDc.Contoso.Azure"
    }, {
        "StartTimeUtc": "2020-06-02T16:29:56.963Z",
        "EventID": 4722,
        "Computer": "ContosoDc.Contoso.Azure",
        "TargetUserName": "XXX",
        "TargetDomainName": "CONTOSO",
        "SubjectUserName": "ContosoAdmin",
        "timestamp": "2020-06-02T16:29:56.963Z",
        "AccountCustomEntity": "XXX",
        "HostCustomEntity": "ContosoDc.Contoso.Azure"
    }]"
}
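
Consumer-side parsing of the payload above, as an added Python example that is not part of the post or the playbook: the `AlertEntites` and `Events` members arrive as JSON arrays serialised into strings, so a SIEM-side parser has to decode twice; a re-run query can repeat rows, so the example de-duplicates; and `StartTimeUtc` is normalised to a UTC datetime so records sort correctly. It emits one flat record per supporting event, carrying the alert's host and account entities. The sample message is constructed to match the post's payload, and accepting either a string or a native array for those members is a defensive choice, not something the playbook guarantees.

```python
"""Added example: SIEM-side parser for the enriched alert read from the Event Hub.
Not part of the post or the playbook."""
import json
from datetime import datetime, timezone
from typing import Any, Dict, List

# Constructed message shaped like the post's sample. json.dumps on the inner
# lists reproduces the double encoding: the arrays travel as JSON text inside
# the outer JSON document.
SAMPLE_MESSAGE: bytes = json.dumps({
    "Alert": "AD user created password not set within 24-48 hours",
    "AlertsDescription": "Identifies whenever a new account is created with a ...",
    "AlertEntites": json.dumps([
        {"$id": "3", "DnsDomain": "Contoso.Azure", "HostName": "ContosoDc", "Type": "host"},
        {"$id": "4", "Name": "MSOL_d9f03d5ca7ff", "Type": "account"},
    ]),
    "Events": json.dumps([
        {"StartTimeUtc": "2020-06-02T17:03:16.44Z", "EventID": 4722, "Computer": "ContosoDc.Contoso.Azure",
         "TargetUserName": "XXX", "TargetDomainName": "CONTOSO", "SubjectUserName": "ContosoAdmin"},
        {"StartTimeUtc": "2020-06-02T16:29:56.963Z", "EventID": 4722, "Computer": "ContosoDc.Contoso.Azure",
         "TargetUserName": "XXX", "TargetDomainName": "CONTOSO", "SubjectUserName": "ContosoAdmin"},
        # The same row again: a re-run query or an overlapping window repeats rows.
        {"StartTimeUtc": "2020-06-02T16:29:56.963Z", "EventID": 4722, "Computer": "ContosoDc.Contoso.Azure",
         "TargetUserName": "XXX", "TargetDomainName": "CONTOSO", "SubjectUserName": "ContosoAdmin"},
    ]),
}).encode("utf-8")


def unwrap(value: Any, default: Any) -> Any:
    """Accept a member as JSON text (the playbook's form) or as a native list/dict."""
    if isinstance(value, (list, dict)):
        return value
    if isinstance(value, str) and value.strip():
        return json.loads(value)
    return default


def parse_utc(ts: str) -> datetime:
    """Parse Sentinel's 'YYYY-MM-DDTHH:MM:SS[.fff]Z' without relying on
    fromisoformat's fraction-length rules (pre-3.11 Python rejects '16.44')."""
    ts = ts.strip()
    if ts.endswith("Z"):
        ts = ts[:-1]
    main, _, frac = ts.partition(".")
    base = datetime.strptime(main, "%Y-%m-%dT%H:%M:%S")
    micros = int((frac + "000000")[:6]) if frac else 0
    return base.replace(microsecond=micros, tzinfo=timezone.utc)


def flatten_alert(raw: bytes) -> List[Dict[str, Any]]:
    """One flat, de-duplicated, time-ordered record per supporting event."""
    msg = json.loads(raw.decode("utf-8"))
    entities = unwrap(msg.get("AlertEntites", msg.get("AlertEntities")), [])
    events = unwrap(msg.get("Events", msg.get("SupportingEvents")), [])
    hosts = sorted({e["HostName"] for e in entities if e.get("Type") == "host" and e.get("HostName")})
    accounts = sorted({e["Name"] for e in entities if e.get("Type") == "account" and e.get("Name")})
    records: List[Dict[str, Any]] = []
    seen = set()
    for ev in events:
        key = (ev.get("StartTimeUtc"), ev.get("EventID"), ev.get("Computer"), ev.get("TargetUserName"))
        if key in seen:
            continue
        seen.add(key)
        records.append({
            "alert": msg.get("Alert"),
            "alert_hosts": hosts,
            "alert_accounts": accounts,
            "event_time": parse_utc(ev["StartTimeUtc"]),
            "event_id": ev.get("EventID"),
            "computer": ev.get("Computer"),
            "target_user": ev.get("TargetUserName"),
            "subject_user": ev.get("SubjectUserName"),
        })
    records.sort(key=lambda r: r["event_time"])
    return records


if __name__ == "__main__":
    for rec in flatten_alert(SAMPLE_MESSAGE):
        print(rec["event_time"].isoformat(), rec["event_id"], rec["computer"], rec["target_user"])
```

Flattening to one record per event is what lets a SIEM correlate the evidence with its own log sources on `computer` and `target_user`, instead of indexing the alert as one opaque blob.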

Deploying the solution

  • Create an Event Hub using the article “Create an event hub using Azure portal” or use an existing Event Hub.
  • Go to the Playbook GitHub page.
  • Press the “deploy to Azure” button.
  • Once the playbook is deployed, modify the “Run query and list results” action (2) and point it to your Azure Sentinel workspace.
  • Next, configure the “send event” action (3) to use your Event Hub.

 

Connect to your 3rd party SIEM or ticketing system

 

Most, if not all, SIEMs can consume the alerts from an Event Hub; consult your SIEM vendor's documentation for the specific steps, for example for Splunk, QRadar, ArcSight or McAfee.

 

Alternatively, if your SIEM or ticketing system exposes an API, you may be able to connect directly from the Logic App playbook using the Logic App HTTP connector or, where available, a dedicated connector such as those for Service Now or Jira.

 

Summary

 

We just walked through how enrichment can be done at the Azure Sentinel level by leveraging cloud-native capabilities in Azure before forwarding to a 3rd party SIEM or ticketing system. Stay tuned for more use cases in our Blog channel!

 

Thanks

9 Comments
Frequent Contributor

@Yaniv Shasha@Ofer_Shezaf  @Alp Babayigit 

 

That is a lot of parsing going on there! :lol: I have the same struggle when pushing data from Log Analytics to Logic Apps since the data is wrapped in tables and rows. What is the best way to handle this? Any tips?

Occasional Visitor

@JanBakker330 , 

The Sentinel trigger brings the alert rule related data and running it on Log analytics using query extended options gets the events.

So do you mean pushing data from Log analytics to Event grid instead?

It's always an array from Log Analytics output with proper JSON objects, which should be easy to deal with.

Can you kindly elaborate on your issue?

Frequent Contributor

@MaheshMarthi I'm talking about this scenario: https://gregramsey.net/2020/04/13/processing-an-azure-alert-with-a-logic-app/

 

In this blog, the JSON is parsed with PowerShell using an Azure function, but that seems a bit of a detour. As the writer of the blog mentions, he has no better option for it yet. The data is indeed in JSON format, but the values that matter to me are all stuffed in one single row. See this example.

 

That is not easy to parse.

Like to hear your ideas! Thanks

Occasional Visitor

@JanBakker330 ,

I have done some work on this.

Below is the logic app overview:

[Image: MaheshMarthi_0-1592903974155.png]

Input is taken as a string; it is the whole JSON from here (as you mentioned).

Then I parsed it.

Inside foreach loop I used json(items('For_each_entry_in_input')?['Properties']) . You can use this parsed json to perform required actions.

Or it can be added to an array variable, like I did, to get all the JSON in an array.

 

 

Occasional Visitor

Hi @Yaniv Shasha , @MaheshMarthi 

 

I have a ticketing system to which I need to push alerts from Azure Sentinel. The ticketing system is set up to use Azure webhook alerts.

How would I change your above logic app to address my situation?

 

Frequent Contributor

@MaheshMarthi do you mind sharing the details on the logic app steps with us? Thanks!

Occasional Visitor

@HetashParmar . 

You have option to use Incident APIs available here.

https://github.com/Azure/azure-rest-api-specs/tree/master/specification/securityinsights/resource-ma...

 

You can poll incidents using these APIs and get relevant info and push to your ITSM

Occasional Visitor

@JanBakker330 Please find the Arm template here : https://github.com/maheshmarthi/PublicSamples

Occasional Visitor

@HetashParmar You can use the Incident APIs available here

https://github.com/Azure/azure-rest-api-specs/tree/master/specification/securityinsights/resource-ma... to poll incidents and push data to your ITSM