cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Splunk logs on Azure Sentinel

%3CLINGO-SUB%20id%3D%22lingo-sub-1121770%22%20slang%3D%22en-US%22%3ESplunk%20logs%20on%20Azure%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1121770%22%20slang%3D%22en-US%22%3E%3CP%3ETeam%20please%20confirm%20whether%20Splunk%20logs%20can%20be%20send%20on%20Azure%20Sentinel%20if%20yes%20how%20and%20where%20we%20can%20see%20the%20logs.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1121998%22%20slang%3D%22en-US%22%3ERe%3A%20Splunk%20logs%20on%20Azure%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1121998%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F526525%22%20target%3D%22_blank%22%3E%40Anurag65%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EMost%20customers%2C%20send%20the%20data%20(in%20my%20experience)%20from%20the%20source%20to%20one%20or%20both%20SIEM%20tools%2C%20rather%20than%20SIEM%20to%20SIEM%20-%20for%20which%20both%20have%20APIs%20you%20can%20use.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1130648%22%20slang%3D%22en-US%22%3ERe%3A%20Splunk%20logs%20on%20Azure%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1130648%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F526525%22%20target%3D%22_blank%22%3E%40Anurag65%3C%2FA%3E%26nbsp%3B%2C%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F239477%22%20target%3D%22_blank%22%3E%40Clive%20Watson%3C%2FA%3E%26nbsp%3B%3A%20we%20do%20see%20customers%20who%20prefer%20to%20reuse%20their%20existing%20collection%20infrastructure%20and%20hence%20send%20logs%20from%20a%20current%20SIEM%20to%20Sentinel.%20Splunk%20specifically%20supports%20forwarding%20events%20in%20CEF%20using%20the%20%3CA%20href%3D%22https%3A%2F%2Fsplunkbase.splunk.com%2Fapp%2F1847%2F%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3ESplunk%20CEF%20app%3C%2FA%3E.%20You%20can%20also%20%3CA%20href%3D%22https%3A%2F%2Fdocs.splunk.com%2FDocumentation%2FSplunk%2F6.0%2FForwarding%2FForwarddatatothird-partysystemsd%23Syslog_dat%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Eforward%20directly%20from%20a%20forwarder%3C%2FA%3E%20using%20Syslog.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1161239%22%20slang%3D%22en-US%22%3ERe%3A%20Splunk%20logs%20on%20Azure%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1161239%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F293879%22%20target%3D%22_blank%22%3E%40Ofer_Shezaf%3C%2FA%3E%26nbsp%3BI'm%20more%20interested%20in%20seeing%20it%20go%20the%20other%20way%2C%20how%20can%20I%20send%20the%20Sentinel%20Alerts%20to%20Splunk%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1162588%22%20slang%3D%22en-US%22%3ERe%3A%20Splunk%20logs%20on%20Azure%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1162588%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F129396%22%20target%3D%22_blank%22%3E%40David%20Caddick%3C%2FA%3E%3A%20Either%20use%20the%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fgraph%2Fapi%2Fresources%2Fsecurity-api-overview%3Fview%3Dgraph-rest-1.0%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3EGraph%20Security%20API%3C%2FA%3E%20or%20A%20logic%20App%20playbook.%20The%20former%20is%20more%20straight%20forward%2C%20but%20the%20letter%20allows%20more%20control.%20For%20example%20you%20will%20be%20able%20to%20get%20the%20back%20events%20with%20the%20alert.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1356915%22%20slang%3D%22en-US%22%3ERe%3A%20Splunk%20logs%20on%20Azure%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1356915%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F293879%22%20target%3D%22_blank%22%3E%40Ofer_Shezaf%3C%2FA%3E%26nbsp%3B%3CBR%20%2F%3EHi%20there.%20I%20am%20working%20my%20way%20thru%20the%20Sentinel%20Ninja%20training%20in%20preparation%20for%20being%20involved%20in%20a%20Sentinel%20PoC%20where%20the%20client%20wants%20to%20use%20their%20existing%20SPLUNK%20data%20collection%20as%20the%20source%20for%20Sentinel%20rather%20than%20establish%20new%20collector%20agents%20or%20even%20to%20forward%20from%20their%20existing%20collector%20agents.%3C%2FP%3E%3CP%3ECan%20you%20point%20me%20to%20any%20detailed%20explanation%20of%20the%20steps%20involved%20at%20both%20ends%20(Splunk%20%26amp%3B%20Azure)%20to%20get%20the%20data%20transfer%20established%2C%20so%20as%20to%20best%20showcase%20the%20strengths%20of%20Sentinel%3F%26nbsp%3B%3C%2FP%3E%3CP%3EMost%20frequently%20the%20discussions%20are%20about%20getting%20data%20from%20Azure%20INTO%20Splunk%20not%20the%20other%20way%20round.%3C%2FP%3E%3CP%3EIs%20there%20any%20way%20for%20Sentinel%20to%20access%20the%20collected%20raw%20data%20direct%20from%20Splunk%20as%20it%20seems%20that%20the%20CEF%20connector%20will%20present%20a%20filtered%20view%20of%20the%20events%20...%20or%20am%20I%20missing%20the%20point%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHaving%20read%20thru%20the%20following%3A%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fbs-latn-ba%2Fazure%2Fsentinel%2Fconnect-common-event-format%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fbs-latn-ba%2Fazure%2Fsentinel%2Fconnect-common-event-format%3C%2FA%3E%3C%2FP%3E%3CP%3Eand%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.splunk.com%2FDocumentation%2FCEFapp%2F2.3.0%2FDeployCEFapp%2FAboutSplunkAppforCEF%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.splunk.com%2FDocumentation%2FCEFapp%2F2.3.0%2FDeployCEFapp%2FAboutSplunkAppforCEF%3C%2FA%3E%3C%2FP%3E%3CP%3EIt%20would%20be%20great%20to%20see%20a%20worked%20use%20case%20of%20this%20Sentinel%20enrichment%20implementation.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1356988%22%20slang%3D%22en-US%22%3ERe%3A%20Splunk%20logs%20on%20Azure%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1356988%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F646246%22%20target%3D%22_blank%22%3E%40AutomationMan%3C%2FA%3E%26nbsp%3B%3A%20I%20don't%20have%20a%20detailed%20guide%20on%20the%20topic%2C%20though%20it%20is%20a%20worthwhile%20topic%20to%20add%20to%20our%20list.%20As%20to%20the%20solution%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EUsing%20CEF%20does%20imply%20normalied%20data%2C%20but%20therefore%20modified.%20This%20has%20both%20advantages%20and%20disadvantages.%3C%2FLI%3E%0A%3CLI%3EThe%20alternative%20would%20be%20to%20stream%20Syslog%20from%20the%20forwardersd%20(%3CA%20href%3D%22https%3A%2F%2Fdocs.splunk.com%2FDocumentation%2FSplunk%2F8.0.3%2FForwarding%2FForwarddatatothird-partysystemsd%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehere%3C%2FA%3E).%3C%2FLI%3E%0A%3CLI%3EI%20am%20not%20aware%20of%20a%20method%20to%20stream%20from%20the%20indexsers%20sans%20writing%20a%20script%20that%20uses%20the%20Splunk%20API.%26nbsp%3B%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E~%20Ofer%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1365919%22%20slang%3D%22en-US%22%3ERe%3A%20Splunk%20logs%20on%20Azure%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1365919%22%20slang%3D%22en-US%22%3EThanks%20for%20the%20prompt%20and%20helpful%20reply%20Ofer%20%3A)%3C%2Fimg%3E%3CBR%20%2F%3E-%20Col.%20S%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1454483%22%20slang%3D%22fr-FR%22%3ERe%3A%20Splunk%20logs%20on%20Azure%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1454483%22%20slang%3D%22fr-FR%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F646246%22%20target%3D%22_blank%22%3E%40AutomationMan%3C%2FA%3E%20i%20just%20finalized%20an%20integration%20to%20be%20able%20to%20export%20any%20data%20from%20splunk%20index%20to%20sentinel.%20I%20will%20share%20it%20as%20soon%20as%20possible.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Anurag65
New Contributor

‎Jan 22 2020 12:18 AM

‎Jan 22 2020 12:18 AM

Splunk logs on Azure Sentinel

Team please confirm whether Splunk logs can be send on Azure Sentinel if yes how and where we can see the logs.

2,305 Views
0 Likes
8 Replies
Reply
8 Replies
Clive Watson

‎Jan 22 2020 02:27 AM

‎Jan 22 2020 02:27 AM

Re: Splunk logs on Azure Sentinel

@Anurag65 

 

Most customers, send the data (in my experience) from the source to one or both SIEM tools, rather than SIEM to SIEM - for which both have APIs you can use.

0 Likes
Reply
best response confirmed by Anurag65 (New Contributor)
Ofer_Shezaf

‎Jan 26 2020 11:40 AM

‎Jan 26 2020 11:40 AM

Solution

Re: Splunk logs on Azure Sentinel

@Anurag65 , @Clive Watson : we do see customers who prefer to reuse their existing collection infrastructure and hence send logs from a current SIEM to Sentinel. Splunk specifically supports forwarding events in CEF using the Splunk CEF app. You can also forward directly from a forwarder using Syslog.

0 Likes
Reply
David Caddick

‎Feb 07 2020 10:15 PM

‎Feb 07 2020 10:15 PM

Re: Splunk logs on Azure Sentinel

@Ofer_Shezaf I'm more interested in seeing it go the other way, how can I send the Sentinel Alerts to Splunk?

0 Likes
Reply
Ofer_Shezaf

‎Feb 09 2020 12:22 AM

‎Feb 09 2020 12:22 AM

Re: Splunk logs on Azure Sentinel

@David Caddick: Either use the Graph Security API or A logic App playbook. The former is more straight forward, but the letter allows more control. For example you will be able to get the back events with the alert.

1 Like
Reply
AutomationMan

‎May 03 2020 10:46 PM

‎May 03 2020 10:46 PM

Re: Splunk logs on Azure Sentinel

@Ofer_Shezaf 
Hi there. I am working my way thru the Sentinel Ninja training in preparation for being involved in a Sentinel PoC where the client wants to use their existing SPLUNK data collection as the source for Sentinel rather than establish new collector agents or even to forward from their existing collector agents.

Can you point me to any detailed explanation of the steps involved at both ends (Splunk & Azure) to get the data transfer established, so as to best showcase the strengths of Sentinel? 

Most frequently the discussions are about getting data from Azure INTO Splunk not the other way round.

Is there any way for Sentinel to access the collected raw data direct from Splunk as it seems that the CEF connector will present a filtered view of the events ... or am I missing the point?

 

Having read thru the following: 

https://docs.microsoft.com/bs-latn-ba/azure/sentinel/connect-common-event-format

and

https://docs.splunk.com/Documentation/CEFapp/2.3.0/DeployCEFapp/AboutSplunkAppforCEF

It would be great to see a worked use case of this Sentinel enrichment implementation.

0 Likes
Reply
Ofer_Shezaf

‎May 03 2020 11:53 PM

‎May 03 2020 11:53 PM

Re: Splunk logs on Azure Sentinel

@AutomationMan : I don't have a detailed guide on the topic, though it is a worthwhile topic to add to our list. As to the solution:

  • Using CEF does imply normalied data, but therefore modified. This has both advantages and disadvantages.
  • The alternative would be to stream Syslog from the forwardersd (here).
  • I am not aware of a method to stream from the indexsers sans writing a script that uses the Splunk API. 

~ Ofer

1 Like
Reply
AutomationMan

‎May 06 2020 07:48 PM

‎May 06 2020 07:48 PM

Re: Splunk logs on Azure Sentinel

Thanks for the prompt and helpful reply Ofer :)
- Col. S
0 Likes
Reply
yokhaldi

‎Jun 10 2020 10:59 AM

‎Jun 10 2020 10:59 AM

Re: Splunk logs on Azure Sentinel

@AutomationMan i just finalised an integration to be able to export any data from splunk index to sentinel. I will share it as soon possible. 

2 Likes
Reply