SOLVED

How to send incident log data to another SIEM?

Copper Contributor

I need to ingest logs from Microsoft products into Microsoft Sentinel, then forward only incident log data to a 3rd-party SIEM.

How can I create an automation to export only incident log data and send that log to a 3rd-party SIEM?

4 Replies
There are a few ways, often via an automation that runs when the Incident fires - that Playbook will gather the data and then send it to the other SIEM via email/API or whatever method the SIEM prefers. You may also connect to Sentinel and PULL the data from the Sentinel API. As you don't mention the other SIEM, we can't help you with specifics. Here is one example (for Splunk) of side-by-side running: https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/azure-sentinel-side-by-side-with-splu...
Dear Clive_Watson
Sorry, I'm a newbie. Sentinel can export only incident data, right? How?
Thank you
best response confirmed by c_pypaert (Microsoft)
Solution
Sorry, but you will have to do some extra reading. Start with this article, which shows an Automation example which you may be able to use or adapt. https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/sending-enriched-microsoft-sentinel-a...

An Incident / Alert contains just the data needed; that doesn't mean you can't gather and export more or enriched data. The original Query is contained in the SecurityAlert (and it's that data that is normally used), however you can run any query you like in the Automation and export that - see https://docs.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook

Example of the original Query that was used for each Alert to trigger:

SecurityAlert
| extend Query_ = tostring(parse_json(ExtendedProperties).Query)
| project Query_
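The two replies above describe the same pipeline: a Playbook (or a script pulling from the Sentinel API) takes the incident record and sends it on in whatever format the other SIEM accepts. The following is an added example, not code from the thread or from Microsoft, showing the forwarding step in Python: it takes the JSON shape of a Sentinel incident (the `name` / `properties.incidentNumber` / `properties.title` / `properties.severity` / `properties.status` / `properties.createdTimeUtc` fields that the incidents REST API and the Logic App incident trigger both expose), filters to the incidents worth forwarding, and renders each one as a CEF line wrapped in an RFC 5424 syslog frame, which most third-party SIEMs can ingest. The sample incident, the hostname, the URL, and the `cs1`..`cs3` custom-field assignments are constructed for the example; the CEF escaping rules (backslash and pipe in the header, backslash and equals in the extension) are the ones from the CEF specification.

```python
import socket
from typing import Callable, Dict, Iterable, List

# Constructed sample incident. Field names follow the Sentinel incidents API /
# Logic App trigger; every value here is made up for the example.
SAMPLE_INCIDENT: Dict = {
    "name": "00000000-0000-0000-0000-000000000001",
    "properties": {
        "incidentNumber": 1234,
        "title": "Suspicious sign-in | multiple failures",
        "severity": "High",
        "status": "New",
        "createdTimeUtc": "2024-04-03T14:00:00Z",
        "incidentUrl": "https://portal.azure.example/incident/PLACEHOLDER",  # placeholder URL
        "description": "Example description with = sign and \\ backslash",
        "labels": [{"labelName": "credential-access"}],
    },
}

# Sentinel severities mapped onto the 0-10 CEF severity scale (assumed mapping).
SEVERITY_MAP = {"Informational": 1, "Low": 3, "Medium": 5, "High": 8}
SEVERITY_ORDER = ["Informational", "Low", "Medium", "High"]


def cef_escape_header(value) -> str:
    # Header fields: escape backslash first, then the pipe delimiter.
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def cef_escape_ext(value) -> str:
    # Extension values: escape backslash first, then '=', and fold newlines.
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "").replace("\n", "\\n"))


def incident_to_cef(incident: Dict) -> str:
    """Render one Sentinel incident as a CEF:0 line."""
    p = incident["properties"]
    header = "|".join(cef_escape_header(v) for v in (
        "Microsoft", "Sentinel", "1",            # vendor, product, version
        incident["name"],                        # signature id: the incident GUID
        p["title"],
        SEVERITY_MAP.get(p["severity"], 0),
    ))
    # Custom-string slot assignments (cs1..cs3) are this example's own choice.
    ext_fields = [
        ("externalId", p["incidentNumber"]),
        ("rt", p["createdTimeUtc"]),
        ("cs1Label", "status"), ("cs1", p["status"]),
        ("cs2Label", "incidentUrl"), ("cs2", p.get("incidentUrl", "")),
        ("cs3Label", "labels"),
        ("cs3", ",".join(lbl["labelName"] for lbl in p.get("labels", []))),
        ("msg", p.get("description", "")),
    ]
    extension = " ".join(f"{k}={cef_escape_ext(v)}" for k, v in ext_fields)
    return f"CEF:0|{header}|{extension}"


def to_syslog(cef_line: str, hostname: str, timestamp: str) -> str:
    """Wrap a CEF line in an RFC 5424 frame; PRI 166 = local4.info."""
    return f"<166>1 {timestamp} {hostname} Sentinel - - - {cef_line}"


def select_incidents(incidents: Iterable[Dict], min_severity: str = "Medium") -> List[Dict]:
    """Keep only incidents at or above min_severity (the 'only incident data' filter)."""
    threshold = SEVERITY_ORDER.index(min_severity)
    return [i for i in incidents
            if SEVERITY_ORDER.index(i["properties"]["severity"]) >= threshold]


def forward_incidents(incidents: Iterable[Dict], sink: Callable[[str], None],
                      hostname: str = "sentinel-playbook", min_severity: str = "Medium") -> int:
    """Render each selected incident and hand it to sink(); returns the count sent."""
    sent = 0
    for inc in select_incidents(incidents, min_severity):
        line = to_syslog(incident_to_cef(inc), hostname, inc["properties"]["createdTimeUtc"])
        sink(line)
        sent += 1
    return sent


def udp_sink(host: str, port: int = 514) -> Callable[[str], None]:
    """A sink that ships each frame to a syslog/CEF collector over UDP (assumed collector)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    return lambda line: sock.sendto(line.encode("utf-8"), (host, port))


if __name__ == "__main__":
    forward_incidents([SAMPLE_INCIDENT], print)
```

In a real Playbook the `sink` would be the SIEM's HTTP collector or a TLS syslog connection rather than plain UDP; the point of separating rendering from transport is that the escaping and severity filtering can be unit-tested without a network.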
Thank you
I will read and test it. If I have some question I will ask more.