How to send incident log data to another SIEM?


I need to ingest logs from Microsoft products into Microsoft Sentinel, then forward only incident log data to a 3rd-party SIEM.

How can I create an automation to export only incident log data and send those logs to the 3rd-party SIEM?

4 Replies
There are a few ways, often via an automation that runs when an Incident fires - that Playbook will gather the data and then send it to the other SIEM via email/API or whatever method the SIEM prefers. You may also connect to Sentinel and PULL the data from the Sentinel API. As you don't mention the other SIEM we can't help you with specifics. Here is one example (for Splunk) of side-by-side running: https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/azure-sentinel-side-by-side-with-splu...
Dear Clive_Watson
Sorry, I'm a newbie. Sentinel can export only incident data, right? How?
Thank you
Sorry, but you will have to do some extra reading. Start with this article, which shows an Automation example which you may be able to use or adapt: https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/sending-enriched-microsoft-sentinel-a...

An Incident / Alert contains just the data needed; that doesn't mean you can't gather and export more or enriched data. The original Query is contained in the SecurityAlert (and it's that data that is normally used); however, you can run any query you like in the Automation and export that - see https://docs.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook

Example of the original Query that was used to trigger each Alert:

SecurityAlert
// ExtendedProperties is a JSON string; parse it and pull out the analytics rule query that produced the alert
| extend Query_ = tostring(parse_json(ExtendedProperties).Query)
| project Query_
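The "pull from the Sentinel API and forward" route, as an added example that is not code from this thread or from Microsoft: it pages through the documented Microsoft.SecurityInsights incidents REST call, keeps only incidents modified since the last run, and re-emits each one as a CEF line for a syslog-based third-party SIEM. The bearer-token acquisition, the TCP syslog transport, the CEF field mapping and the two sample incidents are all assumptions of this example; replace send_cef() with whatever transport your SIEM prefers.

```python
"""Pull Microsoft Sentinel incidents and forward them as CEF to another SIEM.

Added example, not from the thread. Assumed here (not stated in the post):
a bearer token for https://management.azure.com obtained elsewhere (for
instance from the Azure CLI), and a SIEM that accepts CEF over TCP syslog.
"""
import json
import socket
import urllib.request
from datetime import datetime, timezone

API_VERSION = "2023-02-01"  # GA api-version of the Microsoft.SecurityInsights incidents API


def incidents_url(subscription, resource_group, workspace):
    """List-incidents URL for one workspace (documented ARM path)."""
    return ("https://management.azure.com"
            f"/subscriptions/{subscription}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}"
            f"/providers/Microsoft.SecurityInsights/incidents?api-version={API_VERSION}")


def fetch_incidents(url, token):
    """Follow 'nextLink' paging so a busy workspace is not silently truncated."""
    items = []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            page = json.load(resp)
        items.extend(page.get("value", []))
        url = page.get("nextLink")
    return items


def parse_utc(ts):
    """Sentinel timestamps carry 7 fractional digits; trim to the 6 strptime accepts."""
    base, _, frac = ts.rstrip("Z").partition(".")
    frac = (frac + "000000")[:6]
    return datetime.strptime(f"{base}.{frac}", "%Y-%m-%dT%H:%M:%S.%f").replace(tzinfo=timezone.utc)


def select_since(incidents, since):
    """Incremental export: only incidents modified after the last successful run."""
    return [i for i in incidents if parse_utc(i["properties"]["lastModifiedTimeUtc"]) > since]


# Assumed mapping of Sentinel severities onto the CEF 0-10 scale.
CEF_SEVERITY = {"Informational": 0, "Low": 3, "Medium": 6, "High": 9}


def _hdr(v):
    """CEF header fields escape backslash and pipe."""
    return str(v).replace("\\", "\\\\").replace("|", "\\|")


def _ext(v):
    """CEF extension values escape backslash and '='; newlines would split the event."""
    return str(v).replace("\\", "\\\\").replace("=", "\\=").replace("\r", " ").replace("\n", " ")


def incident_to_cef(inc):
    p = inc["properties"]
    extra = p.get("additionalData") or {}
    ext = {
        "externalId": p["incidentNumber"],
        "rt": int(parse_utc(p["createdTimeUtc"]).timestamp() * 1000),  # receipt time, epoch ms
        "cat": p["status"],
        "cnt": extra.get("alertsCount", 0),
        "suser": (p.get("owner") or {}).get("userPrincipalName") or "",
        "cs1Label": "IncidentUrl", "cs1": p.get("incidentUrl", ""),
        "cs2Label": "Tactics", "cs2": ",".join(extra.get("tactics", [])),
    }
    extension = " ".join(f"{k}={_ext(v)}" for k, v in ext.items())
    return (f"CEF:0|Microsoft|Sentinel|1.0|{_hdr(p['incidentNumber'])}|{_hdr(p['title'])}"
            f"|{CEF_SEVERITY.get(p['severity'], 1)}|{extension}")


def send_cef(lines, host, port):
    """Ship one event per line to a TCP syslog listener (PRI 134 = local0.info)."""
    with socket.create_connection((host, port), timeout=10) as s:
        for line in lines:
            s.sendall(f"<134>{line}\n".encode())


# Constructed sample data, shaped like the 'value' items the incidents API returns.
SAMPLE_INCIDENTS = [
    {"name": "incident-101", "properties": {
        "incidentNumber": 101, "title": "Suspicious sign-in | impossible travel",
        "severity": "High", "status": "New",
        "createdTimeUtc": "2023-05-02T08:15:30.1234567Z",
        "lastModifiedTimeUtc": "2023-05-02T08:15:30.1234567Z",
        "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/101",
        "owner": {"userPrincipalName": "analyst@contoso.example"},
        "additionalData": {"alertsCount": 2, "tactics": ["InitialAccess", "CredentialAccess"]}}},
    {"name": "incident-100", "properties": {
        "incidentNumber": 100, "title": "Old incident", "severity": "Low", "status": "Closed",
        "createdTimeUtc": "2023-04-20T12:00:00Z", "lastModifiedTimeUtc": "2023-04-21T09:00:00Z",
        "incidentUrl": "", "owner": {"userPrincipalName": None},
        "additionalData": {"alertsCount": 1, "tactics": []}}},
]
SAMPLE_SINCE = parse_utc("2023-05-01T00:00:00Z")  # pretend last run watermark


def export_sample(since=SAMPLE_SINCE):
    """What a scheduled run would hand to send_cef() for the sample data."""
    return [incident_to_cef(i) for i in select_since(SAMPLE_INCIDENTS, since)]


if __name__ == "__main__":
    for line in export_sample():
        print(line)
```

In production the watermark passed to select_since() would be persisted between runs, and the Sentinel side of this is pure read access (Microsoft Sentinel Reader is enough for the identity the token belongs to); nothing here needs write rights on the workspace.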
Thank you
I will read and test it. If I have any questions I will ask more.