cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

How to send incident log data to another SIEM?

SonkuB
New Contributor

‎Mar 06 2022 08:30 AM

‎Mar 06 2022 08:30 AM

How to send incident log data to another SIEM?

I need to ingest log from Microsoft product to Microsoft Sentinel. Then forward only incident log data to 3rd party SIEM.

How can I create automate for export only incident log data . and send that log to 3rd party SIEM.

Labels:
1,455 Views
1 Like
4 Replies
Reply
4 Replies
Clive_Watson

‎Mar 07 2022 12:12 AM

‎Mar 07 2022 12:12 AM

Re: How to send incident log data to another SIEM?

There are a few ways, often via an automation that runs when the Incidents fires - that Playbook will gather the data and then send to the other SIEM via email/api or whatever method the SIEM prefers. You may also connect to Sentinel and PULL the data, from the Sentinel api. As you don't mention the other SIEM we cant help you with specifics. Here is one example (for Splunk) of side by side running https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/azure-sentinel-side-by-side-with-splu...
2 Likes
Reply
SonkuB

‎Mar 07 2022 12:31 AM

‎Mar 07 2022 12:31 AM

Re: How to send incident log data to another SIEM?

Dear Clive_Watson
Sorry I'm newbie. Sentinel can export only incident data, Right? How?
Thank you
0 Likes
Reply
best response confirmed by c_pypaert (Microsoft)
Clive_Watson

‎Mar 07 2022 12:48 AM

‎Mar 07 2022 12:48 AM

Solution

Re: How to send incident log data to another SIEM?

Sorry but you will have to do some extra reading. Start with this article, which shows an Automation example which you maybe able to use or adapt. https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/sending-enriched-microsoft-sentinel-a...

An Incident / Alert contains just the data needed, that doesn't mean you can't gather and export more or enriched data, the original Query is contained in the SecurityAlert (and its that data that is normally used used), however you can run any query you like in the Automation and export that - see https://docs.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook

example of the original Query that was used for each Alert to trigger

SecurityAlert
| extend Query_ = tostring(parse_json(ExtendedProperties).Query)
| project Query_
2 Likes
Reply
SonkuB

‎Mar 07 2022 12:53 AM

‎Mar 07 2022 12:53 AM

Re: How to send incident log data to another SIEM?

Thank you
I will read and test it. If I have some question I will ask more.
0 Likes
Reply