Need Some Information on Azure Sentinel

CliveWatson dipenms 

To add to Clive's answers:

• Additional non-Syslog sources:
  • Pull collection, for example for files, database tables and REST APIs is available using Logic Apps - you schedule recurring automation that reads the source, and writes to the sentinel workspace. You can use the following resources:
    • Create and run recurring tasks and workflows with Azure Logic Apps
    • Logic Apps connector for writing data to Log Analytics
    • Custom API client connector for reading data
    • Read SQ Server data
    • Read a file
  • We support any Azure PaaS service that logs by pointing its diagnostics or activity log to the Sentinal workspace.
  • More and more vendors offer direct streaming to Azure Sentinel, those include Symantec, Barracuda, and F5.
• CEF from SIEMs: As Clive mentions, we can collect from any CEF source. Some specific instructions on sending CEF from SIEM tools:
  • Splunk - use the Splunk App for CEF.
  • ArcSight - use the ArcSight forwarding connector and select CEF Syslog as the destination.
• Multitenancy: Sentinel is inherently multi-tenant as the workspace for each tenant (i.e., an MSSP customer or a sub-organization) leaves in a different Azure Tenant or a separate Sentinel workspace. We are working on central management for those tenants.
•  Microsoft sources:
  • Azure Security Center: supported
  • Windows Defender ATP and Office ATP: the connectors are in the works.
  • Event hub: use Logic Apps as described above for pull sources. See specific documentation here.
• Response automation: see the Logic Apps connectors list. Note that you can easily create custom API connectors or get more flexibility using Azure functions connectors.

CliveWatson Any ETA on the ability to assign a playbook to an alert trigger? If unknown, are there any other ways to run a playbook when the alerts are triggered?

Thanks,

Adrian Grigorof