Jan 22 2020 12:18 AM
Jan 26 2020 11:40 AM (Solution)
@Anurag65, @CliveWatson: we do see customers who prefer to reuse their existing collection infrastructure and hence send logs from a current SIEM to Sentinel. Splunk specifically supports forwarding events in CEF using the Splunk CEF app. You can also forward directly from a forwarder using Syslog.
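To see what the CEF forwarding path described in this answer actually produces on the receiving side, here is a small parser that validates a CEF line as it would arrive over syslog (header split on unescaped pipes, escaped extension values, custom-field labels resolved). This is an added example, not code from the thread, from Splunk, or from Sentinel; the sample event, hostnames and addresses are constructed.

```python
import re

# Constructed sample: one CEF event as a syslog forwarder might deliver it.
# The syslog header precedes "CEF:"; the name field carries an escaped pipe
# and the msg value carries an escaped "=".
SAMPLE_LINE = (
    "<134>May  3 22:46:00 splunk-fwd "
    "CEF:0|Splunk|Splunk Enterprise|8.0|100|Failed login\\|auth|5|"
    "src=10.0.0.5 dst=10.0.0.9 suser=alice msg=Password check failed\\=bad "
    "cs1Label=host cs1=web01"
)

_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")  # start of an extension key
_UNESCAPE_RE = re.compile(r"\\([\\=n])")           # \\ \= \n inside a value

def split_header(cef):
    """Split the seven CEF header fields on unescaped pipes; return (fields, extension)."""
    fields, buf, i = [], [], 0
    while i < len(cef) and len(fields) < 7:
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef):      # \| and \\ are literal in the header
            buf.append(cef[i + 1]); i += 2; continue
        if ch == "|":
            fields.append("".join(buf)); buf = []; i += 1; continue
        buf.append(ch); i += 1
    return fields, cef[i:]

def parse_extension(ext):
    """Parse key=value pairs; values may contain spaces, so split on the next key."""
    out, keys = {}, list(_KEY_RE.finditer(ext))
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        raw = ext[m.end():end]
        out[m.group(1)] = _UNESCAPE_RE.sub(lambda e: "\n" if e.group(1) == "n" else e.group(1), raw)
    # Resolve custom-field labels (cs1Label=host, cs1=web01) to a named key.
    for key, label in list(out.items()):
        if key.endswith("Label") and key[:-5] in out:
            out[label] = out[key[:-5]]
    return out

def parse_cef(line):
    """Locate the CEF payload in a syslog line and return a structured event."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF payload in line")
    fields, ext = split_header(line[start:])
    if len(fields) != 7:
        raise ValueError("CEF header must have 7 pipe-separated fields")
    names = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")
    event = dict(zip(names, fields))
    event["version"] = int(event["version"][4:])   # "CEF:0" -> 0
    event["extension"] = parse_extension(ext)
    return event

if __name__ == "__main__":
    print(parse_cef(SAMPLE_LINE))
```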
May 03 2020 10:46 PM
Hi there. I am working my way through the Sentinel Ninja training in preparation for being involved in a Sentinel PoC where the client wants to use their existing Splunk data collection as the source for Sentinel rather than establish new collector agents or even to forward from their existing collector agents.
Can you point me to any detailed explanation of the steps involved at both ends (Splunk & Azure) to get the data transfer established, so as to best showcase the strengths of Sentinel?
Most frequently the discussions are about getting data from Azure INTO Splunk not the other way round.
Is there any way for Sentinel to access the collected raw data direct from Splunk as it seems that the CEF connector will present a filtered view of the events ... or am I missing the point?
Having read through the following:
It would be great to see a worked use case of this Sentinel enrichment implementation.
May 03 2020 11:53 PM
@AutomationMan: I don't have a detailed guide on the topic, though it is a worthwhile topic to add to our list. As to the solution: