Forum Discussion

Copper Contributor

Aug 18, 2020

Solved

Writing rules for legacy server feeds

Hi, I'm new to Sentinel with my only real experience being the MS Sentinel Ninja training. I have a list of events from an existing SIEM that I need to replicate in Sentinel using data coming from...

Thijs Lecomte
Aug 24, 2020
Hi

For the schedules, I would do it another way
You could write a script which runs a query for you and then shoots an email.
That is probably the preferred way as you are looking for reporting, not alerting.

For emails, it's true Logic Apps is the only way. For something simple as email, I agree that it's a bit of a hassle to go through

Uploading TI's is also possible through API, which might be easier for a few quick tests

Thijs Lecomte

Bronze Contributor

Aug 24, 2020

Hi

For the schedules, I would do it another way
You could write a script which runs a query for you and then shoots an email.
That is probably the preferred way as you are looking for reporting, not alerting.

For emails, it's true Logic Apps is the only way. For something simple as email, I agree that it's a bit of a hassle to go through

Uploading TI's is also possible through API, which might be easier for a few quick tests

AutomationMan

Copper Contributor

Aug 25, 2020

Thijs Lecomte

Thank you for your input.
As I get more of an understanding of how the ecosystem fits together I am understanding more of what tables I need to query and what entities within those tables are/are-not populated from their sources.

We were asked to replicate what one SIEM (splunk) was being used for, in another SIEM (Sentinel) but now understanding that Logic Apps is actually the preferred (and in some case perhaps the only practical) way to achieve the email reporting function we were required to provide from Log Analytics, helped me clarify the definition of Sentinel as a SIEM (+SOAR) vs just being a glorified report generator which it is not really designed for!

It all starts to make more sense now 🙂

My new challenge is getting the LA Playbook query output parsed up and presented in a neat email format, but I seem to be winning with that too now 🙂

Thijs Lecomte
Bronze Contributor
Aug 25, 2020
Have fun on your journey 😉
Check out the this blog for more info btw:
https://secureinfra.blog/2020/08/04/azure-sentinel-sending-an-email-each-morning-with-the-list-of-daily-incidents-created/
- AutomationMan
  Copper Contributor
  Aug 25, 2020
  Thijs Lecomte Thanks for that! Its that sort of example stuff that's helpful to see how or better ways to do things when you are new to the language.
  Cheers