graph api query sentinel CEF log


hi team,

1. I have CEF (Common Event Format) logs I collected in Azure Sentinel.

I want to query CEF logs from graph.microsoft.com or the Graph Security API.


2. How can we create an alert on every CEF row in the Sentinel CommonSecurityLog,

mapping alerts 1:1 to CEF rows?



@haimmag To answer your questions

1) The Azure Security graph only allows queries of data in the security graph itself. From what I have seen in the documentation, you cannot add a new Security alert, only update an existing one.


2) Not quite sure what you are asking for here. You can create an Analytic rule to create an alert when a new row is added to the CommonSecurityLog, which is where a CEF feed would place the data. You would use KQL to search CommonSecurityLog and filter to find only those rows you care about:


CommonSecurityLog
| where <filter term>

@Gary Bushey 


Thanks for your answer.


Can alerts created by analytics rules be queried at https://graph.microsoft.com/v1.0/security/alerts?


Where can I find samples of analytics rules that create an alert per row?


Analytics rules run on a schedule; they are not triggered per row insert. When creating an alert, how can I iterate over each row?


@haimmag While you cannot guarantee that each new row will generate its own Alert at this time, that functionality should be available very soon. (Disclaimer: I don't work for MS, so I am just going off of rumors.)

@haimmag 


1. As @Gary Bushey writes: you cannot retrieve workspace data using the Graph Security API. For API access to the workspace data, see the Log Analytics query API (more on Sentinel APIs here).


2. We are going to release shortly a feature that will enable generating an alert per rule result, addressing your "alert for every CEF event" requirement.


~ Ofer
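Two points in the thread fit one worked example: Gary's note that an Analytics rule is a KQL filter over CommonSecurityLog, and Ofer's pointer to the Log Analytics query API as the programmatic way to read workspace data. The Python below is an added example, not code from the thread, from Microsoft, or from any Sentinel sample: it embeds an assumed CommonSecurityLog filter (vendor and severity cut-off are made up), builds the POST request the Log Analytics query API expects (`https://api.loganalytics.io/v1/workspaces/{workspaceId}/query`, body `{"query": ..., "timespan": ...}`), flattens the `tables`/`columns`/`rows` response shape, and turns each returned CEF row into its own alert record. Because scheduled runs overlap and can return the same row twice, the alert id is derived from the row's own fields and a persisted `seen_ids` set is used to make the 1:1 mapping idempotent. The workspace id, bearer token (Azure AD token acquisition is not shown), sample response and alert-record layout are constructed for the example.

```python
"""Added example: one alert per CommonSecurityLog row via the Log Analytics
query API. KQL values, workspace id, token, sample rows and the alert shape
are illustrative assumptions, not from the thread."""
import hashlib
import json

# KQL a scheduled Analytics rule (or this script) would run against
# CommonSecurityLog. Vendor and severity cut-off are assumed values.
KQL_QUERY = """
CommonSecurityLog
| where TimeGenerated > ago(5m)
| where DeviceVendor == "Palo Alto Networks"
| where toint(LogSeverity) >= 7
| project TimeGenerated, DeviceVendor, DeviceProduct, Activity,
          SourceIP, DestinationIP, LogSeverity
"""

QUERY_URL = "https://api.loganalytics.io/v1/workspaces/{workspace_id}/query"


def build_query_request(workspace_id, kql, bearer_token, timespan="PT5M"):
    """Assemble the request for the query API; send it with any HTTP client.
    `timespan` is an ISO 8601 duration that bounds the query server-side."""
    return {
        "method": "POST",
        "url": QUERY_URL.format(workspace_id=workspace_id),
        "headers": {
            "Authorization": f"Bearer {bearer_token}",
            "Content-Type": "application/json",
        },
        "body": {"query": kql, "timespan": timespan},
    }


def parse_query_response(response):
    """Flatten the API's tables -> columns/rows layout into one dict per row."""
    records = []
    for table in response.get("tables", []):
        names = [column["name"] for column in table["columns"]]
        for row in table["rows"]:
            records.append(dict(zip(names, row)))
    return records


def alert_id(record):
    """Stable id from the row's own fields: a row returned again by an
    overlapping scheduled run maps to the same alert."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()[:16]


def alerts_from_rows(records, seen_ids):
    """Emit one alert per CEF row; `seen_ids` is the caller's persisted set of
    ids, so rows already alerted on in an earlier run are skipped."""
    alerts = []
    for record in records:
        aid = alert_id(record)
        if aid in seen_ids:
            continue
        seen_ids.add(aid)
        severity = int(record.get("LogSeverity", 0))
        alerts.append({
            "alertId": aid,
            "title": f"{record.get('DeviceVendor')} {record.get('Activity')} "
                     f"{record.get('SourceIP')} -> {record.get('DestinationIP')}",
            # illustrative mapping of the CEF 0-10 severity onto two buckets
            "severity": "High" if severity >= 7 else "Medium",
            "event": record,
        })
    return alerts


# Constructed response in the query API's shape; rows 1 and 3 are the same
# event returned by two overlapping runs (TEST-NET addresses).
SAMPLE_RESPONSE = {
    "tables": [{
        "name": "PrimaryResult",
        "columns": [
            {"name": "TimeGenerated", "type": "datetime"},
            {"name": "DeviceVendor", "type": "string"},
            {"name": "DeviceProduct", "type": "string"},
            {"name": "Activity", "type": "string"},
            {"name": "SourceIP", "type": "string"},
            {"name": "DestinationIP", "type": "string"},
            {"name": "LogSeverity", "type": "string"},
        ],
        "rows": [
            ["2020-03-01T10:00:01Z", "Palo Alto Networks", "PAN-OS", "THREAT",
             "192.0.2.10", "198.51.100.5", "8"],
            ["2020-03-01T10:00:07Z", "Palo Alto Networks", "PAN-OS", "THREAT",
             "192.0.2.11", "198.51.100.5", "9"],
            ["2020-03-01T10:00:01Z", "Palo Alto Networks", "PAN-OS", "THREAT",
             "192.0.2.10", "198.51.100.5", "8"],
        ],
    }]
}

if __name__ == "__main__":
    req = build_query_request("00000000-0000-0000-0000-000000000000", KQL_QUERY, "<token>")
    print(req["method"], req["url"])
    seen = set()
    for alert in alerts_from_rows(parse_query_response(SAMPLE_RESPONSE), seen):
        print(alert["alertId"], alert["severity"], alert["title"])
```

The dedup set is the piece a scheduled rule needs and the thread does not spell out: if the rule's lookback is longer than its run frequency, the same CEF row is in scope on consecutive runs, and without a stable per-row id you get two alerts for one event.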