Does anyone have any experience ingesting incidents from Microsoft Sentinel (formerly Azure Sentinel)?
I found info about the https://splunkbase.splunk.com/app/4564 add-on, which works with Graph Security, which is supposed to be a "middleware" of sorts between different kinds of security events, but on the other hand I find that data pulled this way is very limited in terms of details. So I thought about calling the Sentinel API directly. There is supposedly an API we could use; it has a PowerShell module. I'm not sure about decent "curlable" docs, but I didn't look very hard for it. Yet. The question, however, is: are we doomed to write something completely from scratch, or is there anything ready that I could use?
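As an added illustration of the "call the Sentinel API directly" route raised in this post (example code, not the poster's and not part of the Splunkbase add-on): a small Python puller that pages through the Microsoft Sentinel incidents list endpoint on Azure Resource Manager, following `nextLink`, and reshapes each incident into a Splunk HEC event. The subscription/resource-group/workspace placeholders, the `api-version` string, the field set kept per incident and the sample response page are assumptions; the `fetch` parameter lets you run it offline against the constructed page, and a real token for `https://management.azure.com` can come from `az account get-access-token`.

```python
import json
from datetime import datetime
from urllib.request import Request, urlopen

# Placeholders (assumed): fill in your subscription, resource group and workspace. A bearer
# token for https://management.azure.com can come from `az account get-access-token`.
ARM = "https://management.azure.com"
INCIDENTS_PATH = ("/subscriptions/<SUB_ID>/resourceGroups/<RG>/providers/"
                  "Microsoft.OperationalInsights/workspaces/<WORKSPACE>"
                  "/providers/Microsoft.SecurityInsights/incidents")
API_VERSION = "2023-02-01"  # assumed; verify against the current Microsoft docs

def iso_to_epoch(ts: str) -> float:
    """Sentinel timestamps carry 7 fractional digits; trim to 6 so fromisoformat accepts them."""
    main, _, frac = ts.rstrip("Z").partition(".")
    return datetime.fromisoformat(f"{main}.{(frac + '000000')[:6]}+00:00").timestamp()

def incidents_to_hec(page: dict, sourcetype: str = "azure:sentinel:incident"):
    """Convert one page of the ARM list response into HEC events; return (events, nextLink)."""
    events = []
    for inc in page.get("value", []):
        p = inc.get("properties", {})
        ev = {"sourcetype": sourcetype, "event": {
            "incident_id": inc.get("name"), "incident_number": p.get("incidentNumber"),
            "title": p.get("title"), "severity": p.get("severity"), "status": p.get("status"),
            "created": p.get("createdTimeUtc"), "last_modified": p.get("lastModifiedTimeUtc")}}
        if p.get("createdTimeUtc"):
            ev["time"] = iso_to_epoch(p["createdTimeUtc"])  # index on incident creation time
        events.append(ev)
    return events, page.get("nextLink")

def fetch_all_incidents(token: str, fetch=None) -> list:
    """Follow nextLink until exhausted. `fetch(url) -> dict` is injectable for offline use."""
    def _get(url):
        with urlopen(Request(url, headers={"Authorization": f"Bearer {token}"})) as resp:
            return json.load(resp)
    fetch, url, out = fetch or _get, f"{ARM}{INCIDENTS_PATH}?api-version={API_VERSION}", []
    while url:
        events, url = incidents_to_hec(fetch(url))
        out.extend(events)
    return out

def hec_payload(events: list) -> bytes:
    """Body for POST /services/collector/event ('Authorization: Splunk <HEC token>'): newline-joined JSON."""
    return "\n".join(json.dumps(e) for e in events).encode()

# Constructed sample page in the shape of the incidents list response (not real data).
SAMPLE_PAGE = {"value": [{"name": "00000000-0000-0000-0000-000000000001", "properties": {
    "incidentNumber": 42, "title": "Suspicious sign-in", "severity": "High", "status": "New",
    "createdTimeUtc": "2024-01-15T10:20:30.1234567Z", "lastModifiedTimeUtc": "2024-01-15T11:00:00Z"}}]}
```

For a first run, call `fetch_all_incidents("<token>", fetch=lambda url: SAMPLE_PAGE)` and feed the result to `hec_payload` before pointing it at a real workspace.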
I am in the same boat. I have the same requirement and am planning to write something from scratch using the API.
The key problem here is that I have no Azure experience whatsoever, and all those services' names mean absolutely nothing to me 🙂
But.
From what I read, it seems that you supposedly can configure Sentinel to send notifications about incidents to Event Hub. And I think that you can pull events from the Event Hub - https://docs.splunk.com/Documentation/AddOns/released/MSCloudServices/Configureeventhubs
So it might be easier than I thought. Unfortunately, I haven't had any hands-on experience with Sentinel yet.