Ingesting Incidents from MS Sentinel

PickleRick · ‎06-06-2022

Anyone has any experience in ingesting Incidents from Microsoft Sentinel (formerly Azure Sentinel)?

I found info about the https://splunkbase.splunk.com/app/4564 add-on which works with Graph Security which is supposed to be a "middleware" of sorts between different kinds of security events but on the other hand I find that data pulled this way is very limited in terms of details. So I thought about callind Sentinel API directly. There is supposedly API we could use, it has PowerShell module, I'm not sure about decent "curlable" docs but I didn't look very hard for it. Yet. The question however is are we doomed to write something completely from scratch or is there anything ready that I could use?

Azeemering · ‎06-07-2022

I am in the same boat. I have the same requirement and am planning to write something from scratch using the API

PickleRick · ‎06-07-2022

The key problem here is that I have no Azure experience whatsoever and all those services' names mean completely nothing to me 🙂

But.

From what I read, it seems that you supposedly can configure the Sentinel to send notifications about incidents to Event Hub. And I think that you can pull events from the Event Hub - https://docs.splunk.com/Documentation/AddOns/released/MSCloudServices/Configureeventhubs

So it might be easier than I thought. Unfortunately, I didn't have any hands-on experience with Sentinel yet.

Ingesting Incidents from MS Sentinel

other

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?