Forum Discussion
SonkuB, Copper Contributor
Mar 06, 2022
How to send incident log data to another SIEM?
I need to ingest logs from Microsoft products into Microsoft Sentinel, then forward only incident log data to a 3rd-party SIEM.
How can I create an automation to export only incident log data and send that log to the 3rd-party SIEM?
- Clive_Watson, Bronze Contributor: Sorry, but you will have to do some extra reading. Start with this article, which shows an automation example which you may be able to use or adapt: https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/sending-enriched-microsoft-sentinel-alerts-to-3rd-party-siem-and/ba-p/1456976
An Incident/Alert contains just the data needed; that doesn't mean you can't gather and export more or enriched data. The original query is contained in the SecurityAlert (and it's that data that is normally used); however, you can run any query you like in the automation and export that - see https://docs.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook
Example of the original query that was used for each alert to trigger:
SecurityAlert
// ExtendedProperties is a JSON string; its Query property holds the analytics rule's KQL
| extend Query_ = tostring(parse_json(ExtendedProperties).Query)
| project Query_
- Clive_Watson, Bronze Contributor: There are a few ways, often via an automation that runs when the incident fires; that playbook will gather the data and then send it to the other SIEM via email/API or whatever method the SIEM prefers. You may also connect to Sentinel and PULL the data from the Sentinel API. As you don't mention the other SIEM, we can't help you with specifics. Here is one example (for Splunk) of side-by-side running: https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/azure-sentinel-side-by-side-with-splunk/ba-p/1211266
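A concrete illustration of the PULL route mentioned in the reply above, as an added example that is not part of the original thread or of any Microsoft sample: a Python script that lists incidents from the Sentinel REST API (the Microsoft.SecurityInsights/incidents resource under the Log Analytics workspace, using the list call's $filter and $orderby parameters on properties/lastModifiedTimeUtc), keeps a watermark so that only new or updated incidents are forwarded, and flattens each incident into a CEF line, a format most third-party SIEMs ingest natively. The subscription ID, resource group, workspace name and the sample incidents are constructed placeholders; the ARM bearer token and the SIEM-side transport (the `send` callable) are left to the caller.

```python
"""Pull Microsoft Sentinel incidents from the Azure REST API and forward only new or
updated ones to a third-party SIEM as CEF. Added example: the workspace identifiers and
the sample incidents below are hypothetical/constructed, not real data."""
import json
import urllib.parse
import urllib.request

SUBSCRIPTION = "00000000-0000-0000-0000-000000000000"  # hypothetical
RESOURCE_GROUP = "rg-sentinel"                          # hypothetical
WORKSPACE = "law-sentinel"                              # hypothetical
API_VERSION = "2023-02-01"
CEF_SEVERITY = {"Informational": 1, "Low": 3, "Medium": 6, "High": 9}  # Sentinel -> CEF 0-10

def incidents_url(since_utc: str) -> str:
    """List-incidents URL, OData-filtered to incidents modified after the watermark."""
    base = (f"https://management.azure.com/subscriptions/{SUBSCRIPTION}"
            f"/resourceGroups/{RESOURCE_GROUP}"
            f"/providers/Microsoft.OperationalInsights/workspaces/{WORKSPACE}"
            f"/providers/Microsoft.SecurityInsights/incidents")
    flt = urllib.parse.quote(f"properties/lastModifiedTimeUtc gt {since_utc}")
    order = urllib.parse.quote("properties/lastModifiedTimeUtc asc")
    return f"{base}?api-version={API_VERSION}&$filter={flt}&$orderby={order}"

def fetch_incidents(bearer_token: str, since_utc: str) -> list:
    """Live pull (needs network and an ARM token for the workspace); follows nextLink paging."""
    url, out = incidents_url(since_utc), []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {bearer_token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            page = json.load(resp)
        out.extend(page.get("value", []))
        url = page.get("nextLink")  # absent on the last page
    return out

def _cef_header(value) -> str:
    # CEF header fields: escape backslash and the pipe delimiter.
    return str(value).replace("\\", "\\\\").replace("|", "\\|")

def _cef_ext(value) -> str:
    # CEF extension values: escape backslash and '=', encode newlines as a literal \n.
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "").replace("\n", "\\n"))

def incident_to_cef(inc: dict) -> str:
    """Flatten one incident object (REST API shape) into a single CEF line."""
    p, extra = inc["properties"], inc["properties"].get("additionalData", {})
    header = "|".join(["CEF:0", "Microsoft", "Sentinel", "1.0", _cef_header(inc["name"]),
                       _cef_header(p["title"]), str(CEF_SEVERITY.get(p.get("severity"), 0))])
    ext = {"externalId": p.get("incidentNumber"), "cs1Label": "status", "cs1": p.get("status"),
           "cs2Label": "tactics", "cs2": ",".join(extra.get("tactics", [])),
           "cs3Label": "createdTimeUtc", "cs3": p.get("createdTimeUtc"),
           "cn1Label": "alertsCount", "cn1": extra.get("alertsCount", 0),
           "request": p.get("incidentUrl"), "msg": p.get("description", "")}
    return header + "|" + " ".join(f"{k}={_cef_ext(v)}" for k, v in ext.items()
                                   if v not in (None, ""))

def forward_new(incidents: list, watermark: str, send) -> tuple:
    """Send only incidents modified after `watermark`; return (new watermark, count sent).
    All timestamps come from one API in one format, so the ISO-8601 strings compare as text."""
    sent = 0
    for inc in sorted(incidents, key=lambda i: i["properties"]["lastModifiedTimeUtc"]):
        modified = inc["properties"]["lastModifiedTimeUtc"]
        if modified <= watermark:
            continue
        send(incident_to_cef(inc))
        watermark, sent = modified, sent + 1
    return watermark, sent

# Constructed sample incidents in the shape of the REST API response (not real data).
SAMPLE_INCIDENTS = [
    {"name": "11111111-1111-1111-1111-111111111111", "properties": {
        "title": "Suspicious sign-in | impossible travel", "severity": "High", "status": "New",
        "incidentNumber": 3177, "createdTimeUtc": "2022-03-06T08:15:00.0000000Z",
        "lastModifiedTimeUtc": "2022-03-06T08:15:00.0000000Z",
        "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/1111",
        "description": "User=alice\nSign-ins from two countries within 10 minutes",
        "additionalData": {"alertsCount": 2, "tactics": ["InitialAccess"]}}},
    {"name": "22222222-2222-2222-2222-222222222222", "properties": {
        "title": "Mass download from SharePoint", "severity": "Medium", "status": "Active",
        "incidentNumber": 3178, "createdTimeUtc": "2022-03-06T09:01:12.0000000Z",
        "lastModifiedTimeUtc": "2022-03-06T09:40:00.0000000Z", "description": "",
        "additionalData": {"alertsCount": 1, "tactics": ["Collection", "Exfiltration"]}}},
    {"name": "33333333-3333-3333-3333-333333333333", "properties": {
        "title": "Closed last week", "severity": "Low", "status": "Closed", "incidentNumber": 3001,
        "createdTimeUtc": "2022-03-01T10:00:00.0000000Z",
        "lastModifiedTimeUtc": "2022-03-02T10:00:00.0000000Z", "description": "",
        "additionalData": {"alertsCount": 1, "tactics": ["Persistence"]}}},
]

if __name__ == "__main__":
    sink = []  # offline demo: collect the CEF lines instead of sending them
    mark, count = forward_new(SAMPLE_INCIDENTS, "2022-03-06T00:00:00.0000000Z", sink.append)
    print(f"forwarded {count} incident(s); next watermark {mark}")
    print("\n".join(sink))
    # Live use: forward_new(fetch_incidents(token, mark), mark, siem_transport.send)
```

The `send` callable is where the destination-specific transport goes (an HTTP collector POST, syslog over TLS, or whatever the other SIEM prefers); the demo only collects the lines. Persist the returned watermark between runs so a restart neither re-sends nor skips incidents, escape the CEF header and extension fields as shown or a `|` or `=` in an incident title will corrupt parsing on the receiving side, and give the identity that obtains the token only the Microsoft Sentinel Reader role on the workspace, since listing incidents is all this needs.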
- SonkuB, Copper Contributor: Dear Clive_Watson
Sorry, I'm a newbie. Sentinel can export only incident data, right? How?
Thank you