![]() ![]() Install the Azure Sentinel App for Splunk: can be found here.Get the Log Analytics workspace parameters: Workspace ID and Primary Key from here.Onboarding of Splunk instance (latest release), can be found here.The following tasks describe the necessary preparation and configurations steps. You need just to install it in your Splunk platform. To make this simple I have created an Add-on for you to use. Splunk Add-on Builder uses Python code to create your alert action, here is the code I used within the Add-on: You can use Alert actions to define third-party integrations (like Azure Sentinel) or add custom functionality. When you submit the data, an individual record is created in the repository for each record in the request payload.īased on Splunk Add-on Builder here, I created an add-on which trigger an action based on the alert in Splunk. You format your data to send to the HTTP Data Collector API as multiple records in JSON. You can use the HTTP Data Collector API to send log data to a Log Analytics workspace from any client that can call a REST API.Īll data in the Log Analytics workspace is stored as a record with a particular record type. In order to send data from Splunk to Azure Sentinel, my idea was to use the HTTP Data Collector API, more information can be found here. ![]() In order to implement this scenario, we can rely on different options but the one I was thinking about is to rely on data stored in Splunk index then create a scheduled custom alert to push this data to the Azure Sentinel API. Let’s assume that your security team wants to collect data from Splunk platform to use Azure Sentinel as their centralized SIEM. Searching in Splunk involves using the indexed data for the purpose of creating metrics, dashboards and alerts. When you add data to Splunk, the Splunk indexer processes it and stores it in a designated index (either, by default, in the main index or in the one that you identify). In this diagram, we show how Splunk data can be correlated into Azure Sentinel providing a consolidated SIEM view Why do we want to share this scenario? For some scenarios it makes sense to use data from 3rd Party SIEMs for correlation with available data sources in Azure Sentinel, also Sentinel can be used as single pane of glass to centralize all incidents (generated by different SIEM solutions) and finally you will probably have to deliver the side-by-side for a while until your security team will be more comfortable working within the new SIEM (Azure Sentinel). In this Blog post we want to focus more on how Azure Sentinel can consume security telemetry data directly from a 3 rd Party SIEM like Splunk. There are several best practice integration options available how to operate Azure Sentinel in Side-by-Side. Avoid sending cloud telemetry downstream (send cloud data to on-premise SIEM).Continually maintained cloud and on-premises use cases enhanced with Microsoft TI (Threat Intelligence) and ML (Machine Learning).Today many enterprises consume more and more cloud services, there is a huge requirement for cloud-native SIEM, this is where Azure Sentinel comes in play and has following advantages: We have published several Blog posts on how Azure Sentinel can be used Side-by-Side with 3 rd Party SIEM tools, leveraging cloud-native SIEM and SOAR capabilities to forward enriched alerts. Thanks to Preeti Krishna and Alp Babayigit for the great help.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |