question

NatoshiSakamato-6804 asked vipulsparsh-MSFT commented

Custom Logs in Sentinel not triggering incidents or showing up in Threat Management

I have successfully forwarded security logs from Splunk to Azure Sentinel based on this tutorial from Microsoft devs.

While I'm able to view the logs from the Custom Logs table created for the forwarded alerts, it seems like they are not being treated like regular Azure alerts:

  • They are not being analyzed by Sentinel Fusion

  • They have not triggered any incidents

  • They do not show up in any Threat Management pages (e.g. Entity Behaviour, Hunting, etc.)

Is there any way to get Sentinel to treat Custom Logs like actual security alerts?
If so, how do we do the field mapping from our custom logs to the one expected by Azure?






microsoft-sentinel
1 Answer

vipulsparsh-MSFT answered vipulsparsh-MSFT commented

@NatoshiSakamato-6804 Thanks for reaching out and apologies for the delay on this.

You should be able to generate incidents on the basis of whatever logs you have flowing in.
For that you need to create a Scheduled Query Rule (as the default Microsoft incident creation rule only checks for Microsoft security products like Azure Defender, Cloud App Security, etc.).

[screenshot: 143228-image.png]

Once you are in the process of creating it and have specified the query, on the 3rd segment you have the option to generate incidents on the basis of this scheduled query rule.


[screenshot: 143260-image.png]

Let me know if you have done this already and are still having the issue.


Hi, thank you very much for your reply, however I think my question has been misunderstood. I would like the existing rules in the Analytics tab (including Fusion) to work on the logs that are forwarded from Splunk and stored in a Custom Logs table.

What you described only allows me to generate incidents based on my own custom queries, which is not what I asked.


@NatoshiSakamato-6804 Apologies for the delay on this. Unfortunately, the default analytic rules, including Fusion, will not work with custom log data. You will need to create a scheduled query rule as I suggested in the above answer. The default Fusion rules have different connector requirements and are created only for those incoming logs.

Once you create the scheduled query rule, you will be able to see the incidents and Fusion working for that query automatically.

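The answer and the follow-up comment describe building a Scheduled analytics rule over the custom table by hand in the portal. The script below is an added example, not code from the thread or from Microsoft: it builds the same Scheduled rule as a `Microsoft.SecurityInsights/alertRules` request body, turns on incident creation (the "3rd segment" of the wizard), and answers the original field-mapping question by attaching entity mappings from the custom columns to Sentinel's Account and IP entities, which is what lets incidents from such a rule surface in the entity and investigation pages. The table name `Splunk_CL`, its columns (`user_s`, `src_ip_s`, `severity_s`), the KQL and every subscription, workspace and rule name are assumptions chosen for illustration; replace them with what your forwarder actually produces. The validation function encodes the rule limits Sentinel enforces (frequency of at least 5 minutes, lookback period of at most 14 days and never shorter than the frequency) so mistakes are caught before the PUT.

```python
"""Build (and optionally deploy) a Microsoft Sentinel Scheduled analytics rule
over a custom log table.  Added example; table, column and resource names below
are assumptions, not values from the thread."""
import json
import re
import urllib.request

# GA api-version of the Microsoft.SecurityInsights alertRules resource.
API_VERSION = "2023-02-01"

# Constructed KQL over an assumed custom table.  Log Analytics appends _CL to
# custom tables and a type suffix (_s, _d, ...) to the columns it infers.
KQL = """
Splunk_CL
| where severity_s in ("high", "critical")
| project TimeGenerated, user_s, src_ip_s, severity_s, RawData
"""

# Field mapping: custom columns -> Sentinel entity identifiers (assumed columns).
ENTITY_MAPPINGS = [
    {"entityType": "Account",
     "fieldMappings": [{"identifier": "FullName", "columnName": "user_s"}]},
    {"entityType": "IP",
     "fieldMappings": [{"identifier": "Address", "columnName": "src_ip_s"}]},
]

_ISO = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?)?$")


def iso_duration_seconds(value):
    """Parse the PnDTnHnM subset of ISO 8601 durations that Sentinel uses."""
    m = _ISO.match(value)
    if not m:
        raise ValueError(f"unsupported ISO 8601 duration: {value}")
    days, hours, minutes = (int(g) if g else 0 for g in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60


def build_scheduled_rule(display_name, query, frequency="PT1H", period="PT1H",
                         threshold=0, severity="High", entity_mappings=None,
                         create_incident=True):
    """Return the PUT body for a kind=Scheduled analytics rule."""
    return {
        "kind": "Scheduled",
        "properties": {
            "displayName": display_name,
            "description": "Scheduled rule over a custom log table (example).",
            "enabled": True,
            "severity": severity,
            "query": query.strip(),
            "queryFrequency": frequency,      # how often the query runs
            "queryPeriod": period,            # how far back each run looks
            "triggerOperator": "GreaterThan",
            "triggerThreshold": threshold,    # alert when rows > threshold
            "suppressionDuration": "PT1H",
            "suppressionEnabled": False,
            "tactics": [],
            # The wizard's incident-settings step: without this the rule only
            # produces alerts, never incidents.
            "incidentConfiguration": {
                "createIncident": create_incident,
                "groupingConfiguration": {
                    "enabled": True,
                    "reopenClosedIncident": False,
                    "lookbackDuration": "PT5H",
                    "matchingMethod": "AllEntities",
                },
            },
            "entityMappings": entity_mappings or [],
        },
    }


def validate_rule(body):
    """Return a list of problems; an empty list means the rule is deployable."""
    p = body["properties"]
    freq = iso_duration_seconds(p["queryFrequency"])
    period = iso_duration_seconds(p["queryPeriod"])
    problems = []
    if freq < 5 * 60:
        problems.append("queryFrequency below the 5 minute minimum")
    if period > 14 * 86400:
        problems.append("queryPeriod above the 14 day maximum")
    if period < freq:
        problems.append("queryPeriod shorter than queryFrequency: events would be skipped")
    if not p["incidentConfiguration"]["createIncident"]:
        problems.append("createIncident is false: alerts only, no incidents")
    for em in p["entityMappings"]:
        for fm in em["fieldMappings"]:
            if fm["columnName"] not in p["query"]:
                problems.append(f"entity column {fm['columnName']} is not projected by the query")
    return problems


def rule_url(subscription_id, resource_group, workspace, rule_id):
    return (f"https://management.azure.com/subscriptions/{subscription_id}"
            f"/resourceGroups/{resource_group}/providers/Microsoft.OperationalInsights"
            f"/workspaces/{workspace}/providers/Microsoft.SecurityInsights"
            f"/alertRules/{rule_id}?api-version={API_VERSION}")


def deploy_rule(url, body, bearer_token):
    """PUT the rule with an ARM bearer token (e.g. from `az account get-access-token`)."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="PUT",
        headers={"Authorization": f"Bearer {bearer_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def build_example_rule():
    return build_scheduled_rule("Splunk high-severity events (example)", KQL,
                                entity_mappings=ENTITY_MAPPINGS)


if __name__ == "__main__":
    rule = build_example_rule()
    print(json.dumps(rule, indent=2))
    print("problems:", validate_rule(rule) or "none")
```

Once the body validates, `deploy_rule(rule_url(sub, rg, ws, "splunk-high-severity"), rule, token)` creates or updates the rule; the rule id in the URL is a GUID or any stable string you choose. Note that this only reproduces the Scheduled-rule path the answer describes: as the comment states, the built-in Fusion and Microsoft-incident-creation rules key off specific data connectors and will not pick up rows from `Splunk_CL` no matter how the columns are mapped.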