How can I forward only critical log from Microsoft Sentinel to Splunk

Nattawut Teerajarukul 216 Reputation points
2022-02-02T11:15:14.767+00:00

I need to use Microsoft Sentinel to ingest logs from Microsoft cloud products, and send only critical logs to Splunk.
Can I forward logs, filtered to only critical logs, to Splunk?
How can I do it? Are there additional costs?

Please advise.
Thank you.


Accepted answer
  1. Andrew Blumhardt 9,491 Reputation points Microsoft Employee
    2022-02-02T13:58:35.007+00:00

    This would likely be a custom logic app. You can query the SecurityIncident or SecurityAlert table and filter by severity. That would be sent on to Splunk through an API or possibly an email. I am not aware of any current examples. The GitHub repo is a good place to start looking for examples. Maybe some of the SNOW playbooks. https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks
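The approach in the accepted answer (query SecurityIncident, keep only high-severity incidents, push them to Splunk) as an added Python example; this is not code from the Q&A, from Microsoft, or from the Azure-Sentinel repository. It assumes Sentinel's incident severities are High/Medium/Low/Informational (with "critical" meaning High), that the Logic App or scheduled job has already run the KQL and returns rows with TimeGenerated as epoch seconds, and that the target is a Splunk HTTP Event Collector endpoint; the sample rows are constructed.

```python
"""Filter Sentinel incidents by severity and shape them as Splunk HEC events."""
import json
import urllib.request

# Sentinel incident severities, highest first (assumption: "critical" == "High").
SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1, "Informational": 0}


def build_kql(min_severity="High", lookback="1h"):
    """KQL for the scheduled query step: incidents at or above min_severity, latest state only."""
    keep = [s for s, r in SEVERITY_RANK.items() if r >= SEVERITY_RANK[min_severity]]
    sev_list = ", ".join(f'"{s}"' for s in keep)
    return (f"SecurityIncident | where TimeGenerated > ago({lookback}) "
            f"| where Severity in ({sev_list}) "
            "| summarize arg_max(TimeGenerated, *) by IncidentNumber "
            "| project TimeGenerated, IncidentNumber, Title, Severity, Status, IncidentUrl")


def filter_by_severity(rows, min_severity="High"):
    """Client-side guard so nothing below the floor is forwarded even if the query was edited."""
    floor = SEVERITY_RANK[min_severity]
    return [r for r in rows if SEVERITY_RANK.get(r.get("Severity"), -1) >= floor]


def to_hec_events(rows, source="sentinel", sourcetype="sentinel:incident"):
    """One HEC JSON object per incident; the row becomes the event body (TimeGenerated assumed epoch seconds)."""
    return [{"time": r["TimeGenerated"], "source": source,
             "sourcetype": sourcetype, "event": r} for r in rows]


def post_to_hec(hec_url, token, events, timeout=10):
    """POST newline-delimited HEC events; hec_url is e.g. https://<splunk>:8088/services/collector/event (placeholder)."""
    body = "\n".join(json.dumps(e) for e in events).encode()
    req = urllib.request.Request(hec_url, data=body, method="POST",
                                 headers={"Authorization": f"Splunk {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


# Constructed sample rows shaped like the projected SecurityIncident columns.
SAMPLE_ROWS = [
    {"TimeGenerated": 1643800000, "IncidentNumber": 101, "Title": "Mass download",
     "Severity": "High", "Status": "New", "IncidentUrl": "https://example.invalid/101"},
    {"TimeGenerated": 1643800060, "IncidentNumber": 102, "Title": "Anomalous sign-in",
     "Severity": "Medium", "Status": "New", "IncidentUrl": "https://example.invalid/102"},
    {"TimeGenerated": 1643800120, "IncidentNumber": 103, "Title": "Benign scan",
     "Severity": "Informational", "Status": "Closed", "IncidentUrl": "https://example.invalid/103"},
]

if __name__ == "__main__":
    print(build_kql())
    print(json.dumps(to_hec_events(filter_by_severity(SAMPLE_ROWS)), indent=2))
```

Only the High incident survives the filter, so a single HEC event reaches Splunk; the Logic App would run build_kql's query on a schedule and call post_to_hec with a stored HEC token.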

