This would likely be a custom logic app. You can query the SecurityIncident or SecurityAlert table and filter by severity. That would be sent on to Splunk through an API or possibly an email. I am not aware of any current examples. The GitHub repo is a good place to start looking for examples. Maybe some of the SNOW playbooks. https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks
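The filter-and-forward step described in the answer above, sketched in Python as an added example (not part of the original answer and not code from the Azure-Sentinel repo). It assumes rows already exported from the SecurityIncident table, treats Sentinel's "High" severity as the "critical" level, and targets Splunk's HTTP Event Collector; the sample rows, host name and token are constructed placeholders.

```python
import json
import urllib.request
from datetime import datetime

# Assumption: Sentinel severities are Informational/Low/Medium/High, so "High"
# stands in for the "critical" level the question asks about.
FORWARD = {"High"}

def _ts(row):
    return datetime.fromisoformat(row["TimeGenerated"])

def select_for_splunk(rows, severities=FORWARD):
    """SecurityIncident logs one row per update: keep the newest row per
    incident, then filter on that row's current severity."""
    latest = {}
    for row in rows:
        cur = latest.get(row["IncidentNumber"])
        if cur is None or _ts(row) > _ts(cur):
            latest[row["IncidentNumber"]] = row
    return [r for r in latest.values() if r["Severity"] in severities]

def to_hec_body(rows, sourcetype="sentinel:incident"):
    """Batch events as newline-separated JSON objects for the HEC event endpoint.
    The sourcetype name is a hypothetical choice."""
    return "\n".join(
        json.dumps({"time": _ts(r).timestamp(), "sourcetype": sourcetype, "event": r})
        for r in rows
    )

def hec_request(base_url, token, body):
    """Build (but do not send) the POST; send it with urllib.request.urlopen."""
    return urllib.request.Request(
        base_url.rstrip("/") + "/services/collector/event",
        data=body.encode("utf-8"),
        headers={"Authorization": "Splunk " + token,
                 "Content-Type": "application/json"},
        method="POST",
    )

# Constructed sample rows (not real incidents).
SAMPLE_ROWS = [
    {"TimeGenerated": "2024-05-01T10:00:00+00:00", "IncidentNumber": 101, "Severity": "High", "Status": "New"},
    {"TimeGenerated": "2024-05-01T10:05:00+00:00", "IncidentNumber": 101, "Severity": "High", "Status": "Active"},
    {"TimeGenerated": "2024-05-01T10:01:00+00:00", "IncidentNumber": 102, "Severity": "High", "Status": "New"},
    {"TimeGenerated": "2024-05-01T10:06:00+00:00", "IncidentNumber": 102, "Severity": "Low", "Status": "Active"},
    {"TimeGenerated": "2024-05-01T10:02:00+00:00", "IncidentNumber": 103, "Severity": "Medium", "Status": "New"},
]
```

With the sample rows, only incident 101 is forwarded: 102 was downgraded to Low in its latest row and 103 never reached High.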
How can I forward only critical logs from Microsoft Sentinel to Splunk?

Nattawut Teerajarukul
I need to use Microsoft Sentinel to ingest logs from Microsoft cloud products and send only critical logs to Splunk.
Can I forward logs, filtered to only critical logs, to Splunk?
How can I do it? Are there additional costs?
Please give me suggestions.
Thank you.
Accepted answer