3rd Party Alert Ingestion into Sentinel as SIEM


Hi all,

Newbie here!

I am a SOC analyst for a small business and we are looking at SIEM/SOAR solutions. We already utilize MS Sentinel as SIEM, and Crowdstrike as EDR. We will be rolling out other security products to cover areas such as phishing protection (PhishMe), IDAM (Tenable AD), etc. Additionally, clients are looking to bring in their own additional applications for us to monitor. I am looking into having alerts go into a single application, allowing analysts to have a single pane of glass to view, as opposed to having to constantly check into every single application.

Does MS Sentinel support this kind of functionality, or would it be recommended to look at 3rd party applications, as a lot of these products will not be Microsoft based?

Thanks,

Edit 1:

Thanks for the responses. I have tried to simplify my questions below:

  1. Can Sentinel be used to ingest incidents from other EDR, IDAM & phishing mailboxes? E.g. if we utilize Cofense Protect as phishing protection & Cortex XDR as EDR, can those alerts be ingested into MS Sentinel as an alert? The goal would be to have a single application we use to view incidents and alerts.
3 Replies
Microsoft Sentinel has an Incidents blade, which is a consolidated view of any Alert (regardless of application). For some products like Defender you can click through from Sentinel to the Alert in question. However, for many other products the Alert may contain a URL the Analyst can follow to see the details (if you need more insight than the info in the Alert itself).

You can link to a full ITSM tool like ServiceNow or JIRA if you need extra capability.

https://learn.microsoft.com/en-us/azure/sentinel/incident-investigation

Hi Cals,

Your question is quite broad; I'd suggest you create a bullet point list of your requirements and then that list can be compared to features in Sentinel.
Some thoughts on your challenge:
- take a look at the supported device feeds. It's a long list and you'll probably be happy with this level of support for 90% of your log sources.
- for custom log sources:
  - syslog - should be pretty easy to parse and produce alerts/incidents. You'll need to learn how to set up a syslog collector with the AMA agent for this, and you'll need to learn some KQL for the parsing - very short learning curve.
  - APIs - for API-related log sources you'll need to use Azure Functions or Logic Apps. This will be a bigger learning curve than syslog, so be prepared to spend some time on this or hire a contractor to get it done faster.
- SOAR capabilities - if you need custom SOAR actions to process your incidents, again this will be Logic Apps. Although this is mostly a no-code solution there is a learning curve just like any SOAR tool.
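For the syslog path described in the reply above, here is an added example (not from any post in this thread, and not Microsoft's or any vendor's code) of the parsing step: it takes a constructed CEF-over-syslog alert line of the kind a third-party EDR might forward to a collector and normalises it into the columns an analyst would expect in a single custom alert table. The vendor, host, field values, column names and severity mapping are all assumptions.

```python
import re
# Constructed sample line (not from any real product): a CEF alert inside an
# RFC 3164 syslog header, the shape a third-party tool forwards to a collector.
SAMPLE_LINE = (
    "<134>Mar 10 14:02:33 edr-host CEF:0|ExampleVendor|ExampleEDR|7.1|"
    "MALWARE_DETECTED|Quarantine \\| isolate|8|src=10.0.0.5 suser=jdoe "
    "fname=invoice\\=final.exe msg=Hash matched known bad sample act=quarantine"
)

_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<body>CEF:.*)$"
)

def _split_cef_header(body):
    # Seven '|'-separated header fields; a literal '|' is escaped as '\|', so plain split() breaks.
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            cur.append(body[i + 1]); i += 2
        elif ch == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    return fields, body[i:]  # remaining text is the key=value extension

def _parse_extension(ext):
    # Split at ' key=' boundaries, not every space, so multi-word values survive; '\=' is a literal '='.
    pairs = re.split(r" (?=\w+=)", ext.strip())
    return {k: v.replace("\\=", "=") for k, _, v in (p.partition("=") for p in pairs)}

def parse_cef_syslog(line):
    # Normalise one line into columns for a custom Sentinel table; the column names and
    # the CEF-severity-to-Low/Medium/High mapping below are assumptions, not Microsoft's schema.
    m = _SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a CEF-over-syslog line")
    hdr, ext = _split_cef_header(m.group("body"))
    if len(hdr) != 7 or hdr[0] != "CEF:0":
        raise ValueError("malformed CEF header")
    fields, sev, pri = _parse_extension(ext), int(hdr[6]), int(m.group("pri"))
    return {
        "SourceHost": m.group("host"), "SyslogFacility": pri >> 3, "SyslogSeverity": pri & 7,
        "Vendor": hdr[1], "Product": hdr[2], "Version": hdr[3],
        "AlertId": hdr[4], "AlertName": hdr[5],
        "Severity": "High" if sev >= 7 else "Medium" if sev >= 4 else "Low",
        "SrcIp": fields.get("src"), "User": fields.get("suser"),
        "Action": fields.get("act"), "Details": fields.get("msg"), "Extension": fields,
    }
```

The same normalisation is what a KQL parser function would do once the raw line lands in the workspace; doing it in code first is a quick way to check that escaped pipes and multi-word values in a given product's feed come through intact.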

In general, yes it does. In addition to the list of connectors referenced above, you should take a look at the Solutions in the Content Hub. There are almost 300 and they provide a wide variety of capabilities for working with data from dozens of different vendors. If you don't see a solution for a provider that you need, contact MSFT to see if it might be on the roadmap, or you can create one yourself and sell that as an additional service to your clients.