Integration Elastic Security with Microsoft Sentinel available?

Elastic Security
1

Hello all,

I am looking for a way to import alerts and possibly more data from Sentinel into Elastic Security. I do not see an integration available for this. Is there someone who can confirm that this does not exist and / or someone who can say how this could be implemented?

Many thanks.

Jeroen

2

Hi @Jeronimodus,

I'm not familiar with Sentinel, what does the import data look like? Log file, api, etc? To answer your question, in general if an integration doesn't currently exists you usually can import the data you'll probably use logstash and then map it to the Elastic Common Schema.

3

If by Sentinel you mean Azure Sentinel, then there is no integration.

One alternative to collect logs from Azure Sentinel is using Logstash, you would need to configure your Sentinel to send the logs to an Event Hub then use the azure_event_hubs input in Logstash.

The log is basically a json, but all the alerts will be sent inside an array named records, so you will need a split filter in this field to have each alert as a document.

I use the following filters to parse the messages:

    json {
        source => "message"
    }
    split {
        field => "records"
    }

You can then rename the fields you want into equivalent ECS fields.

4

Hi @Jeronimodus Welcome to the community
cc @leandrojmp

Perhaps I am missing something I was just discussing this with another user today.

There is an OOTB integration with SentinelOne and Elastic Agent

The SentinelOne integration collects and parses data from SentinelOne REST APIs.

5

This is another tool, the question is about Microsoft Sentinel (formerly know as Azure Sentinel), the cloud SIEM/SOAR product from Microsoft.

SentinelOne is a different tool by a different company.

There is no Elastic Agent integration for Microsoft Sentinel yet.

6

Ahhhh thanks...

To make it more clear ... Uhh confusing to me

https://azuremarketplace.microsoft.com/en-us/marketplace/apps/azuresentinel.azure-sentinel-solution-sentinelone?tab=overview

So you can buy SentinelOne through Azure marketplace as part of Microsoft Sentinel offering it looks like...

I do know SentinelOne is endpoint / XDR among other things because we see it with a number of our users.

:slight_smile:

7

Yeah, Microsoft Sentinel is a SIEM, you can send other logs to it and use its OOTB rules and intelligence to correlate things and get some alerts.

1 Like
8

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.