Log export to Microsoft Sentinel
launched
Nick Saunders
launched
Microsoft Sentinel integration for Data Export is now available. Release notes include additional details.
Steve Staden
Voters, we're about to make this available for testing as a beta if you're interested in trying out this capability and providing feedback. Please email [email protected] with Microsoft Sentinel Beta in the subject line. Note, you will need the data export add-on.
Nick Saunders
in progress ( live <90 days )
Thomas Sweet
I am curious about the "cost" for logging in Sentinel. We also has an audit finding related to logging but it was more open ended. I am curious about the Sentinel / Log Analytics costs of logging all this data.
Would this then allow integration with Defender? For example, if Defender says, "user clicked on malicious link" I can look to see if the user actually made the http request successfully or if it was blocked by one of my rules.
Steve Staden
Thomas Sweet: Good to hear from you! It looks like Sentinel does connect with Defender when I look here - https://learn.microsoft.com/en-us/defender-cloud-apps/siem-sentinel. Given your example, I believe that should be possible then to see the logs from both Defender and DNSFilter. I'm not sure if I answered your question completely, but happy to follow-up and discuss too ([email protected]). I can also discuss it with the team as they're testing out the integration.
Steve Staden
planned ( in queue )
Steve Staden
under review ( scoping )
Steve Staden
Merged in a post:
MS Sentinel (SIEM) Integration
Zeeshan
Due to compliance, we need logs from DNSFILTER to our existing SIEM solution, which is the MS Sentinel,
DNSFilter does not provide the integration for it.
So I was wondering if we could send the logs to the Syslog server and then route those logs toward sentinel.
Another option is to set up amazon S3 and connect the sentinel S3 connector.
There are some limitations we need to follow, i.e. just for this new product, the management will not add one more service, So we need to use our existing infrastructure.
This integration will play be a significant role for purchasing DNSFILTER LICENSE.
Any suggestion?
Steve Staden
Is using HEC (HTTP Event Collector) in Sentinel an option? We've had customers using other SIEMs be able to connect with our "Splunk" connector. https://help.dnsfilter.com/hc/en-us/articles/6266552356499-Data-Export. "We utilize Splunk's
HTTP Event Collector
API which uses a well-recognized protocol for transferring data. It is scalable, secure, token-based for convenience, and easy to maintain.The protocol is often implemented by SIEMs and data tools other than Splunk and may work out of the box with your preferred data tool as well."