Azure-Sentinel/Playbooks/IncidentUpdate -Get-Sentine...
Sarah Young 5a18f87b4e
Update readme.md
2021-06-24 15:29:00 +12:00
IncidentUpdate-GetSentinelAlertsEvidence.json Create IncidentUpdate-GetSentinelAlertsEvidence.json 2021-05-10 10:42:56 +02:00
readme.md Update readme.md 2021-06-24 15:29:00 +12:00


IncidentUpdate -Get-SentinelAlertsEvidence

This playbook runs on a time schedule (every hour) and checks your Sentinel workspace for any incident that was updated in the last hour by Sentinel Alerts.
It then automatically collects the new alert evidence from each updated Azure Sentinel incident (from the last hour) and sends that evidence to an Event Hub, where a third-party SIEM solution can consume it.
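The query below is an added illustration of the lookup the playbook performs against Azure Monitor Logs; it is not the playbook's own query and is not taken from the repository. It assumes the standard Sentinel `SecurityIncident` and `SecurityAlert` tables, and it assumes the literal `"Sentinel Alerts"` is the `ModifiedBy` value to filter on (taken from the description above). The `join` on `AlertIds` / `SystemAlertId` is what turns an updated incident into the alert evidence (entities and extended properties) that gets forwarded to the Event Hub.

```kusto
// Added example, not the playbook's own query.
// Incidents in this workspace that were modified in the last hour by Sentinel Alerts,
// reduced to the latest record per incident so a single update is not emitted twice.
let lookback = 1h;
SecurityIncident
| where TimeGenerated > ago(lookback)
| where ModifiedBy == "Sentinel Alerts"          // assumption: modifier value used by Sentinel when alerts are attached
| summarize arg_max(TimeGenerated, *) by IncidentNumber
| mv-expand AlertId = AlertIds to typeof(string) // one row per alert attached to the incident
| join kind=inner (
    // The alert evidence itself; latest record per alert id.
    SecurityAlert
    | where TimeGenerated > ago(lookback)
    | summarize arg_max(TimeGenerated, *) by SystemAlertId
  ) on $left.AlertId == $right.SystemAlertId
| project
    IncidentNumber, Title, Severity, Status, LastModifiedTime,
    AlertName, AlertSeverity, Entities, ExtendedProperties
```

In a Logic App this is the body of the "Run query and list results" action; each returned row is what the "send event" action forwards. Keeping `lookback` equal to the recurrence interval avoids both gaps and duplicate deliveries to the downstream SIEM.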

Author: Naomi Christis and Yaniv Shasha

Deploy the solution

  1. Create an Event Hub using the article "Create an event hub using Azure portal"
    https://docs.microsoft.com/azure/event-hubs/event-hubs-create or use an existing Event Hub.

  2. Deploy the playbook to your environment

  3. Once the playbook is deployed, update the required connection to Azure Monitor Logs
    (this means configuring the connection to your workspace so the playbook can query for the updated Azure Sentinel incidents).

  4. Next, configure the connection to your Event Hub in the "send event" actions, using the Event Hub from step 1.