Azure-Sentinel/Playbooks/Get-SentinelAlertsEvidence
Yaniv Shasha c9b4a3cc10 Update readme.md 2020-06-11 19:36:52 +03:00

Get-SentinelAlertsEvidence

This playbook (an Azure Logic App) automatically collects the alert evidence attached to Azure Sentinel alerts and sends it to an Event Hub that can be consumed by a third-party SIEM solution.

Author: Yaniv Shasha

Deploy the solution

  1. Create an Event Hub using the article "Create an event hub using Azure portal"
    https://docs.microsoft.com/azure/event-hubs/event-hubs-create or use an existing Event Hub.
  2. Go to the Playbook GitHub page.
  3. Press the "deploy to azure" button.
  4. Fill in the following information:
  • Azure Sentinel Workspace Name
  • Azure Sentinel Workspace resource group name
  • Number of events to pull from Azure Sentinel (default value is the 10 latest events)
  5. Once the playbook is deployed, modify the "Run query and list results" action and point it to your Azure Sentinel workspace.
  6. Next, configure the "send event" action to use the Event Hub you created earlier.
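The two steps above are the playbook's data path: a Log Analytics query over the SecurityAlert table, whose rows are then forwarded as Event Hub messages. The following is an added illustration of that path, not the Logic App definition from the repository: it builds the bounded query the "Run query and list results" step would run and shapes the returned rows into event payloads. The result shape (`{"value": [...]}`), the sample rows and the payload layout are assumptions made for the example.

```python
import json
from typing import Any, Optional

# Constructed sample of what the "Run query and list results" action returns
# for a SecurityAlert query. Entities and ExtendedProperties are JSON strings
# in that table, and one row is deliberately malformed to show the fallback.
SAMPLE_QUERY_RESULT = {
    "value": [
        {
            "TimeGenerated": "2020-06-11T15:00:00Z",
            "SystemAlertId": "00000000-0000-0000-0000-000000000001",
            "AlertName": "Suspicious sign-in",
            "AlertSeverity": "Medium",
            "Entities": json.dumps([{"Type": "account", "Name": "jdoe"}]),
            "ExtendedProperties": json.dumps({"Source": "constructed"}),
        },
        {
            "TimeGenerated": "2020-06-11T14:00:00Z",
            "SystemAlertId": "00000000-0000-0000-0000-000000000002",
            "AlertName": "Malware detected",
            "AlertSeverity": "High",
            "Entities": "not json",
            "ExtendedProperties": "",
        },
    ]
}


def build_alert_query(limit: int) -> str:
    """KQL for the query step; the deployment parameter becomes the 'take' bound.
    Validating it keeps a bad parameter from turning into an unbounded pull."""
    if not 1 <= limit <= 1000:
        raise ValueError("limit must be between 1 and 1000")
    return f"SecurityAlert | sort by TimeGenerated desc | take {limit}"


def _parse_json_field(raw: str) -> Optional[Any]:
    # Evidence columns arrive as JSON text; keep malformed text rather than dropping it
    if not raw:
        return None
    try:
        return json.loads(raw)
    except json.JSONDecodeError:
        return {"unparsed": raw}


def to_event_hub_events(query_result: dict, limit: int) -> list:
    """Shape query rows into the payload dicts the 'send event' step would forward."""
    events = []
    for row in query_result.get("value", [])[:limit]:
        events.append({
            "id": row["SystemAlertId"],
            "time": row["TimeGenerated"],
            "name": row["AlertName"],
            "severity": row["AlertSeverity"],
            "evidence": {
                "entities": _parse_json_field(row.get("Entities", "")),
                "extendedProperties": _parse_json_field(row.get("ExtendedProperties", "")),
            },
        })
    return events
```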