This playbook runs on a schedule (every hour) and checks your Sentinel workspace for incidents that were updated by Sentinel Alerts in the last hour.
For each such incident it collects the alert evidence that was newly attached to the updated Azure Sentinel incident and sends it to an Event Hub, from which a third-party SIEM can consume it.
Author: Naomi Christis and Yaniv Shasha
Deploy the solution

1. Create an Event Hub by following the article "Create an event hub using Azure portal" (https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-create), or use an existing Event Hub.
2. Press the "Deploy to Azure" button.
3. Fill in the required parameters: the playbook name and the number of events to export to the Event Hub (default: the 10 most recent events).
4. Once the playbook is deployed, authorize the Azure Monitor Logs connection. This points the connection at your Sentinel workspace so the playbook can query for the updated Azure Sentinel incidents; the identity you authorize with needs read access to that workspace (for example the Log Analytics Reader role).
5. Configure the Event Hub connection in the "Send event" actions, using the Event Hub from step 1. Use a shared access policy scoped to that Event Hub with only the Send claim; the playbook never needs to Listen or Manage.
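The query behind step 4 is not shown on this page, so the following is an added example of the kind of query the Azure Monitor Logs action would run against the workspace; it is not the playbook's own query. It takes the one-hour lookback, the "updated by Sentinel Alerts" condition and the default of 10 events from the description above. The `ModifiedBy == "Sentinel Alerts"` filter is an assumption about how the `SecurityIncident` table records such updates and should be checked against your own data; the `SecurityIncident` and `SecurityAlert` column names are the standard Sentinel schema.

```kusto
// Added example, not the playbook's own query.
// Assumption: incidents updated by alert grouping carry ModifiedBy == "Sentinel Alerts";
// verify with  SecurityIncident | distinct ModifiedBy  in your workspace.
let lookback = 1h;      // the playbook's hourly schedule
let maxEvents = 10;     // the "number of events" deployment parameter (default 10)
SecurityIncident
| where TimeGenerated > ago(lookback)                 // rows written in the last hour
| where LastModifiedTime > ago(lookback)              // incident actually changed in that window
| where ModifiedBy == "Sentinel Alerts"               // assumption, see above
| summarize arg_max(LastModifiedTime, *) by IncidentNumber   // keep only the latest revision
| mv-expand AlertId = AlertIds to typeof(string)      // one row per alert attached to the incident
| join kind=inner (
    SecurityAlert
    | where TimeGenerated > ago(lookback)
    | summarize arg_max(TimeGenerated, *) by SystemAlertId   // latest copy of each alert
  ) on $left.AlertId == $right.SystemAlertId
| project IncidentNumber, Title, Severity, Status, LastModifiedTime,
          AlertId, AlertName, AlertSeverity, ProviderName, Entities, ExtendedProperties
| top maxEvents by LastModifiedTime desc
```

Each result row is one alert belonging to a recently updated incident, which is the unit the "Send event" actions forward to the Event Hub. The `Entities` and `ExtendedProperties` columns are JSON strings; keep them intact in the event body so the receiving SIEM can parse them, and raise `maxEvents` (or page on `LastModifiedTime`) if your workspace produces more than ten alert updates an hour, otherwise the export silently drops the oldest ones.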