Sentinel incidents to IDR

Dear All,

Kindly share your inputs…

Trying to configure Third party alerts from Azure Sentinel through Eventhub.

I have created one eventsource to collect the logs/alerts from Azure eventhub. the connection between these devices is working and we are able to see the logs in IDR log search.

But, we are looking for the option where the investigation will be created in IDR (third party alert) when azure sentinel is have some incident/alerts.

Thanks,
Natraj. R

1 Like

Hi Natraj,

I am guessing this could be accomplished using the InsightIDR Investigations API:

https://docs.rapid7.com/insightidr/insightidr-rest-api/#investigations

If you choose to use Python and need the ability to easily retrieve relevant logs from logsearch, you can use this script to query the events:

I hope this helps! Sounds like a fun project - good luck.

Micah

Hi Natraj,

We currently do not enable native Sentinel alerts to come in as third party alerts in our product even if alert data is visible in log search. We do support Microsoft Security Center and Microsoft Defender ATP as third party alerts and we are actively working on a Microsoft Defender for Cloud integration which could provide visibility for alerts from this product in IDR investigations.

As Micah mentioned, you may be able to use the IDR Investigations API to trigger investigations based on Sentinel alerts. Before we talk about this further, could you provide an overview of how you are looking to respond to Sentinel alerts in IDR investigations? This will help us understand if this potential solution is a good path for us to take for now. More than happy to talk through via a call if that’s easier as well.

Thanks,
Anil