Exam SC-100
Question 11

Your company has a third-party security information and event management (SIEM) solution that uses Splunk and Microsoft Sentinel.

You plan to integrate Microsoft Sentinel with Splunk.

You need to recommend a solution to send security events from Microsoft Sentinel to Splunk.

What should you include in the recommendation?

Correct Answer: B

To send security events from Microsoft Sentinel to Splunk, the recommended solution is to use Azure Event Hubs. Azure Event Hubs is a fully managed real-time data ingestion service that is capable of accepting and processing millions of events per second. By using Event Hubs, you can efficiently stream security events and logs from Microsoft Sentinel to Splunk, ensuring that the data is reliably transmitted for analysis and monitoring in Splunk. This method is specifically designed for such integrations, supporting high-volume data throughput and offering strong interoperability between Microsoft and third-party systems like Splunk.

Discussion
BPQ (Option: B)

If data needs to go to Splunk, then Event Hub. https://www.splunk.com/en_us/blog/platform/splunking-azure-event-hubs.html

prabhjot

Agree, as I do not see any Splunk data connector in Sentinel and also no Azure HTTP API connector in Sentinel.

[Removed]

Event Hub is the answer: https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/azure-sentinel-side-by-side-with-splunk-via-eventhub/ba-p/2307029

TJ001

The catch is this requires a playbook (workflow automation using Logic App) to send from Sentinel to Event Hub first... MS should have given clarity in the options.

xping85

https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/azure-sentinel-side-by-side-with-splunk-via-eventhub/ba-p/2307029

yaza85 (Option: B)

B. Data connectors are for receiving data, not for sending data.

nils241

That's the point. Read the question: "...send security events FROM Microsoft Sentinel TO Splunk." So it can't be a data connector.

sherifhamed (Option: A)

To send security events from Microsoft Sentinel to Splunk, you should use a Microsoft Sentinel data connector. Data connectors in Microsoft Sentinel are used to export security events and logs to external systems, and Splunk is a supported destination for these connectors. So, the correct recommendation is: A. a Microsoft Sentinel data connector

Jayden111 (Option: A)

The recommended solution to send security events from Microsoft Sentinel to Splunk is to use a Microsoft Sentinel data connector. This is because Microsoft Sentinel data connectors are designed to send security events to external systems, such as Splunk, in real-time. By using a data connector, you can easily configure the integration and define which events to send to Splunk based on your organization's needs. Azure Event Hubs is not the best option for this scenario because it is used to stream large amounts of data to other services and may not provide the required security and filtering capabilities for security events. A Microsoft Sentinel workbook is not designed for sending data to external systems, but rather for visualizing and analyzing data within the Microsoft Sentinel environment. Azure Data Factory is a data integration service that allows you to create data pipelines and move data between different systems, but it is not designed for sending security events from Microsoft Sentinel to Splunk.

DivG (Option: B)

Azure Event Hub is the correct answer. https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/azure-sentinel-side-by-side-with-splunk-via-eventhub/ba-p/2307029

ConanBarb (Option: B)

I must say that I do think it's strange and unusual for a Microsoft exam to have a scenario where data is going from their own product to a third party's. In my experience it's always the other way. Therefore I suspect that it could be a typo saying "from Sentinel to Splunk". It's more likely to be "to Sentinel from Splunk", i.e. Sentinel data connectors. If it appears on a test, make sure to read carefully...

ServerBrain

Rule of thumb - always go with most votes!!

hondo1997 (Option: B)

Azure Event Hub

RickySmith (Option: B)

Azure Event Hubs. "to send security events from Microsoft Sentinel to Splunk"

https://www.splunk.com/en_us/blog/platform/splunking-azure-event-hubs.html - Event Hubs can process data or telemetry produced from your Azure environment. They also provide us with a scalable method to get your valuable Azure data into Splunk!

https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/azure-sentinel-side-by-side-with-splunk-via-eventhub/ba-p/2307029 - Another option would be to implement a Side-by-Side architecture with Azure Event Hub.

Not a Microsoft Sentinel data connector - Microsoft Sentinel Add-On for Splunk allows Azure Log Analytics and Microsoft Sentinel users to ingest security logs 'from' Splunk platform using the Azure HTTP

TomasValtor (Option: B)

Answer B. Preparation: The following tasks describe the necessary preparation and configuration steps.

Onboard Azure Sentinel
Register an application in Azure AD
Create an Azure Event Hub Namespace
Prepare Azure Sentinel to forward Incidents to Event Hub
Configure Splunk to consume Azure Sentinel Incidents from Azure Event Hub
Using Azure Sentinel Incidents in Splunk
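As an added illustration of the last two steps above (the Splunk-side consumer of what Sentinel forwards to Event Hub), here is example code that is not from the post, from Microsoft or from Splunk. It assumes the playbook publishes each incident to Event Hub as the raw Sentinel incident JSON (id plus properties.title/severity/status/incidentNumber/createdTimeUtc) and shows the mapping to a Splunk HEC event envelope, a severity floor, and de-duplication, since Event Hubs delivers at-least-once; the sourcetype, index and sample incidents are constructed.

```python
import json
from datetime import datetime, timezone

SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def _msg(inc_id, number, title, severity, created):
    # Constructed sample message in the assumed Sentinel incident shape.
    return json.dumps({"id": f"/subscriptions/sub-placeholder/incidents/{inc_id}",
                       "properties": {"incidentNumber": number, "title": title,
                                      "severity": severity, "status": "New",
                                      "createdTimeUtc": created}})


# Constructed Event Hub messages: two incidents, a duplicate delivery of the
# first (at-least-once semantics), and one malformed payload.
SAMPLE_MESSAGES = [
    _msg("aaa-111", 101, "Suspicious sign-in", "High", "2024-01-15T10:00:00Z"),
    _msg("aaa-111", 101, "Suspicious sign-in", "High", "2024-01-15T10:00:00Z"),
    _msg("bbb-222", 102, "Port scan", "Low", "2024-01-15T10:05:00Z"),
    "{not json",
]


def to_hec_event(incident, index="sentinel"):
    """Map one incident to a Splunk HEC event envelope (time/host/sourcetype/event)."""
    props = incident["properties"]
    created = datetime.fromisoformat(props["createdTimeUtc"].replace("Z", "+00:00"))
    return {
        "time": created.astimezone(timezone.utc).timestamp(),
        "host": "microsoft-sentinel",
        "source": "eventhub",
        "sourcetype": "sentinel:incident",  # assumed sourcetype name
        "index": index,
        "event": {"incident_id": incident["id"], "number": props["incidentNumber"],
                  "title": props["title"], "severity": props["severity"],
                  "status": props["status"]},
    }


def build_hec_batch(messages, min_severity="Medium", seen=None):
    """Parse raw Event Hub messages into HEC events, dropping duplicates, incidents
    below min_severity and malformed payloads. Pass `seen` to keep dedup state
    across batches. Returns (events, dropped_count)."""
    seen = set() if seen is None else seen
    events, dropped = [], 0
    for raw in messages:
        try:
            incident = json.loads(raw)
            key, severity = incident["id"], incident["properties"]["severity"]
        except (ValueError, KeyError, TypeError):
            dropped += 1
            continue
        if key in seen or SEVERITY_RANK.get(severity, -1) < SEVERITY_RANK[min_severity]:
            dropped += 1
            continue
        seen.add(key)
        events.append(to_hec_event(incident))
    return events, dropped
```

The returned events are the JSON bodies a HEC client would POST to /services/collector/event; the `seen` set would be persisted alongside the Event Hub checkpoint in a real consumer.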

XtraWest (Option: B)

B. Events Hubs | Azure Event Hubs can be used to buffer and route events between Microsoft Sentinel and Splunk. This option provides scalability and reliability in handling high volumes of security events.

WRITER00347 (Option: B)

To send security events from Microsoft Sentinel to Splunk, you would typically use Azure Event Hubs as the messaging service that can integrate with both solutions. Azure Event Hubs can be used to collect and stream event data into various services, and it's suitable for integration with third-party SIEM solutions like Splunk. So, the correct answer to include in the recommendation would be: B. Azure Event Hubs.

MaciekMT (Option: B)

My 2 cents: given the options to choose from, I would go for Event Hub. I would imagine the best solution in this case would be Microsoft Graph Security API Add-On for Splunk https://splunkbase.splunk.com/app/4564

ariania (Option: B)

Indeed B

zellck (Option: B)

B is the answer. https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/azure-sentinel-side-by-side-with-splunk-via-eventhub/ba-p/2307029

Jay_G (Option: B)

https://learn.microsoft.com/en-us/azure/defender-for-cloud/export-to-siem#stream-alerts-to-qradar-and-splunk

Hashamkhan (Option: A)

There is a distinction between data connectors for receiving data and data connectors for sending data.