
Create an Azure Sentinel Incident from Splunk

The modern SOC is leveraging many different tools, and has data stored in many different places. If you use Splunk and Azure Sentinel, and have been looking for ways to integrate these solutions, you've come to the right place.

With Dataflect you can search Azure Sentinel incidents directly from Splunk, and you can also create incidents in Azure Sentinel based on logs that are ingested in Splunk. Below is a very basic example of how to do so.


Register an Application in Azure AD

  1. Navigate to the Azure portal.

  2. Go to Azure Active Directory > App registrations > New registration.

  3. Enter a name for the application, select the supported account types, and provide a Redirect URI (if necessary).

  4. After registration, note down the Application (client) ID.

Create a Client Secret

  1. Under your application registration, navigate to Certificates & secrets.

  2. Click New client secret, give it a description and an expiration period.

  3. Once created, copy the Value of the client secret (it won’t be visible again).

Assign Role to the Application

  1. Go to your Storage Account in the Azure portal.

  2. Under Access control (IAM), click Add > Add role assignment.

  3. Choose a role that provides read/write access to Azure Sentinel, scoping the assignment no wider than the integration needs.

  4. In the Select field, type the name of the application you registered and select it.

  5. Click Save to assign the role to the application.

Add management.azure.com as an Allowed Domain in Dataflect


Create a credential in Dataflect with your App Registration details


Now you can create an Azure Sentinel Incident directly from Splunk!
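The steps above boil down to two HTTP exchanges against the `management.azure.com` domain that was allowed earlier: the App Registration exchanges its client ID and secret for a bearer token, and that token authorizes a PUT that creates the incident in the Sentinel workspace. The following Python is an added example of those two calls, written here to make the mechanism concrete; it is not Dataflect's code and not part of the original post. The tenant, subscription, resource group and workspace values are placeholders, the Splunk-side severity mapping is constructed for the example, and the `2023-02-01` API version is the one assumed for the `Microsoft.SecurityInsights` incidents resource.

```python
"""Create an Azure Sentinel incident from a Splunk search result via the Azure REST API.

Added example, not Dataflect's implementation. It shows:
  1. the OAuth2 client-credentials token request to Azure AD, and
  2. the PUT to management.azure.com that creates the incident.
Every identifier below that starts with '<' is a placeholder you must replace.
"""
import json
import urllib.parse
import urllib.request
import uuid

ARM = "https://management.azure.com"
API_VERSION = "2023-02-01"  # assumed API version for Microsoft.SecurityInsights/incidents

# Placeholders (assumed values, not from the original post): fill in from your App
# Registration (Application (client) ID + client secret) and your Sentinel workspace.
TENANT_ID = "<tenant-id>"
CLIENT_ID = "<application-client-id>"
CLIENT_SECRET = "<client-secret-value>"
SUBSCRIPTION_ID = "<subscription-id>"
RESOURCE_GROUP = "<resource-group>"
WORKSPACE = "<log-analytics-workspace>"

# Constructed mapping from a Splunk-side severity string to the Sentinel severity enum.
SENTINEL_SEVERITY = {
    "critical": "High", "high": "High", "medium": "Medium",
    "low": "Low", "informational": "Informational",
}


def token_request(tenant_id, client_id, client_secret):
    """Return (url, form_body) for the client-credentials grant against Azure AD.

    The scope is the ARM audience because Sentinel incidents are an ARM resource.
    """
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{ARM}/.default",
    }).encode()
    return url, body


def incident_url(subscription_id, resource_group, workspace, incident_id):
    """Build the ARM URL for one incident in a Sentinel-enabled Log Analytics workspace."""
    return (f"{ARM}/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}"
            f"/providers/Microsoft.SecurityInsights/incidents/{incident_id}"
            f"?api-version={API_VERSION}")


def incident_body(splunk_result):
    """Map a Splunk result row (a dict of field values) onto the incident PUT body.

    Rejects unknown severities instead of silently defaulting, so a bad field value
    shows up in the Splunk job log rather than as a mis-rated incident.
    """
    severity = SENTINEL_SEVERITY.get(str(splunk_result.get("severity", "")).lower())
    if severity is None:
        raise ValueError(f"unmapped Splunk severity: {splunk_result.get('severity')!r}")
    description = (f"Raised from Splunk search '{splunk_result['search_name']}' "
                   f"at {splunk_result['_time']} on host {splunk_result['host']}")
    return {"properties": {
        "title": splunk_result["search_name"],
        "severity": severity,
        "status": "New",
        "description": description,
    }}


def get_token(tenant_id, client_id, client_secret):
    """POST the token request and return the bearer token (network call)."""
    url, body = token_request(tenant_id, client_id, client_secret)
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def create_incident(token, splunk_result, incident_id=None):
    """PUT a new incident (ID is client-chosen, so a fresh UUID is generated) and return ARM's JSON."""
    incident_id = incident_id or str(uuid.uuid4())
    url = incident_url(SUBSCRIPTION_ID, RESOURCE_GROUP, WORKSPACE, incident_id)
    data = json.dumps(incident_body(splunk_result)).encode()
    req = urllib.request.Request(url, data=data, method="PUT", headers={
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample row, shaped like one result of a Splunk saved search.
    sample = {"search_name": "Suspicious logon burst", "severity": "high",
              "_time": "2024-01-01T00:00:00Z", "host": "web01"}
    print(json.dumps(incident_body(sample), indent=2))
    # Uncomment once the placeholders above are filled in:
    # print(create_incident(get_token(TENANT_ID, CLIENT_ID, CLIENT_SECRET), sample))
```

The PUT only succeeds if the role assigned to the application in the earlier step covers the workspace in the URL; a 403 from `management.azure.com` at this point almost always means the assignment scope or role was wrong, not the credential. Keep the client secret out of the Splunk search itself and store it in the credential created in Dataflect (or Splunk's own secret storage) so it never lands in search logs.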


In a future blog post we'll show you how to create a Dataflect custom alert action leveraging this capability in order to make it more actionable.


If you want to see what else you can do with Dataflect reach out to us at sales@dataflect.com for a demo today.
