I manage an environment with a bunch of clusters, each running their own log collection server that uses the ELK stack.
Our security team would like me to start sending authentication/audit events to their SIEM, which is running Sentinel.
Is it possible for our local logging Elasticsearch to send to Sentinel (or its Elasticsearch) rather than configuring agents on every instance of my clusters?
If so, I'd appreciate any references to docs or examples. I'm working my way through the configuration guide now.
I have limited experience with the ELK stack and none with Sentinel.
Thanks!
Edit: It looks like Logstash is the point in the stack to send to SIEM.
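As an added example (not from the original post, and not the Elastic or Microsoft documentation), here is what that Logstash hop could look like: the `elasticsearch` input plugin polls the local cluster for authentication events and the `microsoft-logstash-output-azure-loganalytics` plugin ships them to the Log Analytics workspace that Sentinel reads. The hostname, index pattern, field names, keystore variable names and table name are assumptions.

```logstash
# Assumed pipeline file, e.g. /etc/logstash/conf.d/sentinel-forward.conf
# Poll the local ELK Elasticsearch for authentication/audit events and forward
# them to the Sentinel (Log Analytics) workspace.

input {
  elasticsearch {
    hosts    => ["https://localhost:9200"]    # assumption: local ES endpoint
    user     => "${LOCAL_ES_USER}"            # resolved from the Logstash keystore
    password => "${LOCAL_ES_PASSWORD}"
    index    => "filebeat-*"                  # assumption: where the auth logs land
    # Only authentication events from a bounded window, so each run does not
    # re-send the whole index. Delivery is still at-least-once: overlapping
    # runs can duplicate events, so dedup on _id in the SIEM if that matters.
    query    => '{
      "query": {
        "bool": {
          "filter": [
            { "term":  { "event.category": "authentication" } },
            { "range": { "@timestamp": { "gte": "now-2m", "lt": "now-1m" } } }
          ]
        }
      }
    }'
    schedule => "* * * * *"                   # run the query every minute
    docinfo  => true                          # expose _index/_id under @metadata
  }
}

filter {
  # Keep a small, stable set of top-level fields so the SIEM table schema
  # stays predictable and no unrelated data leaves the cluster.
  prune {
    whitelist_names => ["^@timestamp$", "^host$", "^user$", "^source$", "^event$", "^message$"]
  }
  mutate {
    add_field => { "source_cluster" => "cluster-a" }   # assumption: per-cluster tag
  }
}

output {
  microsoft-logstash-output-azure-loganalytics {
    workspace_id          => "${SENTINEL_WORKSPACE_ID}"   # keystore values, not inline secrets
    workspace_key         => "${SENTINEL_WORKSPACE_KEY}"
    custom_log_table_name => "ElkAuthEvents"              # shows up as ElkAuthEvents_CL
  }
}
```

If duplicates or gaps from the scheduled re-query are unacceptable, the alternative is to point the existing shippers (e.g. Beats) at both the local Elasticsearch and the Sentinel output instead of re-reading from the cluster.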