Create a Splunk Rule

Use the following procedure to create an alert rule that sends alerts through the Splunk alert profile:

Procedure

Step 1

Navigate to System and Accounts > Service Alerts > Alert Rules.

Step 2

Click Create.

Step 3

Profile Name - Enter a unique name for the alert rule. Example: mcd-splunk-alert-rule.

Step 4

Description (optional) - Enter a description for the alert rule.

Step 5

Alert Profile - Using the pulldown, choose the Splunk alert profile you created previously. For example, select the profile created above, mcd-splunk-rule.

Step 6

Type - Using the pulldown, select either System Logs or Discovery.

Step 7

Sub Type - For Type System Logs, the Sub Type pulldown options are Gateway or Account. For Type Discovery, the only Sub Type pulldown option is Insights Rule.

Step 8

Severity - Using the pulldown, select a Severity level. For Type System Logs, the options are Info, Warning, Medium, High, or Critical. For Type Discovery, the options are Info, Medium, or Critical.

Step 9

Enabled - Check the checkbox to enable this alert rule.

Step 10

Click Save.