The QRadar Pulse App, available on the IBM App Exchange, is a dashboard that provides insight into offenses, network data, threats, malicious behavior and cloud environments. The app offers a variety of options for viewing global activity using maps and a 3D threat globe, and features auto-updating charts including bar charts, pie charts, tabular charts and more.
In this blog I’m going to highlight how easy it is to create dashboards to visualize activity from your Microsoft Office 365 environment. I’ve created two dashboards using the QRadar Pulse App:
1. Microsoft Office 365 Overview Dashboard. This will give you an overview of Azure Active Directory, SharePoint, Exchange, Microsoft Teams, OneDrive, Power BI, Security & Compliance Center activity within your network.

2. Microsoft Office 365 User Activity Dashboard. This will give you visibility of failed logins of users within your organization, User Mailbox Activity, and Events Per User.

How can you do this?
First, create a Log Source to ingest data from the Microsoft Office 365 platform. You can view these events in the Log Activity tab in your QRadar deployment.
To see events that are associated with a particular Office 365 event type, such as Azure Active Directory, SharePoint, Exchange, etc., you can use Add a Filter in QRadar and extract that field from the payload of the event. You can then save this filter using the Save Criteria option in the menu tab in Log Activity in QRadar.
Using a Saved Search - AQL String
Once you’ve created your Saved Search, in QRadar 7.3.2 you can convert any Saved Search into an AQL string. In my case, I’ve created several Microsoft Office 365 searches, one for each event type.
You can copy that AQL string for your Saved Search and navigate to the QRadar Pulse App and add a dashboard to configure your search.
In the QRadar Pulse App, I’ve taken my AQL string and verified that it is a valid statement and I’m getting the results I want to see.
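For illustration, here is an AQL statement of the kind a failed-login widget could use. It is an added example, not the AQL string generated from the saved searches in this post. The log source type name, the low-level category name and the column aliases are assumptions to replace with the values shown in your own saved search's AQL string.

```sql
-- Added example (AQL): failed Office 365 logins per user over the last 24 hours.
-- Assumption: the Office 365 log source type is named 'Microsoft Office 365'
-- and failed sign-ins map to the 'User Login Failure' low-level category
-- in your deployment.
SELECT
    username                AS UserName,
    COUNT(*)                AS FailedLogins,     -- total failed sign-in events
    UNIQUECOUNT(sourceip)   AS DistinctSources   -- how many source IPs they came from
FROM events
WHERE LOGSOURCETYPENAME(devicetype) = 'Microsoft Office 365'
  AND CATEGORYNAME(category) = 'User Login Failure'
  AND username IS NOT NULL
GROUP BY username
ORDER BY FailedLogins DESC
LIMIT 20
LAST 24 HOURS
```

A user with a high FailedLogins count spread across many DistinctSources is worth a closer look than one with repeated failures from a single address.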
Next, you can create multiple views with different Chart Types to your liking. In this example, I wanted to see the geographic location of where the Failed User Logins were occurring.
In this view, I want to see all activity that is associated with audit logging within my Office 365 Azure Active Directory platform.
As for this view, I want to see all the activity associated with my Microsoft Office 365 SharePoint logs.

To summarize, it’s incredibly easy to create dashboards for either internal or external reporting within your organization, monitoring network activity within your organization and overall visibility within your QRadar deployment.