IBM QRadar

  • 1.  Is a DSM available for Exchange Online Protection?

    Posted Fri June 03, 2022 02:53 PM

    Hello,

    We are running QRadar 7.4.1 fp1 in a multi-tenant environment.

    We are collecting logs via Microsoft Event Hubs from one of our tenants; in this hub he is sending logs from his EOP (Exchange Online Protection) platform.

    I see that these logs are parsed as unknown both if I choose the Microsoft Defender DSM and if I choose the Microsoft Azure DSM in the DSM editor.

    On Fix Central I have not found any specific DSM for these events, so I want to know if I can avoid manually parsing all these logs; does a DSM or a content extension exist?

    Thanks

    Davide



    #QRadar
    #Support
    #SupportMigration


  • 2.  RE: Is a DSM available for Exchange Online Protection?

    Posted Tue June 07, 2022 03:21 AM

    Hi,

    All the supported Microsoft DSMs are here.

    https://www.ibm.com/docs/en/dsm?topic=configuration-microsoft

    It seems EOP is not officially supported yet. You might want to create a custom log source type for EOP.

    Tip: You should consider upgrading to the latest version of QRadar, since QRadar 7.4.1 is pretty old now. The latest is QRadar 7.5.



    #QRadar
    #Support
    #SupportMigration


  • 3.  RE: Is a DSM available for Exchange Online Protection?

    Posted Tue June 07, 2022 07:36 AM

    Thanks for your reply, we are waiting for the release of 7.5.0 UP2 to deploy the version upgrade.

    Is support for EOP planned in the near future or not? In that case we may consider writing our own DSM.

    BR

    Davide



    #QRadar
    #Support
    #SupportMigration