IBM QRadar

  • 1.  Microsoft Azure Products need to be integrated with QRadar

    Posted Fri October 18, 2024 04:03 AM

    Hi All,

    Could you please suggest which Azure products or resources give positive value for security monitoring purposes and therefore need to be integrated with QRadar?

    Example : Defender, Entra ID etc..

    Thanks



  • 2.  RE: Microsoft Azure Products need to be integrated with QRadar

    Posted Mon October 21, 2024 11:02 AM

    Hello,

    The "positive value" could be subjective based on the users/organization that utilize QRadar. If I look at the question from the perspective of a consultant or a newly onboarded SOC team member, I ask whether QRadar is used for just security events or as a data lake (central event collector). If it's used as a data lake then you might want to ask other teams what they would find positive, e.g. Service/Help Desk, NetOps, SysOps.

    Another thing I would ask: is this a new QRadar setup or has it been in the environment for a while? QRadar + Extensions from the App Exchange have a lot of great pre-defined rule sets; granted, they will need to be tuned to fit your organization. It's definitely not a turnkey (set it and forget it) type of product.

    Some examples:
    Service/Help Desk - They might want an alert via email or ticketing integration that a user has locked out their account.
    SysOps/NetOps - Might like to know when there are known M365 issues. A rule parsing on Office 365 affected works is nice when Microsoft advertises a service is having issues on their end (SharePoint, Outlook, Teams etc.)
    SecOps - Well, we like to know about Phishing, Unauthorized device additions, UBA (user behavior analytics), Geolocations of successful logins, etc...

    So, ingesting all the log source types has lots of benefits; once that is set up you can stack on extensions/apps:
    Use Case Manager - Great for identifying your MITRE coverage based on enabled Offense Rules, out-of-the-box/added from extension or in-house custom rules
    Cloud Visibility - Helps with setting up the M365 log sources and has its own Azure Offense Overview
    RFISI Extension - Nice rule set for spam, malware URLs, C2 detections

    Like previously said, it's subjective to your environment and difficult to provide suggestions without some detailed information. If there are rules for technologies you don't use then there is no need to have them enabled, and make sure you review rules to verify a rule is not a duplicate (it happens sometimes: one rule will be broad, and another, more updated rule might have some granularity to it).

    Hopefully this helps out a little bit or points you in a good direction to go.

    -Jason



    ------------------------------
    Jason Paulovicks
    ------------------------------
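    Two of the rules Jason describes above (a lockout alert for the Service/Help Desk, and a successful sign-in from a new geolocation for SecOps) can be prototyped on a handful of Entra ID sign-in events before they are built as QRadar offense rules. The block below is an added example written for this thread; it is not code from the post, from IBM or from Microsoft. The sample events are constructed, and the field names (`properties.userPrincipalName`, `properties.status.errorCode`, `properties.location.countryOrRegion`) are assumptions based on the shape of the Entra ID "SignInLogs" diagnostic export as delivered through an Event Hub; check them against your own tenant's events before turning this into rules. The AADSTS error codes 50126 (invalid username or password) and 50053 (account locked) are real Entra ID codes. It also goes slightly beyond the post by flagging a successful sign-in that follows a burst of failures, since that is the pattern a lockout alert usually exists to catch.

```python
import json
from collections import defaultdict

# Constructed sample Entra ID sign-in events (not from the thread). One JSON
# object per line, as a JSON-based log source would receive them from an
# Event Hub. Field names are assumptions based on the SignInLogs export schema.
SAMPLE_SIGNIN_EVENTS = """\
{"time":"2024-10-18T08:00:00Z","category":"SignInLogs","properties":{"userPrincipalName":"alice@example.com","ipAddress":"203.0.113.10","status":{"errorCode":0},"location":{"countryOrRegion":"DE"}}}
{"time":"2024-10-18T08:05:00Z","category":"SignInLogs","properties":{"userPrincipalName":"alice@example.com","ipAddress":"198.51.100.7","status":{"errorCode":0},"location":{"countryOrRegion":"BR"}}}
{"time":"2024-10-18T08:10:00Z","category":"SignInLogs","properties":{"userPrincipalName":"bob@example.com","ipAddress":"192.0.2.44","status":{"errorCode":50126,"failureReason":"Invalid username or password"},"location":{"countryOrRegion":"US"}}}
{"time":"2024-10-18T08:10:20Z","category":"SignInLogs","properties":{"userPrincipalName":"bob@example.com","ipAddress":"192.0.2.44","status":{"errorCode":50126,"failureReason":"Invalid username or password"},"location":{"countryOrRegion":"US"}}}
{"time":"2024-10-18T08:10:40Z","category":"SignInLogs","properties":{"userPrincipalName":"bob@example.com","ipAddress":"192.0.2.44","status":{"errorCode":50126,"failureReason":"Invalid username or password"},"location":{"countryOrRegion":"US"}}}
{"time":"2024-10-18T08:11:00Z","category":"SignInLogs","properties":{"userPrincipalName":"bob@example.com","ipAddress":"192.0.2.44","status":{"errorCode":50053,"failureReason":"Account is locked"}}}
{"time":"2024-10-18T08:40:00Z","category":"SignInLogs","properties":{"userPrincipalName":"bob@example.com","ipAddress":"192.0.2.44","status":{"errorCode":0},"location":{"countryOrRegion":"US"}}}
"""

# Entra ID (AADSTS) result codes used by the rules below.
ERR_SUCCESS = 0
ERR_BAD_PASSWORD = 50126    # invalid username or password
ERR_ACCOUNT_LOCKED = 50053  # account locked after too many failed attempts


def parse_events(text):
    """Parse one JSON event per line, ignoring blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events, known_countries, failure_threshold=3):
    """Run three simple rules over sign-in events in arrival order.

    known_countries maps a UPN to the set of countries seen in earlier
    successful sign-ins (the per-user baseline). Returns a list of alert dicts.
    """
    alerts = []
    failures = defaultdict(int)  # consecutive bad-password attempts per user
    baseline = {user: set(countries) for user, countries in known_countries.items()}

    for ev in events:
        p = ev["properties"]
        user = p["userPrincipalName"]
        code = p.get("status", {}).get("errorCode", -1)
        # Location is not guaranteed on every event (the lockout sample has
        # none), so fall back to a placeholder rather than raising KeyError.
        country = p.get("location", {}).get("countryOrRegion", "unknown")

        if code == ERR_ACCOUNT_LOCKED:
            # Help Desk style alert: the account has just been locked out.
            alerts.append({"rule": "account_locked", "user": user,
                           "time": ev["time"], "detail": p.get("ipAddress", "")})
        elif code == ERR_BAD_PASSWORD:
            failures[user] += 1
            if failures[user] == failure_threshold:
                alerts.append({"rule": "repeated_failures", "user": user,
                               "time": ev["time"], "detail": failures[user]})
        elif code == ERR_SUCCESS:
            if failures[user] >= failure_threshold:
                # A success right after a burst of failures deserves a look.
                alerts.append({"rule": "success_after_failures", "user": user,
                               "time": ev["time"], "detail": failures[user]})
            failures[user] = 0
            if country not in baseline.setdefault(user, set()):
                # SecOps style alert: successful sign-in from a new country.
                alerts.append({"rule": "new_country_login", "user": user,
                               "time": ev["time"], "detail": country})
                baseline[user].add(country)
    return alerts


def run_sample():
    """Run the rules over the constructed sample with a constructed baseline."""
    known = {"alice@example.com": {"DE"}, "bob@example.com": {"US"}}
    return detect(parse_events(SAMPLE_SIGNIN_EVENTS), known)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

    On the sample, alice's Brazil sign-in fires new_country_login, and bob produces repeated_failures on the third bad password, account_locked, then success_after_failures when the sign-in finally succeeds. In QRadar the same logic maps onto a stateful rule (failures counted in a function test over a time window) plus a reference set for the per-user country baseline; the threshold of three is a placeholder to be tuned.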



  • 3.  RE: Microsoft Azure Products need to be integrated with QRadar

    Posted Tue October 22, 2024 01:47 AM
    Edited by Adam McDonald Tue October 22, 2024 01:49 AM

    One list of data source types to start with is the list of data source types which (for alerts) are free to ingest in the Microsoft Sentinel SIEM:

    https://learn.microsoft.com/en-us/azure/sentinel/billing?tabs=simplified%2Ccommitment-tiers#free-data-sources

    Microsoft Sentinel data connector     Free data type
    ----------------------------------    --------------------------------------------
    Azure Activity Logs                   AzureActivity
    Health monitoring for Microsoft       SentinelHealth
      Sentinel
    Microsoft Entra ID Protection         SecurityAlert (IPC)
    Office 365                            OfficeActivity (SharePoint)
                                          OfficeActivity (Exchange)
                                          OfficeActivity (Teams)
    Microsoft Defender for Cloud          SecurityAlert (Defender for Cloud)
    Microsoft Defender for IoT            SecurityAlert (Defender for IoT)
    Microsoft Defender XDR                SecurityIncident
                                          SecurityAlert
    Microsoft Defender for Endpoint       SecurityAlert (MDATP)
    Microsoft Defender for Identity       SecurityAlert (AATP)
    Microsoft Defender for Cloud Apps     SecurityAlert (Defender for Cloud Apps)

    For how to integrate these into QRadar see the DSM/Log Source guide:  https://www.ibm.com/docs/en/dsm?topic=configuration-microsoft

    ------------------------------
    Adam McDonald CISSP, CEH
    ------------------------------



  • 4.  RE: Microsoft Azure Products need to be integrated with QRadar

    Posted Thu November 07, 2024 03:32 AM

    I'm looking more for whether any of the resources below can be integrated with QRadar:

    • Action group
    • Activity log alert rule
    • API Connection
    • Application group
    • Application security group
    • Bastion
    • Connection
    • Disk
    • Event Hubs Namespace
    • Firewall
    • Firewall Policy
    • Host pool
    • IP Group
    • Key vault
    • Local network gateway
    • Log Analytics query pack
    • Log Analytics workspace
    • Log search alert rule
    • Logic app
    • Managed Identity
    • NAT gateway
    • Network Interface
    • Network security group
    • Network Watcher
    • Private endpoint
    • Public IP address
    • Public IP Prefix
    • Recovery Services vault
    • Restore Point Collection
    • Route table
    • Snapshot
    • Solution
    • SQL database
    • SQL server
    • SQL virtual machine
    • Storage account
    • Translator
    • Virtual machine
    • Virtual network
    • Virtual network gateway
    • Workspace
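    Every resource type in the list above is created and changed through Azure Resource Manager, so the Azure Activity Log (the first row of Adam's table) records control-plane operations on all of them, whether or not a given type also emits its own resource logs through diagnostic settings. That makes a single Activity Log feed the quickest way to get coverage of this whole inventory. The block below is an added example for this thread, not code from the post, from IBM or from Microsoft: it parses a constructed Event Hub export envelope (a `records` array, the format Azure Monitor writes when it streams to an Event Hub), derives the resource type from each `resourceId`, skips the `Start` records that long-running operations emit alongside their `Success`/`Failure` record so nothing is double counted, and flags a few operations a SOC would normally want an offense for. The field names, the subscription ID, the resource names, the caller and the choice of "sensitive" types are assumptions made for the example.

```python
import json
from collections import Counter, defaultdict

# Constructed sample in the shape of an Azure Monitor Event Hub export:
# one envelope whose "records" array holds Activity Log entries. Field names
# (resourceId, operationName, category, resultType, callerIpAddress) are
# assumptions based on the Activity Log export schema; the subscription ID,
# resource names and caller address are made up for this example.
_SUB = "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/RG-PROD/PROVIDERS/"
SAMPLE_ENVELOPE = json.dumps({"records": [
    {"time": "2024-10-18T09:00:00Z", "resourceId": _SUB + "MICROSOFT.KEYVAULT/VAULTS/KV-PROD",
     "operationName": "MICROSOFT.KEYVAULT/VAULTS/WRITE", "category": "Administrative",
     "resultType": "Start", "callerIpAddress": "203.0.113.5"},
    {"time": "2024-10-18T09:00:03Z", "resourceId": _SUB + "MICROSOFT.KEYVAULT/VAULTS/KV-PROD",
     "operationName": "MICROSOFT.KEYVAULT/VAULTS/WRITE", "category": "Administrative",
     "resultType": "Success", "callerIpAddress": "203.0.113.5"},
    {"time": "2024-10-18T09:02:00Z", "resourceId": _SUB + "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSG-WEB/SECURITYRULES/ALLOW-SSH",
     "operationName": "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE", "category": "Administrative",
     "resultType": "Success", "callerIpAddress": "203.0.113.5"},
    {"time": "2024-10-18T09:05:00Z", "resourceId": _SUB + "MICROSOFT.COMPUTE/VIRTUALMACHINES/VM-APP01",
     "operationName": "MICROSOFT.COMPUTE/VIRTUALMACHINES/DELETE", "category": "Administrative",
     "resultType": "Success", "callerIpAddress": "198.51.100.9"},
    {"time": "2024-10-18T09:06:00Z", "resourceId": _SUB + "MICROSOFT.STORAGE/STORAGEACCOUNTS/STPRODDATA",
     "operationName": "MICROSOFT.STORAGE/STORAGEACCOUNTS/LISTKEYS/ACTION", "category": "Administrative",
     "resultType": "Success", "callerIpAddress": "198.51.100.9"},
    {"time": "2024-10-18T09:08:00Z", "resourceId": _SUB + "MICROSOFT.NETWORK/BASTIONHOSTS/BAS-PROD",
     "operationName": "MICROSOFT.NETWORK/BASTIONHOSTS/WRITE", "category": "Administrative",
     "resultType": "Failure", "callerIpAddress": "203.0.113.5"},
    {"time": "2024-10-18T09:09:00Z", "resourceId": _SUB + "MICROSOFT.COMPUTE/DISKS/VM-APP01-OSDISK",
     "operationName": "MICROSOFT.COMPUTE/DISKS/WRITE", "category": "Administrative",
     "resultType": "Success", "callerIpAddress": "203.0.113.5"},
]})

# Example choice of types where any write changes a security boundary.
SENSITIVE_TYPES = {
    "MICROSOFT.KEYVAULT/VAULTS",
    "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS",
    "MICROSOFT.NETWORK/AZUREFIREWALLS",
    "MICROSOFT.NETWORK/FIREWALLPOLICIES",
}
# Example choice of POST actions that hand out credential material.
SENSITIVE_ACTIONS = {"LISTKEYS/ACTION"}


def parse_envelope(text):
    """Return the list of records from an Event Hub export envelope."""
    return json.loads(text)["records"]


def resource_type(resource_id):
    """Derive 'PROVIDER/TYPE' from an ARM resource ID.

    Nested resources (e.g. an NSG security rule) resolve to their top-level
    parent type so that inventory is keyed per resource, not per child.
    """
    parts = [p for p in resource_id.upper().split("/") if p]
    if "PROVIDERS" not in parts:
        return "UNKNOWN"
    i = parts.index("PROVIDERS")
    if len(parts) < i + 3:
        return "UNKNOWN"
    return parts[i + 1] + "/" + parts[i + 2]


def completed(records):
    """Keep only terminal records; drop the 'Start' record of long-running ops."""
    return [r for r in records if r.get("resultType") in ("Success", "Failure")]


def summarize(records):
    """Count completed operations per resource type and result."""
    out = defaultdict(Counter)
    for r in completed(records):
        out[resource_type(r["resourceId"])][r["resultType"]] += 1
    return {k: dict(v) for k, v in out.items()}


def flag_sensitive(records):
    """Return the completed operations an offense rule would normally fire on."""
    hits = []
    for r in completed(records):
        op = r["operationName"].upper()
        rtype = resource_type(r["resourceId"])
        if op.endswith("/DELETE"):
            reason = "resource deleted"
        elif rtype in SENSITIVE_TYPES and op.endswith("/WRITE"):
            reason = "security boundary changed"
        elif any(op.endswith("/" + a) for a in SENSITIVE_ACTIONS):
            reason = "credential material read"
        else:
            continue
        hits.append({"time": r["time"], "type": rtype, "operation": op,
                     "result": r["resultType"], "caller": r.get("callerIpAddress", ""),
                     "reason": reason})
    return hits


if __name__ == "__main__":
    recs = parse_envelope(SAMPLE_ENVELOPE)
    print(json.dumps(summarize(recs), indent=2))
    for hit in flag_sensitive(recs):
        print(hit)
```

    On the sample this yields one Success per resource type (the Key Vault `Start` record is not counted), one Failure for the Bastion host, and four flagged operations: the Key Vault write, the NSG rule write, the VM delete and the storage account `listKeys` action. Resource-specific detail (which key was read, which secret was accessed, what traffic the firewall dropped) is not in the Activity Log; for that, the resource types that support diagnostic settings have to be exported separately, which is where the per-product entries in the DSM guide Adam linked come in.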