IBM QRadar

Hello,

we want to monitor our customer Azure AD logins.

I see that we can add different Azure log sources; Azure AD uses Microsoft Azure Event Hub API to forward logs to Qradar, while Azure Security Center uses the Microsoft Graph Security API.

Could someone explain me how these two options differ?

Which one is the best option to monitor user signin activity and the use of federated applications?

Best Regards

Davide

Hi,

Azure AD and Azure Security Center are two different services provided by Microsoft for its end user to consume.

As far as difference is concerned, Security Center has a out-of-the-box integration with Microsoft Graph Security API. This API can be used to stream alerts from your entire tenant (and data from many other Microsoft Security products) into third-party SIEMs.

If you just want to monitor the sign-in activity, then the good choice would be to integrate your Azure AD using Event Hub by following the QRadar official DSM guide. Check this out https://www.ibm.com/docs/en/dsm?topic=microsoft-azure-active-directory

Hope it helps.

Hi,

thanks for your response.

Our customer has already access to Microsoft Graph Security API, so he is asking if we can retrieve signin events also from Security Center without configuring Event Hub..is it possible, event with some limitations?

Otherwise we will proceed to configure Event Hub and collect events from this one.

B Regards

Davide

This is a question that you should ask to your Azure support team whether you can or cannot get the login events from Azure Security Center (ASC). If you see the QRadar DSM for ASC, then it says Recorded event types Security alert. If you are seeing the login activity events and even after that you are not seeing that in QRadar, then you should consider getting that from Azure AD using Event Hub.

As I had suggested earlier, a good option is to get the sign-in events from Azure AD.