IBM QRadar

  • 1.  Office365 Logs: Unknown Azure Active Directory Event

    Posted Thu March 11, 2021 11:14 AM
    Hey guys,

    I added Office 365 logs to my QRadar instance by following these instructions: https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/com.ibm.dsm.doc/c_dsm_guide_microsoft_office_365_overview.html

    Unfortunately some Azure Active Directory events are not getting parsed (see example below). QRadar categorizes them as "Unknown Azure Active Directory Event".

    I am using the Office 365 REST API and the following DSM is installed:
    DSM-MicrosoftOffice365-7.4-20200828135157.noarch
    QRadar version: 7.4.2

    The Log Source Configuration test ends successfully.

    Do you have any recommendations?


    Example Event:
    {"CreationTime":"2021-03-10T13:10:57","Id":"REDACTED","Operation":"UserLoggedIn","OrganizationId":"REDACTED","RecordType":15,"ResultStatus":"Success","UserKey":"REDACTED","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"REDACTED-IP","ObjectId":"REDACTED","UserId":"REDACTED@example.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"ResultStatusDetail","Value":"Redirect"},{"Name":"UserAgent","Value":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Teams/1.4.00.4167 Chrome/80.0.3987.165 Electron/8.5.1 Safari/537.36"},{"Name":"RequestType","Value":"OAuth2:Authorize"}],"ModifiedProperties":[],"Actor":[{"ID":"REDACTED","Type":0},{"ID":"REDACTED@example.com","Type":5}],"ActorContextId":"REDACTED","ActorIpAddress":"REDACTED-IP","InterSystemsId":"REDACTED","IntraSystemId":"REDACTED","SupportTicketId":"","Target":[{"ID":"REDACTED","Type":0}],"TargetContextId":"REDACTED","ApplicationId":"REDACTED","ErrorNumber":"0"}


    Thank you!



    ------------------------------
    jan4401
    ------------------------------


  • 2.  RE: Office365 Logs: Unknown Azure Active Directory Event

    Posted Thu March 11, 2021 07:43 PM
    Hi Jan,

    There is also a Content Package for Azure available: https://exchange.xforce.ibmcloud.com/hub/extension/7a89f51852efa37de0809457ef1006dd
    This article has some additional info about it, with another 30 CEPs: https://www.ibm.com/support/knowledgecenter/SS42VS_SHR/com.ibm.extensions.doc/r_azure.html?cm_mc_uid=68116991514016152732843&cm_mc_sid_50200000=25565931615509005736


    Regards,
    Ralph

    ------------------------------
    Ralph Belfiore
    IT Security Senior Consulting
    pro4bizz GmbH
    Karlsruhe
    +49 721 90981720
    ------------------------------



  • 3.  RE: Office365 Logs: Unknown Azure Active Directory Event

    Posted Fri March 12, 2021 02:12 AM

    Hi Ralph,

    thanks for the answer.

    Unfortunately we have already installed the Azure Content Pack and the Content Extension for Office 365.

    Best Regards
    Jan




    ------------------------------
    jan4401
    ------------------------------



  • 4.  RE: Office365 Logs: Unknown Azure Active Directory Event

    Posted Fri March 12, 2021 09:18 AM
    Hi everyone,

    We are facing the same issues on our QRadar instance. It's affecting us mainly on detection rules, because it's not picking up User Successful Logon.
    It's not related to CEPs though, but more to event categorization & mapping.

    We informed support teams 6 weeks ago, but we are waiting for improvements.

    ------------------------------
    Guillaume BUFFIER
    ------------------------------



  • 5.  RE: Office365 Logs: Unknown Azure Active Directory Event

    Posted Mon March 15, 2021 10:07 AM
    Hi,
    Can you post your payload so we can have a look and potentially adjust the parser, and give you some instructions on how to do this through the DSM Editor?

    Kind Regards... Slawek.

    Slawek Gawlowski

    Security Technical Specialist
    IBM Technology Sales, A/NZ

    Mobile: +61 434-609-881
    601 Pacific Highway, St Leonards, NSW 2065






  • 6.  RE: Office365 Logs: Unknown Azure Active Directory Event

    Posted Mon March 15, 2021 10:06 AM

    Jan, 

    You have two options:

    1. Open a case with IBM support and ask to modify DSM.

    Or

    2. Use the DSM Editor and create a parser, QID and mapping.

    If you have any questions about how to use the DSM Editor, ping me on my email and I can help you
    (Slawek.gawlowski@ibm.com)



    ------------------------------
    Slawek GAWLOWSKI
    ------------------------------
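As an added example (not from the thread, IBM or the DSM itself), here is the parse-and-map step from option 2 written out in Python: it extracts the fields a logon rule keys on from a constructed copy of the UserLoggedIn record quoted above, including the Name/Value pairs inside ExtendedProperties, and maps (Operation, ResultStatus) to a normalized event name, with anything unmapped falling through to "Unknown Azure Active Directory Event" just as the thread describes. The EVENT_MAP table, the field names it normalizes to, and the sample values are assumptions, not QRadar's own QID map.

```python
import json

# Constructed sample, modelled on the redacted UserLoggedIn record in the thread.
SAMPLE_EVENT = json.dumps({
    "CreationTime": "2021-03-10T13:10:57",
    "Operation": "UserLoggedIn",
    "RecordType": 15,
    "ResultStatus": "Success",
    "Workload": "AzureActiveDirectory",
    "ClientIP": "203.0.113.10",
    "UserId": "alice@example.com",
    "AzureActiveDirectoryEventType": 1,
    "ExtendedProperties": [
        {"Name": "ResultStatusDetail", "Value": "Redirect"},
        {"Name": "UserAgent", "Value": "Mozilla/5.0 Teams/1.4.00.4167"},
        {"Name": "RequestType", "Value": "OAuth2:Authorize"},
    ],
    "Actor": [{"ID": "11111111-2222", "Type": 0},
              {"ID": "alice@example.com", "Type": 5}],
    "ErrorNumber": "0",
})

# Hypothetical mapping of (Operation, ResultStatus) -> (event name, category);
# stands in for the QID map one would build in the DSM Editor.
EVENT_MAP = {
    ("UserLoggedIn", "Success"): ("User Login Success", "Authentication"),
    ("UserLoggedIn", "Failed"): ("User Login Failure", "Authentication"),
}
UNKNOWN = ("Unknown Azure Active Directory Event", "Unknown")


def extended_property(event: dict, name: str):
    """Return the Value of the ExtendedProperties entry called `name`, or None."""
    for prop in event.get("ExtendedProperties", []):
        if prop.get("Name") == name:
            return prop.get("Value")
    return None


def normalize(payload: str) -> dict:
    """Parse one Office 365 audit record into the fields a detection rule keys on."""
    event = json.loads(payload)
    name, category = EVENT_MAP.get((event.get("Operation"), event.get("ResultStatus")), UNKNOWN)
    return {
        "event_name": name,
        "category": category,
        "username": event.get("UserId"),
        # ClientIP is present on the quoted record; ActorIpAddress is the fallback.
        "source_ip": event.get("ClientIP") or event.get("ActorIpAddress"),
        "request_type": extended_property(event, "RequestType"),
        "user_agent": extended_property(event, "UserAgent"),
        "time": event.get("CreationTime"),
    }
```

Running `normalize(SAMPLE_EVENT)` yields "User Login Success" for the quoted record; a record whose Operation/ResultStatus pair is not in the map comes back as "Unknown Azure Active Directory Event", which is the symptom the thread is chasing.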



  • 7.  RE: Office365 Logs: Unknown Azure Active Directory Event

    Posted Mon March 22, 2021 09:23 AM

    Hi Slawek,

    I opened a ticket.

    Thanks



    ------------------------------
    jan4401
    ------------------------------