Hello all,

does anyone have some tips/tricks/guides for parsing the Microsoft defender for cloud logs in Qradar? Info such what is important to parse, what not etc.
Thank you.

Regards

------------------------------
Tomas Tyser
------------------------------

Hi,

For defender cloud I use "QRadar Microsoft 365 Defender DSM and depending on the event type, I make some custom properties. For example:

Event Name: Process Created
category
DeviceName
FileName
FolderPath
ProcessCommandLine
Hash

Event Name : Interactive Logon Success
LogonType
Protocol
AccountDisplayName
AccountUpn
AccountName
AccountDomain
TargetComputerOperatingSystem

And so on...

https://www.ibm.com/docs/en/dsm?topic=microsoft-365-defender

------------------------------
Carlos Medina
------------------------------

Original Message:
Sent: Mon October 24, 2022 07:18 AM
From: Tomas Tyser
Subject: Parsing logs from Microsoft defender for cloud

Hello all,

does anyone have some tips/tricks/guides for parsing the Microsoft defender for cloud logs in Qradar? Info such what is important to parse, what not etc.
Thank you.

Regards

------------------------------
Tomas Tyser
------------------------------

Hello Carlos, thank you for the reply. I did try that first, but I could not find the type of events under M 365 D I get from the Cloud :/

------------------------------
Tomas Tyser
------------------------------

Original Message:
Sent: Tue October 25, 2022 07:43 AM
From: Carlos Medina
Subject: Parsing logs from Microsoft defender for cloud

Hi,

For defender cloud I use "QRadar Microsoft 365 Defender DSM and depending on the event type, I make some custom properties. For example:

Event Name: Process Created
category
DeviceName
FileName
FolderPath
ProcessCommandLine
Hash

Event Name : Interactive Logon Success
LogonType
Protocol
AccountDisplayName
AccountUpn
AccountName
AccountDomain
TargetComputerOperatingSystem

And so on...

https://www.ibm.com/docs/en/dsm?topic=microsoft-365-defender

------------------------------
Carlos Medina

Original Message:
Sent: Mon October 24, 2022 07:18 AM
From: Tomas Tyser
Subject: Parsing logs from Microsoft defender for cloud

Hello all,

does anyone have some tips/tricks/guides for parsing the Microsoft defender for cloud logs in Qradar? Info such what is important to parse, what not etc.
Thank you.

Regards

------------------------------
Tomas Tyser
------------------------------

Hi Tomas,

I would recommend to use content pack which parses fields from payload:

take a look:

https://exchange.xforce.ibmcloud.com/hub/extension/c8e594fa5d744dcb23859a8fb060bc9d

------------------------------
[Ashish] [Khandewale] [Security Consultant]
[SIOC]
[IBM Canada]
------------------------------

Original Message:
Sent: Wed October 26, 2022 09:12 AM
From: Tomas Tyser
Subject: Parsing logs from Microsoft defender for cloud

Hello Carlos, thank you for the reply. I did try that first, but I could not find the type of events under M 365 D I get from the Cloud :/

------------------------------
Tomas Tyser

Original Message:
Sent: Tue October 25, 2022 07:43 AM
From: Carlos Medina
Subject: Parsing logs from Microsoft defender for cloud

Hi,

For defender cloud I use "QRadar Microsoft 365 Defender DSM and depending on the event type, I make some custom properties. For example:

Event Name: Process Created
category
DeviceName
FileName
FolderPath
ProcessCommandLine
Hash

Event Name : Interactive Logon Success
LogonType
Protocol
AccountDisplayName
AccountUpn
AccountName
AccountDomain
TargetComputerOperatingSystem

And so on...

https://www.ibm.com/docs/en/dsm?topic=microsoft-365-defender

------------------------------
Carlos Medina

Original Message:
Sent: Mon October 24, 2022 07:18 AM
From: Tomas Tyser
Subject: Parsing logs from Microsoft defender for cloud

Hello all,

does anyone have some tips/tricks/guides for parsing the Microsoft defender for cloud logs in Qradar? Info such what is important to parse, what not etc.
Thank you.

Regards

------------------------------
Tomas Tyser
------------------------------