IBM QRadar

  • 1.  Rules (use cases) for Azure log monitoring

    Posted Thu February 20, 2020 01:57 AM
    Hi All,

    After successful integration with Microsoft Azure, we are now moving towards the next step, where we need to create use cases (rules) to monitor the events we are receiving and generate offenses.
    Currently we are receiving the below types of logs in QRadar from the Azure Event Hub.

    Log type

    Azure AD logs

    Application Gateway:
      - Firewall logs
      - Performance logs
      - Access logs

    Azure Monitor – Activity Logs
      1) Administrative
      2) ResourceHealth
      3) ServiceHealth
      4) Alert
      5) Auto scale
      6) Security
      7) Policy
      8) Recommendation

    I need your inputs/suggestions for rule creation.

    Regards
    Asif Siddiqui

    ------------------------------
    asif siddiqui
    ------------------------------


  • 2.  RE: Rules (use cases) for Azure log monitoring

    Posted Thu February 20, 2020 07:32 AM

    Hi @asif siddiqui,

    I would recommend first checking out the content packs on the QRadar App Exchange. The content pack has Azure rules ready for you.

    https://exchange.xforce.ibmcloud.com/hub/extension/7a89f51852efa37de0809457ef1006dd

    ------------------------------
    Chinmay Kulkarni
    ------------------------------



  • 3.  RE: Rules (use cases) for Azure log monitoring

    Posted Fri February 21, 2020 03:22 PM
    Hi guys

    I would also recommend the IBM QRadar Virtualized Environment Content Extension: https://exchange.xforce.ibmcloud.com/hub/extension/675d6f51a1c65c557331b916d18bbd03

    This pack monitors abnormal behaviour on Azure, AWS, O365, VMware, etc. It also includes a Pulse dashboard and reports.

    The Azure pack is interesting for getting Custom Properties; the second pack provides more advanced detection rules based on these properties.

    Check out the screenshots :)

    ------------------------------
    Gladys Koskas
    ------------------------------
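The two-layer approach Gladys describes, custom properties extracted first and detection rules evaluated on top of them, as an added example that is not part of this thread or of either content pack: a small Python rule pass over constructed Azure Event Hub records. The record field layout, the sample values and the privileged-operation watch list are assumptions for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed records in the shape Azure Event Hub forwards (field layout is an
# assumption): 3 failed sign-ins by one user in 5 min, 1 success, 1 admin event.
SAMPLE_LINES = [
    '{"time":"2020-02-20T01:00:00Z","category":"SignInLogs","properties":{"userPrincipalName":"alice@example.com","status":{"errorCode":50126}}}',
    '{"time":"2020-02-20T01:01:30Z","category":"SignInLogs","properties":{"userPrincipalName":"alice@example.com","status":{"errorCode":50126}}}',
    '{"time":"2020-02-20T01:03:10Z","category":"SignInLogs","properties":{"userPrincipalName":"alice@example.com","status":{"errorCode":50126}}}',
    '{"time":"2020-02-20T01:04:00Z","category":"SignInLogs","properties":{"userPrincipalName":"bob@example.com","status":{"errorCode":0}}}',
    '{"time":"2020-02-20T01:10:00Z","category":"Administrative","caller":"carol@example.com","operationName":"Microsoft.Authorization/roleAssignments/write","resultType":"Success"}',
]

def extract_properties(line):
    """Layer 1 (custom properties): flatten one raw record into rule-ready fields."""
    rec = json.loads(line)
    props = rec.get("properties", {})
    return {
        "time": datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ"),
        "category": rec.get("category"),
        "user": props.get("userPrincipalName") or rec.get("caller"),
        "operation": rec.get("operationName"),
        "error_code": props.get("status", {}).get("errorCode"),
        "result": rec.get("resultType"),
    }

def failed_signin_rule(events, threshold=3, window=timedelta(minutes=5)):
    """Layer 2: a user with >= threshold failed sign-ins inside `window`."""
    failures = defaultdict(list)
    for ev in events:
        if ev["category"] == "SignInLogs" and ev["error_code"] not in (0, None):
            failures[ev["user"]].append(ev["time"])
    offenders = []
    for user, times in failures.items():
        times.sort()  # sliding window over sorted timestamps
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            offenders.append(user)
    return sorted(offenders)

PRIVILEGED_OPS = {"Microsoft.Authorization/roleAssignments/write"}  # assumed watch list
def admin_change_rule(events):
    """Layer 2: every successful Administrative operation on the watch list."""
    return [f'{ev["user"]}:{ev["operation"]}' for ev in events
            if ev["category"] == "Administrative"
            and ev["operation"] in PRIVILEGED_OPS and ev["result"] == "Success"]

def run_rules(lines):
    events = [extract_properties(line) for line in lines]
    return {"repeated_failed_signins": failed_signin_rule(events),
            "privileged_admin_changes": admin_change_rule(events)}
```

Each returned entry is what a QRadar rule response would turn into an offense; tune `threshold` and `window` to the tenant's normal failure rate before enabling the rule.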
