IBM QRadar


 How to configure Log Sources from MS cloud

Stefano Pescosolido posted Mon January 06, 2025 02:21 PM

Hello.

I am new to QRadar. In my lab environment with QRadar 7.5 Community Edition I have two issues related to Log Sources from MS cloud, one related to the protocol MS Azure Event Hubs and the second one related to the protocol MS Graph Security API. I have described both these issues in this short video (6 min.): https://www.youtube.com/watch?v=CPwiUYtOwOw

Any help to get these issues solved is very appreciated!

A few details are here below.

--> ISSUE #1, with MS Azure Event Hubs <--
 
I have installed the latest DSM for Microsoft Active Directory and Microsoft Platform, as well as the latest protocol for Microsoft Event Hubs. All changes were successfully deployed. I then configured two log sources using the Microsoft Event Hubs protocol: one for retrieving MS Entra (Azure AD) events with the new Azure AD DSM, and one for retrieving MS Azure Activity Logs events with the new Azure Platform DSM. On the MS Azure side, I have configured everything to ensure that logs arrive from the respective sources (Entra and Azure Activity) to the related Event Hubs. On QRadar, I have correctly set up the connection strings to the MS Event Hubs (with a dedicated Consumer Group) and the MS Storage Accounts. I have checked, using a bash script, that my RHEL box hosting QRadar can successfully access the MS Storage Account using that exact connection string. On both QRadar Log Sources, the "Test configuration" feature returns success, but in the Log Source configuration, I get a warning: "ContainerNotFound (The specified container does not exist)." All the Azure-related parameters in the Log Sources configuration are correct. The issue here is not only related to the warning message; the main problem is that, in Log Activity, I do not get any logs from those log sources.
 
--> ISSUE #2, with MS Graph Security API <--
 
I have created two log sources using the MS Graph Security API as the protocol: one for the Microsoft Defender for Cloud DSM and one for the Microsoft 365 Defender DSM. The "Test configuration" feature on both these Log Sources is completely successful (I also see retrieved events), but in Log Activity, I do not get any logs from these sources.
 
What am I doing wrong? How can I ensure that log events are retrieved from these four log sources and visible in Log Activity?
 
Thanks a lot!
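An offline pre-check for the two connection strings an Event Hubs log source consumes (the Event Hubs string and the Storage Account string) plus the Blob container name, added here as an example and not taken from the post or from QRadar itself. It parses both strings, validates the container name against Azure's Blob container naming rules (3 to 63 characters, lowercase letters, digits and single hyphens, starting with a letter or digit), and reports the URL the container would have, so a "ContainerNotFound" warning can be traced to a typo, a casing mismatch or a container that was never created before any network test is run. The connection strings, account names and container names below are constructed sample values, and `precheck()` is a hypothetical helper name.

```python
"""Offline sanity check of Azure Event Hubs / Storage connection strings.

Added example (not QRadar code). It does no network I/O: it only parses
the strings, validates the container name and builds the container URL.
"""
import re

# Azure Blob container naming rule: 3-63 chars, lowercase letters, digits,
# hyphens; must start with a letter or digit; no consecutive or trailing
# hyphens. The lookahead forces every hyphen to be followed by a letter/digit.
CONTAINER_RE = re.compile(r"^[a-z0-9](?:[a-z0-9]|-(?=[a-z0-9])){2,62}$")


def parse_connection_string(cs: str) -> dict:
    """Split 'Key=Value;Key=Value' into a dict.

    Values (base64 keys) may themselves contain '=', so split on the first
    '=' only.
    """
    parts = {}
    for piece in cs.strip().strip(";").split(";"):
        if not piece:
            continue
        if "=" not in piece:
            raise ValueError(f"malformed segment: {piece!r}")
        key, value = piece.split("=", 1)
        parts[key.strip()] = value.strip()
    return parts


def storage_container_url(storage_cs: str, container: str) -> str:
    """Return the https URL of the container, or raise on a bad string/name."""
    p = parse_connection_string(storage_cs)
    for required in ("AccountName", "AccountKey"):
        if required not in p:
            raise ValueError(f"storage connection string lacks {required}")
    if not CONTAINER_RE.match(container):
        raise ValueError(
            f"invalid container name {container!r}: use 3-63 lowercase "
            "letters, digits and single hyphens")
    # Explicit BlobEndpoint wins; otherwise derive it from account + suffix.
    blob_endpoint = p.get("BlobEndpoint")
    if not blob_endpoint:
        proto = p.get("DefaultEndpointsProtocol", "https")
        suffix = p.get("EndpointSuffix", "core.windows.net")
        blob_endpoint = f"{proto}://{p['AccountName']}.blob.{suffix}"
    return f"{blob_endpoint.rstrip('/')}/{container}"


def event_hub_summary(hub_cs: str) -> dict:
    """Extract namespace, SAS policy name and (optional) event hub name."""
    p = parse_connection_string(hub_cs)
    for required in ("Endpoint", "SharedAccessKeyName", "SharedAccessKey"):
        if required not in p:
            raise ValueError(f"event hub connection string lacks {required}")
    if not p["Endpoint"].startswith("sb://"):
        raise ValueError("Endpoint must start with sb://")
    return {
        "namespace": p["Endpoint"][len("sb://"):].rstrip("/"),
        "policy": p["SharedAccessKeyName"],
        # EntityPath is present only in entity-level (per-hub) strings.
        "event_hub": p.get("EntityPath"),
    }


def precheck(hub_cs: str, storage_cs: str, container: str) -> dict:
    """Hypothetical helper: run both checks and return what was resolved."""
    hub = event_hub_summary(hub_cs)
    url = storage_container_url(storage_cs, container)
    return {**hub, "container_url": url}


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    HUB_CS = ("Endpoint=sb://qradarlab-ns.servicebus.windows.net/;"
              "SharedAccessKeyName=qradar-listen;SharedAccessKey=c2VjcmV0;"
              "EntityPath=entra-logs")
    STORAGE_CS = ("DefaultEndpointsProtocol=https;AccountName=qradarlab;"
                  "AccountKey=QUJDREVGRw==;EndpointSuffix=core.windows.net")
    print(precheck(HUB_CS, STORAGE_CS, "qradar-checkpoints"))
    for bad in ("QRadar-Checkpoints", "ab", "a--b", "ends-"):
        try:
            storage_container_url(STORAGE_CS, bad)
        except ValueError as exc:
            print("rejected:", exc)
```

Run it with the exact strings pasted into the log source form; a rejected container name or a URL that does not match the container visible in the Azure portal (the name is case-sensitive and must already exist) points at the configuration rather than at connectivity.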