Hi,
Azure Event Hubs and Office 365 are individual integrations. You will need a Microsoft Azure DSM and an Azure Event Hub protocol to ingest the following events (Network Security Group (NSG) Flow logs, Network Security Group (NSG) Logs, Authorization, Classic Compute, Classic Storage, Compute, Insights, KeyVault, SQL, Storage, Automation, Cache, CDN, Devices, Event Hub, HDInsight, Recovery Services, AppService, Batch, Bing Maps, Certificate Registration, Cognitive Services, Container Service, Content Moderator, Data Catalog, Data Factory, Data Lake Analytics, Data Lake Store, Domain Registration, Dynamics LCS, Features, Logic, Media, Notification Hubs, Search, Servicebus, Support, Web, Scheduler, Resources, Resource Health, Operation Insights, Market Place Ordering, API Management, AD Hybrid Health Service, Server Management) into QRadar (https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/com.ibm.dsm.doc/t_dsm_guide_microsoft_azure_enable_event_hubs.html?cp=SS42VS_7.3.1)
As for Office 365, we ingest data from the following content types (Azure Active Directory, Exchange, SharePoint, General, DLP, Service Communications), for which you will need the Microsoft Office 365 DSM and the Office 365 REST API Protocol, and you can get the following events if you have the subscriptions to those content types on the Office 365 side (https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema). QRadar's configuration is here: (https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/com.ibm.dsm.doc/c_dsm_guide_microsoft_office_365_overview.html?cp=SS42VS_7.3.1)
Azure Event Hub is a gateway protocol, which means it depends on what services you have enabled in the Azure Portal. If you have Linux / Palo Alto / F5 Networks / Check Point data stored in your Azure Event Hub, QRadar would ingest that data and automatically create a log source using our Traffic Analysis engine to determine which event payload belongs to which DSM. If you create an Azure Event Hub log source, you can see that the protocol doesn't actually produce events; it allows events to come in and get autodetected as an existing log source, or, if it's an event type that isn't recognized by QRadar, it will be unknown or stored, for which you can create a uDSM using the DSM Editor to parse and normalize the events.
If you're looking for native Azure Active Directory events from the Azure Event Hub integration, this is currently in development and targeted for release by the end of the year.
For Microsoft Graph Security API, this is essentially similar but more refined in terms of which Microsoft products are natively parsed. Microsoft Graph Security can ingest data from Security Center, MCAS, Office 365 ATP, Insight, Azure ATP, WDATP, Azure Identity Protection, and Azure Information Protection. With QRadar, we will need to create new or update existing DSMs to parse the events that would come from the Microsoft Graph Security API. In the first release of Microsoft Graph Security API support, we will be releasing a DSM for Security Center, which is targeted for the end of this year.
We will not be integrating Microsoft Graph Security API with Azure Event Hubs; they are two gateway protocols, which we would support separately.
------------------------------
Sophia McCarthy
QRadar Offering Manager
IBM Security
------------------------------
Original Message:
Sent: Tue September 10, 2019 02:20 PM
From: T R
Subject: Azure Active Directory and Office 365 Logging
Hello,
I am working on configuring our Azure Active Directory and Office 365 logging in QRadar on-prem. I see that there are options to collect data via the Office 365 REST API through the Microsoft Office 365 log source type or via syslog (event hubs) through the Microsoft Azure log source type.
I initially tried the event hubs and was getting data but was having to manually parse every field and the event types.
I have since switched to the Office 365 REST API and more of the events/data are being parsed, but I am not getting as much detail on events.
Does anybody have experience collecting data from Azure Active Directory and Office 365? If so, which log source type(s) are you leveraging to collect the data?
Seems like the Office 365 REST API option is the best fit (includes Azure Active Directory, Exchange, SharePoint, General, DLP, Service Communications), but it doesn't seem to get as much detail as the event hub option.
Appreciate any experience others can share.
Thanks!
Tim
------------------------------
Tim
------------------------------