Hi,
I've been working on this same project w/ our MSP, QRadar Support, and our Microsoft PFE.
There's a new set of directions regarding all of the various "Azure/Office365/Microsoft365" DSMs for QRadar in the next few months.
Microsoft pulled their instructions recently.
FYI,
Troy
------------------------------
Troy Barnhart
------------------------------
Original Message:
Sent: Mon November 18, 2019 02:05 PM
From: Jamaludeen A
Subject: O365 - Azure AD / MFA and Security event logs
Hello,
We only set up the API to send O365-related logs, and not the Azure AD / MFA and Security event logs (like risky login, risky users and risky activities alerts).
What settings do we need to configure to get the Azure AD, MFA, Intune, and security event logs from Microsoft Azure AD into the QRoC, so we can detect the type of activity like risky login, risky users and risky activities alerts?
------------------------------
Jamaludeen A
Security analyst
------------------------------