IBM Security QRadar


Azure identity protection events to QRADAR

  • 1.  Azure identity protection events to QRADAR

    Posted Wed February 24, 2021 11:23 PM
    Hi all,

    I am currently using the Azure Security Events DSM to parse the logs through the Microsoft Graph API. Unfortunately, as per IBM documentation, it states that only logs sent by the provider Azure Security Center would be parsed out successfully.

    I am looking to parse Identity Protection logs sent from Azure. Did anyone perform the custom parsing for the event categories?

    Also, I do not have a list of all categories to map to a title (QID).

    For example: see highlighted

    "azureSubscriptionId":null,"riskScore":null,"tags":[],"activityGroupName":null,"assignedTo":null,"category":"UnfamiliarLocation","closedDateTime":null,"comments":[],"confidence":null,"createdDateTime":"2021-02-22T11:05:08.0304112Z","description":"Sign-in with properties we've not seen recently for the given user","detectionIds":[],"eventDateTime":"2021-02-22T11:05:08.0304112Z","feedback":null,"incidentIds":[],"lastEventDateTime":null,"lastModifiedDateTime":"2021-02-22T11:07:21.7570425Z","recommendedActions":[],"severity":"medium","sourceMaterials":[],"status":"newAlert","title":"Unfamiliar sign-in properties","vendorInformation":{"provider":"IPC","providerVersion":null,"sub

    ------------------------------
    Vijay Reddy
    ------------------------------
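    As an added illustration (not IBM's DSM code or Microsoft's), the snippet below shows one way a custom parser could normalise a Graph Security alert like the one quoted above into the fields a QRadar custom event property and QID map would need. The category table, the severity scale values and the sample alert are assumptions; the table is seeded only with the category visible in the post, and any category not yet in it falls through to a generic event name so new categories can be collected and mapped later.

```python
"""Normalise a Microsoft Graph Security API alert for a QRadar custom DSM.

Added example, not IBM's or Microsoft's code. The category -> event-name
table is an assumption seeded only with the category seen in the post.
"""
import json
from datetime import datetime, timezone

# Assumed mapping; only "UnfamiliarLocation" comes from the posted alert.
CATEGORY_EVENT_NAMES = {
    "UnfamiliarLocation": "Identity Protection: Unfamiliar sign-in properties",
}
# Graph alert severity -> QRadar 1-10 severity scale (values are an assumption).
SEVERITY_MAP = {"informational": 1, "low": 3, "medium": 5, "high": 8, "unknown": 1}

# Constructed sample modelled on the alert fragment quoted in the post.
SAMPLE_ALERT = json.dumps({
    "category": "UnfamiliarLocation",
    "createdDateTime": "2021-02-22T11:05:08.0304112Z",
    "description": "Sign-in with properties we've not seen recently for the given user",
    "severity": "medium",
    "status": "newAlert",
    "title": "Unfamiliar sign-in properties",
    "vendorInformation": {"provider": "IPC", "providerVersion": None},
})

def parse_graph_time(value):
    """Graph emits 7 fractional digits; fromisoformat() accepts at most 6."""
    base, _, frac = value.rstrip("Z").partition(".")
    iso = base if not frac else f"{base}.{frac[:6].ljust(6, '0')}"
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)

def normalise_alert(raw):
    """Return the fields a QRadar custom property / QID mapping would consume."""
    alert = json.loads(raw)
    category = alert.get("category") or "Unknown"
    provider = (alert.get("vendorInformation") or {}).get("provider") or "unknown"
    event_name = CATEGORY_EVENT_NAMES.get(category)
    unmapped = event_name is None
    if unmapped:
        # Keep the raw category in the name so it can be added to the table later.
        event_name = f"Identity Protection: unmapped category {category}"
    created = alert.get("createdDateTime")
    return {
        "provider": provider,
        "category": category,
        "event_name": event_name,
        "unmapped": unmapped,
        "severity": SEVERITY_MAP.get((alert.get("severity") or "unknown").lower(), 1),
        "title": alert.get("title"),
        "event_time_epoch_ms": int(parse_graph_time(created).timestamp() * 1000) if created else None,
    }
```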


  • 2.  RE: Azure identity protection events to QRADAR

    Posted Thu February 25, 2021 10:24 AM
    Hi - We are also bringing in more logs via Security Graph than Security Center and are working on parsing. I'll check in on where we are at and update.

    Thanks,

    Ian