IBM QRadar

  • 1.  Azure identity protection events to QRADAR

    Posted Wed February 24, 2021 11:23 PM
    Hi all,

    I am currently using the Azure security events DSM to parse the logs through the Microsoft Graph API. Unfortunately, as per the IBM documentation, it states that only logs sent by provider "Azure Security Center" would be parsed out successfully.

    I am looking to parse identity protection logs sent from Azure. Did anyone perform the custom parsing for the event categories?

    Also, I do not have a list of all categories to map them to a title (QID).

    For example, see highlighted:

    "azureSubscriptionId":null,"riskScore":null,"tags":[],"activityGroupName":null,"assignedTo":null,"category":"UnfamiliarLocation","closedDateTime":null,"comments":[],"confidence":null,"createdDateTime":"2021-02-22T11:05:08.0304112Z","description":"Sign-in with properties we've not seen recently for the given user","detectionIds":[],"eventDateTime":"2021-02-22T11:05:08.0304112Z","feedback":null,"incidentIds":[],"lastEventDateTime":null,"lastModifiedDateTime":"2021-02-22T11:07:21.7570425Z","recommendedActions":[],"severity":"medium","sourceMaterials":[],"status":"newAlert","title":"Unfamiliar sign-in properties","vendorInformation":{"provider":"IPC","providerVersion":null,"sub

    ------------------------------
    Vijay Reddy
    ------------------------------
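The post asks how to handle Graph Security API alerts that the Azure Security Center DSM will not parse (here an Identity Protection alert with provider "IPC") and how to map the "category" field to an event name/QID without a full category list. The example below is added here and is not code from the thread, IBM, or Microsoft. It parses a Graph-style alert JSON, routes alerts whose provider is not Azure Security Center into LEEF records that a QRadar log source can consume, maps the one category visible in the post to an event name while falling back to the alert's own title for anything unmapped, and collects the categories still lacking a mapping so the list the poster is missing can be built from the feed itself. Assumptions: the sample alerts are constructed from the fragment in the post with the truncated tail filled in with placeholder values; the provider string "ASC" for Azure Security Center alerts, the LEEF 1.0 header layout and attribute names (devTime, devTimeFormat, sev, cat) are as recalled from Microsoft's and IBM's documentation and should be checked against them; the severity numbers are a chosen mapping, not an IBM default.

```python
import json
from datetime import datetime, timezone

# Only the category visible in the post has a known meaning; every other
# category falls back to the alert title in event_name(). Assumption: an
# operator extends this table as unmapped_categories() reveals new values.
CATEGORY_EVENT_NAME = {
    "UnfamiliarLocation": "Identity Protection: Unfamiliar sign-in properties",
}

# Graph severity strings -> QRadar 1..10 severity (chosen values, not an IBM default).
SEVERITY_TO_QRADAR = {"informational": 1, "low": 3, "medium": 5, "high": 8, "unknown": 5}

# Assumption: provider string carried by Azure Security Center alerts in the Graph API.
ASC_PROVIDER = "ASC"

# Constructed sample Graph response. The first alert mirrors the fragment in the post;
# the other two are placeholders (their category names are not real Azure categories).
SAMPLE_RESPONSE = json.dumps({"value": [
    {"id": "00000000-0000-0000-0000-000000000001", "azureSubscriptionId": None, "riskScore": None,
     "category": "UnfamiliarLocation", "createdDateTime": "2021-02-22T11:05:08.0304112Z",
     "description": "Sign-in with properties we've not seen recently for the given user",
     "eventDateTime": "2021-02-22T11:05:08.0304112Z", "severity": "medium", "status": "newAlert",
     "title": "Unfamiliar sign-in properties",
     "vendorInformation": {"provider": "IPC", "providerVersion": None, "subProvider": None, "vendor": "Microsoft"}},
    {"id": "00000000-0000-0000-0000-000000000002", "category": "PlaceholderCategory",
     "createdDateTime": "2021-02-22T12:00:00Z", "eventDateTime": "2021-02-22T12:00:00Z",
     "severity": "high", "status": "newAlert", "title": "Placeholder IPC alert",
     "vendorInformation": {"provider": "IPC", "providerVersion": None, "vendor": "Microsoft"}},
    {"id": "00000000-0000-0000-0000-000000000003", "category": "PlaceholderAscCategory",
     "createdDateTime": "2021-02-22T12:30:00Z", "eventDateTime": "2021-02-22T12:30:00Z",
     "severity": "low", "status": "newAlert", "title": "Placeholder ASC alert",
     "vendorInformation": {"provider": ASC_PROVIDER, "providerVersion": "1.0", "vendor": "Microsoft"}},
]})


def load_alerts(response_text: str) -> list:
    """Graph list endpoints wrap results in a top-level 'value' array."""
    return json.loads(response_text)["value"]


def parse_graph_time(ts: str) -> datetime:
    """Graph timestamps carry up to 7 fractional digits and a trailing Z; trim to 6 for strptime."""
    base, _, frac = ts.rstrip("Z").partition(".")
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    return dt.replace(microsecond=int((frac + "000000")[:6]), tzinfo=timezone.utc)


def event_name(alert: dict) -> str:
    """Mapped category -> curated name; unmapped -> '<provider>: <title>' so nothing is dropped."""
    cat = alert.get("category") or ""
    provider = (alert.get("vendorInformation") or {}).get("provider") or "Graph"
    return CATEGORY_EVENT_NAME.get(cat, f"{provider}: {alert.get('title') or cat or 'Unknown alert'}")


def qradar_severity(alert: dict) -> int:
    return SEVERITY_TO_QRADAR.get((alert.get("severity") or "unknown").lower(), 5)


def _clean(value) -> str:
    """LEEF attributes are tab-separated, so tabs/newlines in values must not survive."""
    return str("" if value is None else value).replace("\t", " ").replace("\n", " ").replace("|", "/")


def to_leef(alert: dict) -> str:
    """Build 'LEEF:1.0|Vendor|Product|Version|EventID|key=value<TAB>...' for a Graph alert."""
    vi = alert.get("vendorInformation") or {}
    when = parse_graph_time(alert.get("eventDateTime") or alert["createdDateTime"])
    header = "|".join(["LEEF:1.0", _clean(vi.get("vendor") or "Microsoft"),
                       _clean(vi.get("provider") or "GraphSecurity"),
                       _clean(vi.get("providerVersion") or "1.0"),
                       _clean(alert.get("category") or "UnknownCategory")])
    attrs = {
        "devTime": when.strftime("%b %d %Y %H:%M:%S"),
        "devTimeFormat": "MMM dd yyyy HH:mm:ss",
        "sev": qradar_severity(alert),
        "cat": alert.get("category"),
        "alertId": alert.get("id"),
        "eventName": event_name(alert),
        "title": alert.get("title"),
        "status": alert.get("status"),
        "description": alert.get("description"),
    }
    return header + "|" + "\t".join(f"{k}={_clean(v)}" for k, v in attrs.items())


def route(alerts: list):
    """ASC alerts are left to the Azure Security Center DSM; everything else becomes LEEF."""
    leef, passthrough = [], []
    for alert in alerts:
        if (alert.get("vendorInformation") or {}).get("provider") == ASC_PROVIDER:
            passthrough.append(alert)
        else:
            leef.append(to_leef(alert))
    return leef, passthrough


def unmapped_categories(alerts: list) -> list:
    """Categories seen in the feed that still lack an entry in CATEGORY_EVENT_NAME."""
    return sorted({a["category"] for a in alerts
                   if a.get("category") and a["category"] not in CATEGORY_EVENT_NAME})


if __name__ == "__main__":
    alerts = load_alerts(SAMPLE_RESPONSE)
    leef_lines, asc_alerts = route(alerts)
    print("\n".join(leef_lines))
    print("left to the ASC DSM:", [a["id"] for a in asc_alerts])
    print("categories still unmapped:", unmapped_categories(alerts))
```

Run it periodically against the real `/security/alerts` response instead of SAMPLE_RESPONSE and the printed "categories still unmapped" list grows into the category inventory the post is missing; each new value then gets a CATEGORY_EVENT_NAME entry and a matching QID on the QRadar side, while the fallback keeps unmapped alerts flowing as named events in the meantime.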


  • 2.  RE: Azure identity protection events to QRADAR

    Posted Thu February 25, 2021 10:24 AM
    Hi - We are also bringing in more logs via the Security Graph than Security Center and are working on parsing. I'll check in on where we are at and update.

    Thanks,

    Ian