Hi QRadar Community,
~This is an update to my earlier post: #BeyondTheDSMGuide: NEW Microsoft Cloud App Security Workflow ~
I’d like to shoutout my teammates Charlie Ma, Oleksandr Havlovych, Mike Richards, and Chris Collins for their contributions to this project as well as my counterpart at Microsoft, Dan Benjamin.
Anyway, just stopping by to let you all know that IBM Security has just posted a new workflow to Github (here) which allows users to ingest data from Microsoft Cloud App Security (MCAS) via the MCAS Rest API into QRadar and we have an early access DSM available for MCAS!!
This is the latest use of the IBM Universal Cloud Connector which was developed and released in 2020. The Universal Cloud Connector is designed to enable security teams to more easily ingest data from a wide range of REST API cloud-based applications and services for enhanced visibility. To address this new dynamic, the Universal Cloud Connector includes a new Universal Cloud REST API Protocol that enables you to create log sources for the acquisition of data from REST API compatible data sources that aren’t currently supported.
Instructions for using this workflow for ingesting MCAS data into QRadar are available on the GitHub.
I’m excited to share the following news!
We NOW have an early access MCAS DSM available. This DSM ingests the JSON formatted events brought into QRadar via the MCAS Workflow. These events are from both the activity and alert endpoints. The DSM includes coverage for the following normalized fields: (1) Username, (2) IP and (3) Event ID (all other fields should be captured as custom event properties). The QIDMap included identifies: (1) Unknown MCAS Events, (2) MCAS Alert Events and (3) MCAS Activity Events. For an invitation to the Early Access Program please email me: wendy.willner@ibm.com.
For any further parsing needs, please leverage the DSM Editor.
Are you going to give it a try? If so, let me know how it goes! Please feel free to reach out to me directly (wendy.willner@ibm.com).
Thanks,
Wendy Willner