IBM Security QRadar

  • 1.  Windows Security Event Logs via Event Hub

    Posted Fri March 01, 2024 07:21 AM

    I was wondering if anyone could help please. I have a number of Windows VMs in Azure that are sending Windows Security Event Logs to an Event Hub. I have set up a log source in QRadar following an IBM tech doc: https://www.ibm.com/support/pages/qradar-how-collect-windows-events-microsoft%C2%AE-azure-event-hub-quick-start-guide and it is not working quite as described in the tech doc. However, the biggest problem I am having is that the events from the VMs in Azure are in JSON, and the DSM for the Windows Security Event logs does not parse them. Am I missing something? Is it possible to ingest Windows events from Azure VMs into QRadar? Any help/advice would be greatly appreciated.



    ------------------------------
    Viorel Chicu
    ------------------------------


  • 2.  RE: Windows Security Event Logs via Event Hub

    Posted Mon March 11, 2024 04:40 AM

    Hi Viorel,

    The Microsoft Windows Security Event Log DSM (DSM-MicrosoftWindows) should be able to parse the events just fine even if they are JSON. Please check this page for examples (https://www.ibm.com/docs/en/dsm?topic=mwsel-microsoft-windows-security-event-log-sample-event-messages). Do your events match the sample event formatting?

    If you open your events in your own DSM Editor, do they say Parsed NOT mapped, or simply not parsed?

    Also, if you have a Log Source Extension (LSX) for this DSM enabled, it might be overriding the default parsing of JSON events - try disabling any overrides to rule this out.

    Else, if your events are parsed but not mapped - or if you're stuck - you can just open a support case including Getlogs from the Console and the eventcollector for these events, an event export in Full details/XML and screen captures of the entire log source configuration, and support will investigate.

    Best regards,



    ------------------------------
    Carl Mohn
    IBM
    Dublin
    ------------------------------



  • 3.  RE: Windows Security Event Logs via Event Hub

    Posted Tue March 12, 2024 07:24 AM

    Hi Carl,

    Thank you for your reply. The events when opened in the DSM editor say "Not Parsed". There are no extensions enabled for this log source. I checked the link that you posted and our event format is different from the examples in there. They are like this: {"Computer":"computername","EventCategory":13312,"EventData":"<DataItem Type=\"System.XmlData\" time=\"2024-02-22T09:10:59.3686279Z\" sourceHealthServiceId=\"9204c8ca-0e0f-4266-8f7a-acccab645eaf\"><EventData xmlns=\"http://schemas.microsoft.com/win/2004/08/events/event\

    I do have a case open with IBM support, but progress has been extremely slow. Perhaps the issue is related to what Stefano Pasa is describing in his reply: the events have to be collected with the Diagnostic Extension and not AMA or Log Analytics. I will ask the Azure team to confirm how the events are collected.



    ------------------------------
    Viorel Chicu
    ------------------------------



  • 4.  RE: Windows Security Event Logs via Event Hub

    Posted Tue March 12, 2024 04:23 AM

    Hi Viorel,

    The key is what you use to collect events from VMs. The only way to have events parsed is to collect them with the Diagnostic Extension, from what I saw. The AMA or Log Analytics agents are not working with the default parser.



    ------------------------------
    Stefano Pasa
    ------------------------------



  • 5.  RE: Windows Security Event Logs via Event Hub

    Posted Tue March 12, 2024 07:27 AM

    Hi Stefano, thank you for your reply. I will check with our Azure team to see how the events are collected. Currently the payload (beginning of payload) looks like this: {"Computer":"computername","EventCategory":13312,"EventData":"<DataItem Type=\"System.XmlData\" time=\"2024-02-22T09:10:59.3686279Z\" sourceHealthServiceId=\"9204c8ca-0e0f-4266-8f7a-acccab645eaf\"><EventData xmlns=\"http://schemas.microsoft.com/win/2004/08/events/event\



    ------------------------------
    Viorel Chicu
    ------------------------------
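    Added example (not from the thread or from IBM): a small Python helper for triaging records pulled from the Event Hub before they reach QRadar. It unwraps the JSON envelope shown in posts 3 and 5 (top-level Computer / EventCategory keys, with EventData holding a <DataItem Type="System.XmlData"> XML string) and pulls out the <Data Name="..."> pairs, so you can see which fields are actually present and confirm that the payload really has the JSON-plus-XML shape the DSM Editor reports as "Not Parsed". The sample record is constructed from the shape of the truncated payload in the thread; the sourceHealthServiceId GUID is a placeholder, the EventID key and the Data names are assumptions, and none of it is the poster's real data.

```python
import json
import xml.etree.ElementTree as ET

# Namespace of the <EventData> element inside the DataItem wrapper (from the thread).
WIN_EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"

# Constructed sample record: same top-level keys as the payload quoted in the thread.
# The GUID is a placeholder and "EventID" plus the Data names are assumed, not observed.
SAMPLE_RECORD = json.dumps({
    "Computer": "computername",
    "EventCategory": 13312,
    "EventID": 4624,  # assumed key, not present in the quoted (truncated) payload
    "EventData": (
        '<DataItem Type="System.XmlData" time="2024-02-22T09:10:59.3686279Z" '
        'sourceHealthServiceId="00000000-0000-0000-0000-000000000000">'
        '<EventData xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        '<Data Name="SubjectUserName">svc-backup</Data>'
        '<Data Name="TargetUserName">alice</Data>'
        '<Data Name="LogonType">3</Data>'
        '<Data Name="IpAddress">10.0.0.5</Data>'
        "</EventData></DataItem>"
    ),
})


def is_json_wrapped_event(raw):
    """True when the record is a JSON object whose EventData is a <DataItem> XML
    string, i.e. the JSON-plus-XML shape reported as 'Not Parsed' in the thread."""
    try:
        record = json.loads(raw)
    except ValueError:
        return False  # not JSON at all (e.g. a plain XML or syslog event)
    if not isinstance(record, dict):
        return False
    data = record.get("EventData")
    return isinstance(data, str) and data.lstrip().startswith("<DataItem")


def parse_event_hub_record(raw):
    """Unwrap one JSON record and return a flat dict: the top-level JSON fields,
    the DataItem collection timestamp, and every <Data Name="..."> value."""
    record = json.loads(raw)
    parsed = {k: v for k, v in record.items() if k != "EventData"}
    root = ET.fromstring(record["EventData"])  # root is the <DataItem> wrapper
    # The wrapper's time attribute is the collection time, not the event body's.
    parsed["time"] = root.get("time")
    # <Data> elements inherit the default namespace declared on <EventData>.
    for data in root.iter("{%s}Data" % WIN_EVENT_NS):
        name = data.get("Name")
        if name:
            parsed[name] = (data.text or "").strip()
    return parsed


if __name__ == "__main__":
    print("JSON-wrapped:", is_json_wrapped_event(SAMPLE_RECORD))
    for key, value in parse_event_hub_record(SAMPLE_RECORD).items():
        print("%-16s %s" % (key, value))
```

    Running this over a handful of records read from the Event Hub (or from a log source export) tells you two things quickly: whether every record carries the DataItem wrapper, which supports checking the collection agent as suggested in post 4, and which event fields survive inside EventData, which is what you would need to map in a Log Source Extension if support cannot get the default DSM to parse them.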