Forum Discussion
umesuisho
Jan 10, 2023 · Copper Contributor
Forwarding Defender for Identity logs to a SIEM (IBM QRadar) over TLS Syslog (English follows)
Hello. I am trying to forward Defender for Identity logs over TLS Syslog to a SIEM (IBM QRadar on Cloud). On the QRoC side: https://www.ibm.com/docs/en/qradar-on-cloud?topic=overview-sending-tls-syslog-data-qradar-conso...
umesuisho
Jan 18, 2023 · Copper Contributor
Apologies for my late reply.
>You mentioned that you need to provide hostname or IP as source.
Yes, that's right.
Another question regarding the following notification.
https://learn.microsoft.com/en-us/defender-for-identity/notifications#syslog-notifications
>When working with Syslog in TLS mode, make sure to install the required certificates on the designated sensor.
The QRadar on Cloud team had created a .p12 for the TLS communication in the QRoC, so that the sensor is able to send data to the QRoC.
Documentation from IBM to send TLS Syslog data to QRadar: https://www.ibm.com/docs/en/qradar-on-cloud?topic=overview-sending-tls-syslog-data-qradar-console
And they asked us to do the following.
>On the device that is sending syslog events to QRadar on Cloud, ensure that the CA (Let's Encrypt) is added to the truststore.
You might need to add the CA root certificate when you configure some third-party log sources. Download the certificate from the CA site at https://letsencrypt.org/certificates/.
I think "adding the CA (Let's Encrypt) to the truststore in the sensor" is what the MS guide is pointing to in the following notification.
>When working with Syslog in TLS mode, make sure to install the required certificates on the designated sensor.
https://learn.microsoft.com/en-us/defender-for-identity/notifications#syslog-notifications
Do you think the same way?
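A practical way to confirm that the sensor host actually trusts the QRoC TLS Syslog endpoint after the Let's Encrypt root has been installed is to perform a TLS handshake from that host and look at the chain-validation result. The script below is an added example written for this thread; it is not code from Microsoft, IBM or the poster. It assumes the Defender for Identity sensor host validates TLS peers against the Windows LocalMachine\Root store, and the endpoint name, port and certificate path are placeholders to be replaced with the values QRoC provided.

```powershell
# Added example (not from the thread): from the MDI sensor host, install the CA root and
# verify that the QRadar on Cloud TLS Syslog endpoint chains to a trusted root.
# All three parameters are placeholders; replace them with the values from the QRoC team
# and the root downloaded from https://letsencrypt.org/certificates/.
param(
    [string]$SyslogHost = "qroc-tls-syslog.example.invalid",  # placeholder endpoint
    [int]$SyslogPort    = 6514,                                # placeholder; use the port QRoC gave you
    [string]$RootCaPem  = "C:\certs\isrgrootx1.pem"            # placeholder path to the downloaded root
)

# 1. Add the CA root to the machine's Trusted Root store (run from an elevated prompt).
#    Import-Certificate is idempotent: an already-present certificate is not duplicated.
if (Test-Path $RootCaPem) {
    Import-Certificate -FilePath $RootCaPem -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
}

# 2. Handshake with the endpoint and let .NET validate the chain against the machine store.
#    The callback records the policy result so it can be reported instead of thrown.
$script:policyErrors = $null
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $errors)
    $script:policyErrors = $errors
    return $true   # accept only for inspection; the real outcome is reported below
}

$tcp = New-Object System.Net.Sockets.TcpClient($SyslogHost, $SyslogPort)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
$ssl.AuthenticateAsClient($SyslogHost)

$remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
[pscustomobject]@{
    Endpoint   = "$SyslogHost`:$SyslogPort"
    Protocol   = $ssl.SslProtocol
    Subject    = $remote.Subject
    Issuer     = $remote.Issuer
    NotAfter   = $remote.NotAfter
    ChainValid = ($script:policyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
    Errors     = $script:policyErrors
}

# 3. Send one RFC 5424-style test message (PRI 14 = facility user, severity info) so the
#    QRadar log source can be checked for an inbound event from this host.
$ts    = (Get-Date).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$msg   = "<14>1 $ts $env:COMPUTERNAME mdi-tls-check - - - TLS syslog connectivity test`n"
$bytes = [System.Text.Encoding]::UTF8.GetBytes($msg)
$ssl.Write($bytes, 0, $bytes.Length)
$ssl.Flush()
$ssl.Close(); $tcp.Close()
```

If ChainValid comes back false with RemoteCertificateChainErrors, the root (or an intermediate) is still missing from the store the sensor host uses; RemoteCertificateNameMismatch means the hostname used for the sensor's syslog destination does not match the certificate the endpoint presents.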