Adding extra detail to security alert properties when exporting to Event Hub

markwarnes
Occasional Contributor
Has anyone got any experience collecting and embellishing details for a security event being exported to a SIEM?
 
I'm working with an MDATP customer that was using IBM QRadar to pull alerts from MDATP. Their ideal solution, though, is to use the data export to Azure Event Hub functionality which recently became available in their instance, because they are already directing Azure ATP security alerts to an Event Hub and so are aiming for a single source for QRadar to retrieve security events.
 
We've got the Event Hub integration working fine, sending just alert events from the selection on offer. However, the customer has rightly pointed out that the amount of detail for each alert via Event Hub is far less than when the alerts are retrieved by the traditional pull method.
 
I know this is because the alert details via Event Hub are effectively taken from the Alert Events table under Advanced Hunting. Is there any way to enrich these alerts with the same level of detail/properties as the pull method?