Has anyone got any experience collecting and embellishing details for a security event being exported to a SIEM?
I'm working with an MDATP customer that was using IBM QRadar to pull alerts from MDATP. Their ideal solution, though, is to use the data export to Azure Event Hub functionality which recently became available in their instance, because they are already directing Azure ATP security alerts to an Event Hub, so they are aiming for a single source for QRadar to retrieve security events.
We've got the Event Hub integration working fine, sending just alert events from the selection on offer. However, the customer has rightly pointed out that the amount of detail for each alert via Event Hub is far less than when the alerts are retrieved by the traditional pull method.
I know this is because the alert details via Event Hub are effectively taken from the Alert Events table under Advanced Hunting. Is there any way to enrich these alerts with the same level of detail/properties as the pull method?
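As an illustration of the enrichment being asked about (an added example, not code from the original post, from Microsoft or from QRadar): it collapses the per-entity AlertEvents rows arriving from the Event Hub into one alert per AlertId and joins each with the richer record obtained through the pull method. The Event Hub envelope layout (`records` with `category` and `properties`), the field names and the sample data are assumptions constructed for the example.

```python
import json

# Constructed sample: one Event Hub message (assumed envelope: a "records" list,
# each record with "category" and "properties"), carrying two AlertEvents rows
# for the same alert (one per entity) plus one row from another table.
EVENT_HUB_MESSAGE = json.dumps({"records": [
    {"category": "AdvancedHunting-AlertEvents",
     "properties": {"AlertId": "da1", "Title": "Suspicious PowerShell",
                    "Severity": "Medium", "DeviceName": "host1", "FileName": "a.ps1"}},
    {"category": "AdvancedHunting-AlertEvents",
     "properties": {"AlertId": "da1", "Title": "Suspicious PowerShell",
                    "Severity": "Medium", "DeviceName": "host1",
                    "RemoteUrl": "http://example.invalid"}},
    {"category": "AdvancedHunting-DeviceInfo",
     "properties": {"DeviceName": "host1", "OSPlatform": "Windows10"}},
]})

# Constructed sample of the richer record the pull method returns for the same
# alert, keyed by AlertId. In practice this cache is filled by the existing pull path.
PULLED_ALERTS = {"da1": {"id": "da1", "status": "New", "category": "Execution",
                         "assignedTo": "soc@example.invalid",
                         "description": "Encoded command line observed"}}


def enrich_alert_events(message: str, pulled: dict) -> list:
    """Join streaming AlertEvents rows with pulled alert details.

    Rows sharing an AlertId become one alert whose entity-level fields are
    collected under "evidence"; rows from other tables pass through unchanged.
    Alerts with no pulled detail are kept and flagged so the SIEM still sees them.
    """
    alerts, out = {}, []
    for rec in json.loads(message)["records"]:
        props = rec.get("properties", {})
        if rec.get("category") != "AdvancedHunting-AlertEvents":
            out.append(rec)
            continue
        aid = props["AlertId"]
        if aid not in alerts:
            detail = pulled.get(aid)
            alerts[aid] = {"AlertId": aid, "Title": props.get("Title"),
                           "Severity": props.get("Severity"), "evidence": [],
                           "enriched": detail is not None,
                           "detail": dict(detail) if detail else {}}
            out.append(alerts[aid])
        # Keep the per-row entity fields (file, URL, device, ...) as evidence items.
        alerts[aid]["evidence"].append(
            {k: v for k, v in props.items() if k not in ("AlertId", "Title", "Severity")})
    return out
```

Alerts that arrive before the pull side has fetched them come out with `enriched` set to false, which is the case worth alerting on in the SIEM rather than silently dropping.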