How to filter security events only from Event Hub and send to SIEM


One of my customers is trying to integrate IBM QRadar SIEM with Azure. They would like to send all data from various sources to Event Hub; the data would be related to Azure AD, Azure VMs, Key Vault, etc.

But my customer only wants to send security-related data from Event Hubs, discard all the other data, and then send only the security-related data to IBM QRadar. What is the method to filter this data from Event Hub so that the SIEM solution doesn't get too much data that is not security related and choke the system?
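The filtering step the question asks about, as an added example (not code from this thread or from Microsoft): a consumer-side Python filter that parses the JSON envelope Azure Monitor diagnostic settings write to Event Hub, keeps only records whose category is on a security allow-list, and renders the survivors as LEEF 1.0 lines for QRadar. The category allow-list, the sample records and the LEEF header/attribute names are my assumptions; in production the message bodies come from an Event Hub consumer instead of the constructed batch.

```python
import json

# Diagnostic-log categories treated as security-relevant. This allow-list is
# an assumption for the example; tune it to the customer's diagnostic settings.
SECURITY_CATEGORIES = {
    "AuditLogs", "SignInLogs",  # Azure AD diagnostic logs
    "AuditEvent",               # Key Vault data-plane access audit
    "Security",                 # Azure Activity Log security category
}


def filter_batch(event_body):
    """Parse one Event Hub message (Azure Monitor wraps records in a JSON
    object with a 'records' array) and return only the security-relevant ones.
    A malformed body is dropped rather than crashing the consumer loop."""
    try:
        envelope = json.loads(event_body)
    except ValueError:
        return []
    records = envelope.get("records", []) if isinstance(envelope, dict) else []
    return [r for r in records
            if isinstance(r, dict) and r.get("category") in SECURITY_CATEGORIES]


def to_leef(record):
    """Render a record as a LEEF 1.0 line for QRadar (tab-separated attributes;
    the vendor/product header and attribute names are my choice here)."""
    fields = (("devTime", "time"), ("cat", "category"),
              ("resource", "resourceId"), ("op", "operationName"))
    attrs = "\t".join(f"{k}={str(record.get(src, '')).replace(chr(9), ' ')}"
                      for k, src in fields)
    return f"LEEF:1.0|Microsoft|Azure|1.0|{record.get('category', 'Unknown')}|{attrs}"


# Constructed sample batch: one VM metric record (noise), one Key Vault audit
# record and one Azure AD sign-in record (both security-relevant).
SAMPLE_BATCH = json.dumps({"records": [
    {"time": "2020-05-01T10:00:00Z", "category": "Metrics", "operationName": "Percentage CPU",
     "resourceId": "/SUBSCRIPTIONS/x/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/vm1"},
    {"time": "2020-05-01T10:00:01Z", "category": "AuditEvent", "operationName": "SecretGet",
     "resourceId": "/SUBSCRIPTIONS/x/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/kv1"},
    {"time": "2020-05-01T10:00:02Z", "category": "SignInLogs", "operationName": "Sign-in activity",
     "resourceId": "/tenants/t/providers/Microsoft.aadiam"},
]})

if __name__ == "__main__":
    # In production the body comes from an Event Hub consumer; the filter is the same.
    for rec in filter_batch(SAMPLE_BATCH):
        print(to_leef(rec))
```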

1 Reply

Hi @palchak ,

Your customer can use the Microsoft Graph connector for QRadar to send Azure Security Center data to QRadar more easily. Please read more details here:

https://techcommunity.microsoft.com/t5/azure-security-center/accessing-azure-security-center-alerts-...


Thanks,

Tal Rosler,

Azure Security Center.