Azure Sentinel Side-by-Side with QRadar

Alp Babayigit · ‎Jul 08 2020

Special thanks to “Ofer Shezaf”, “Yaniv Shasha” and “Bindiya Priyadarshini” that collaborating with me on this blog post

As highlighted in my last blog post about Azure Sentinel’s Side-by-Side approach with Splunk, there are in fact reasons that enterprises are using Side-by-Side architecture to take advantage of Azure Sentinel. Side-by-Side is not only about having both SIEMs operating at the same time, but it also provides flexibility for migration of existing SIEM and SOAR use cases to Azure Sentinel.

This blog describes how Azure Sentinel can be used Side-by-Side with QRadar.

The following options are available to ingest Azure Sentinel alerts into QRadar:

Using the Microsoft Graph Security API
Using a Logic App flow that streams the alerts to Event Hub. You can read about using Logic Apps here.

This blog post is going to cover the integration with Microsoft Graph Security API.

QRadar can collect events from data sources by using a plug-in called Device Support Module (DSM). IBM provides a DSM to collect data from the Microsoft Graph Security API.

Let’s start the configuration!

Preparation & Use

The following tasks describe the necessary preparation and configurations steps.

Onboarding Azure Sentinel
Registration of an application in Azure AD
Preparation steps in QRadar
Configuration steps in QRadar
Using Azure Sentinel alerts in QRadar

Onboarding Azure Sentinel

Onboarding Azure Sentinel is not part of this blog post; however, required guidance can be found here.

Registering an Application in Azure AD

The steps required to register an app in Azure are described here. The registered app requires read access to the SecurityEvents.Read.All field in Microsoft Graph Security API.

For further configuration in QRadar, make a note of following settings:

The Azure AD Application ID
The Azure AD Application Secret
The Tenant ID

Preparation Steps in QRadar

Using the Microsoft Graph Security API DSM to collect alerts from Azure Sentinel requires the following RPMs to be installed on QRadar:

Protocol Common RPM
Microsoft Graph Security API Protocol RPM

Download the latest version of RPMs from http://www.ibm.com/support and run the following commands to install the RPMs.

yum -y install DSM-DSMCommon-7.3-20190708191548.noarch.rpm

yum -y install PROTOCOL-MicrosoftGraphSecurityAPI-7.3-20200501003005.noarch.rpm

Preparation Steps in QRadar

Now it is time to use the QRadar portal.

Log on to the “QRadar portal“and click on “Admin“tab

Open the “QRadar Log Source Management“ screen and click on the “+New Log Source” button

Select “Single Log Source”

Search for "Universal DSM", select it and click on “Step 2: Select Protocol Type”

Search for "Microsoft Graph Security API", select it and click on "Step 3: Configure Log Source Parameters”

Type a "Name" and a "Description", and configure "other parameters" , and click to "Step 4: Configure Protocol Parameters"

Add a "Log Source Identifier" and specify the parameters noted above when registering the Azure AD app (Azure AD Client ID, Azure AD Client Secret and Tenant ID).

If you want to filter only Azure Sentinel alerts from Microsoft Graph Security API, use the following filter in the parameter "Event Filter".

provider eq 'Azure Sentinel'

Click on “Step 5: Test Protocol Parameters” to continue with the wizard.

If you want to validate the configuration, click ”Start Test”, otherwise finish the configuration by clicking “Skip Test and Finish”.

Once the wizard is closed, the created "Log Source" is shown on the "Log Source Management" screen.

However, the configuration is not finished yet, it must be deployed in the "QRadar Admin portal". Click on "Deploy Change" to apply the configuration.

Using of Azure Sentinel alerts in QRadar

Once the alerts are ingested, you can query Azure Sentinel alerts in QRadar.

A sample RAW alert from Azure Sentinel collected from Microsoft Security Graph API looks as shown below.

{"eventDateTime": "2020-06-08T10:39:58.3572933Z", "category": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "azureSubscriptionId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "description": "Identifies when an RDP connection is new or rare related to any logon type by a given account today based on comparison with the previous 14 days.\nRDP connections are indicated by the EventID 4624 with LogonType = 10", "status": "newAlert", "severity": "medium", "title": "Rare RDP Connections", "hostStates": [{"netBiosName": "CLIENT", "fqdn": "CLIENT.DOMAIN.LOCAL"}], "vendorInformation": {"vendor": "Microsoft", "provider": "Azure Sentinel"}, "createdDateTime": "2020-06-22T10:45:00.0929766Z", "lastModifiedDateTime": "2020-06-22T10:45:00.1940637Z", "userStates": [{"userPrincipalName": "user", "emailRole": "unknown", "accountName": "account", "domainName": "domain"}], "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "azureTenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"}

Summary

We just walked through the process of standing up Azure Sentinel Side-by-Side with QRadar. Stay tuned for more Side-by-Side scenarios in our blog channel.

hstrang · ‎Sep 24 2020

How about the other way round, which would in the current cloud world and also from Microsoft perspective be even more interesting?

If there is for historical reasons a Qradar system collecting logs from various parts of the infrastructure, how would we get this information in usable form into Azure Sentinel? At least for our use case Sentinel is more sophisticated and modern system which is at the same time connected to so many more sources (and volumes) in the cloud world that can't be reasonably imported into Qradar. Qradar is not bad, but the Sentinel approach as whole would bring us more benefit.

Sorcia25 · ‎Oct 01 2020

Great tutorial @Alp Babayigit, thanks for your knowledge...

I followed all the steps, I have to need to recognize that I'm not an QRadar expert, but finally I get two installations of QRadar (one on a VM over Virtual Box, that I was deployed ussing the Ova of the QRadar Community Edition, and the other over Azure, IBM QRadar SIEM v7.3.3 (BYOL) just the console). And in both scenarios I get the same error at the time of running the test of the "New Log Source", the error is: Test failed to start in a timely manner. Please try again or contact support.

Someone could help me to remediate this issue?

Thanks in advance

Naturel_Dragon · ‎Oct 02 2020

Agree with @hstrang , what about feeding Sentinel with QRadar information?

Ian Moore · ‎Nov 12 2020

As previously mentioned, the ideal would be to transition away from QRadar, so simple forwarding from QRadar Event Processor to Sentinel would be of great use.

daniyal2021 · ‎Jan 27 2021

Hi,

We are trying to get azure sentinel logs into our on prem QRadar SIEM.

we follow to achieve it through Event Hub. but we have facing issue in how to forward Azure Sentinel Alert into Event Hub. For this we follow App logic and github code for this but the code is showing errors.

https://techcommunity.microsoft.com/t5/azure-sentinel/sending-enriched-azure-sentinel-alerts-to-3rd-...

https://github.com/Azure/Azure-Sentinel/blob/master/Playbooks/Get-SentinelAlertsEvidence/azuredeploy...

dmongebr · ‎May 21 2021

hi team

quick question:

in regards the filter mentioned here:

provider eq 'Azure Sentinel'

is it possible to include another azure instances such as Cloud App, Identity, etc?

I mean, like:

provider eq 'Azure Sentinel, MCAS, IPS'

get my idea?

Many thanks!

alancho · ‎Feb 28 2022

Now the filter that works is:

vendorInformation/provider eq 'Azure Sentinel'

mharitakis · ‎Apr 19 2022

Hello, is there any cost associated with Microsoft Graph Security API option?

gaudium91 · ‎Sep 29 2023

Very nice article, i have implement in this way and all works fine thank you

Guido

Products (50)

Special Topics (27)

Video Hub (462)

Most Active Hubs

Most Active Hubs

Video Hub

Azure Sentinel Side-by-Side with QRadar