Forum Discussion
umesuisho
Jan 10, 2023, Copper Contributor
Integrating Defender for Identity with a SIEM (IBM QRadar) via TLS Syslog (English follows)
Hello. I am trying to forward Defender for Identity logs to a SIEM (IBM QRadar on Cloud) via TLS Syslog. On the QRoC side: https://www.ibm.com/docs/en/qradar-on-cloud?topic=overview-sending-tls-syslog-data-qradar-conso...
umesuisho
Jan 10, 2023, Copper Contributor
Thank you Eli,
okay, so I'd like to specify the IP of the sensors.
We can see the names of the sensors in the dashboard of the Defender for Identity console.
Where can we locate the IP of the sensors then?
EliOfek
Microsoft
Jan 10, 2023
The portal will only show names.
If you go to the machine profile it should allow you to see the last IP we saw it using.
But it's not displayed on the sensors list easily.
- umesuisho, Jan 10, 2023, Copper Contributor
Thank you Eli,
I understand that we can locate the IPs of the sensors at "the machine profile".
But I suppose these IPs are not static, right?
For receiving Syslogs in QRadar, we need to configure a parameter called "Log Source ID" in QRadar.
The "Log Source ID" parameter should be the string at the head of the payload, which is usually a hostname/IP address, and it should be static.
QRadar identifies the consumed logs as the specific LogSourceName registered in QRadar by verifying that the registered "Log Source ID", which is mapped to the LogSourceName, and the head of the payload are the same.
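To make the matching behaviour described in this thread concrete, here is an added example (not code from the original posts, Microsoft, or IBM) that parses the host field from the head of RFC 5424 and RFC 3164 syslog payloads and looks it up in a constructed registry of "Log Source ID" to LogSourceName mappings. The sample lines, hostnames, IP addresses and registry entries are all constructed for illustration; the third line shows what happens when a sensor's address changes and the head of the payload no longer matches any registered identifier.

```python
import re
from typing import List, Optional, Tuple

# Constructed registry: "Log Source ID" (head-of-payload string) -> LogSourceName.
# Real values would come from the QRadar log source configuration.
LOG_SOURCES = {
    "mdi-sensor-01.corp.example": "Defender for Identity - DC01",
    "10.0.0.15": "Defender for Identity - DC02",
}

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME ...
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d)\s+(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<app>\S+)\s"
)
# RFC 3164 (BSD syslog): <PRI>Mmm dd hh:mm:ss HOSTNAME ...
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s"
)

# Constructed sample payloads (not real sensor output).
SAMPLE_LINES = [
    "<14>1 2023-01-10T09:15:00Z mdi-sensor-01.corp.example MDI - - - CEF:0|Vendor|Product|1.0|1|Sample alert|5|",
    "<14>Jan 10 09:15:01 10.0.0.15 MDI: CEF:0|Vendor|Product|1.0|2|Sample alert|3|",
    # Same sensor as line 2 after a DHCP lease change: the head of the payload no longer matches.
    "<14>Jan 10 09:15:02 10.0.0.99 MDI: CEF:0|Vendor|Product|1.0|2|Sample alert|3|",
]


def syslog_identifier(line: str) -> Optional[str]:
    """Return the hostname/IP at the head of the syslog payload, or None if unparseable."""
    for pattern in (RFC5424, RFC3164):
        match = pattern.match(line)
        if match:
            return match.group("host")
    return None


def resolve_log_source(line: str) -> Optional[str]:
    """Map a payload to a registered LogSourceName by its head-of-payload identifier."""
    identifier = syslog_identifier(line)
    if identifier is None:
        return None
    return LOG_SOURCES.get(identifier)


def classify(lines: List[str]) -> List[Tuple[Optional[str], Optional[str]]]:
    """For each line, return (identifier, resolved LogSourceName or None for unmatched)."""
    return [(syslog_identifier(line), resolve_log_source(line)) for line in lines]


if __name__ == "__main__":
    for identifier, source in classify(SAMPLE_LINES):
        status = source if source else "UNMATCHED (would need a static identifier or a new log source)"
        print(f"{identifier!s:30} -> {status}")
```

Running the block prints one row per sample line; the third row is unmatched, which is the situation the poster is worried about when sensor addresses are not static. Using a stable hostname rather than an address as the identifier avoids the problem.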