Azure Sentinel Side by Side with QRadar


Hi,

quick question:

in the "Event Filter" on QRadar we add:

vendorInformation/provider eq 'Azure Sentinel'

to get Sentinel events, but is it possible to include other Azure instances such as Cloud App, Identity, etc.?

I mean, like:

provider eq 'Azure Sentinel, MCAS, IPS'

thank you

2 Replies

@Jesto001 A couple of ways.

As a query example...

SecurityAlert
| where ProductName == "Microsoft Cloud App Security"

Using a filter in the UI (example in Incidents)...

[Image: prodname.png, screenshot of the Incidents filter by product name]

Also:

SecurityAlert
| where ProductName in ("Microsoft Cloud App Security","product A","product B")
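As an added example (not from either poster), the helpers below build the multi-provider filter for both sides of this setup and show, on constructed sample alerts, why the comma-joined literal from the question matches nothing. It assumes the QRadar "Event Filter" is an OData $filter against the Graph Security API alert resource, where alternatives are joined with `or`, and that the Sentinel side uses the KQL `in` operator from the replies.

```python
# Added example (not from the thread): build multi-provider filters for both
# sides of a side-by-side setup, and show why a comma-joined literal matches
# nothing. Assumes the QRadar "Event Filter" is an OData $filter against the
# Graph Security API alert resource (alternatives joined with `or`).
from typing import Iterable, List

def _odata_literal(value: str) -> str:
    # OData string literals are single-quoted; an embedded quote is doubled.
    return "'" + value.replace("'", "''") + "'"

def odata_provider_filter(providers: Iterable[str]) -> str:
    """OData $filter matching alerts from any of the given providers."""
    providers = list(providers)
    if not providers:
        raise ValueError("at least one provider is required")
    return " or ".join(
        f"vendorInformation/provider eq {_odata_literal(p)}" for p in providers
    )

def _kql_literal(value: str) -> str:
    # KQL double-quoted literals use backslash escapes.
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def kql_product_filter(products: Iterable[str]) -> str:
    """KQL query matching SecurityAlert rows from any of the given products."""
    products = list(products)
    if not products:
        raise ValueError("at least one product is required")
    if len(products) == 1:
        return f"SecurityAlert\n| where ProductName == {_kql_literal(products[0])}"
    return "SecurityAlert\n| where ProductName in (" + ", ".join(
        _kql_literal(p) for p in products) + ")"

# Constructed sample alerts, shaped like Graph Security API alert objects.
SAMPLE_ALERTS = [
    {"id": "a1", "vendorInformation": {"provider": "Azure Sentinel"}},
    {"id": "a2", "vendorInformation": {"provider": "MCAS"}},
    {"id": "a3", "vendorInformation": {"provider": "IPS"}},
]

def select_by_provider(alerts, providers: Iterable[str]) -> List[str]:
    """IDs of alerts whose provider exactly equals one of `providers`."""
    wanted = set(providers)
    return [a["id"] for a in alerts if a["vendorInformation"]["provider"] in wanted]

if __name__ == "__main__":
    print(odata_provider_filter(["Azure Sentinel", "MCAS", "IPS"]))
    print(select_by_provider(SAMPLE_ALERTS, ["Azure Sentinel, MCAS, IPS"]))  # []
```

The last call shows the problem with `provider eq 'Azure Sentinel, MCAS, IPS'`: it is a single provider name that no alert carries, so the filter returns nothing.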