Mar 20 2020
09:32 AM
- last edited on
May 24 2021
02:36 PM
by
TechCommunityAP
Hi all,
We would like to integrate our AADIP system with QRadar platform, in order to forward alerts directly to the SIEM dashboard. To do this we would like to use the DSM connector available in the IBM Marketplace that is able to read events from Microsoft Event Hub.
Is there a way to forward alerts to Microsoft Monitor and Event Hub?
This is the Microsoft documentation related to QRadar Event Hub integration https://developer.microsoft.com/en-us/graph/graph/docs/concepts/security-qradar-siemintegration
Thanks everybody for the answer
Carlo
May 20 2020 04:21 PM
AADIP is now accessible via Microsoft Graph API (as of November 2019) (Risky users API, Sign-ins API, Risk detections API).
Presumably you could use PowerAutomate (easy) or Azure Logic Apps (more programmatic) to be the intermediary connector between the Graph API and Azure Event Hub. I wasn't able to find a way to populate data from Microsoft Graph API directly into Azure Event Hub.
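The intermediary the reply above sketches (read risk detections from Graph, push them into an Event Hub that the QRadar DSM then consumes) can also be a small script rather than a Power Automate or Logic Apps flow. The following is an added example, not code from the thread or from Microsoft; it uses only the Python standard library, assumes the `/v1.0/identityProtection/riskDetections` Graph endpoint, reads a Graph bearer token from a hypothetical `GRAPH_TOKEN` environment variable, and uses placeholder Event Hub namespace, hub and policy names. It keeps a watermark so a restart does not replay alerts into the SIEM, follows `@odata.nextLink` paging, builds a short-lived send-only SAS token, and splits the Event Hub POST bodies so no request exceeds the service limit.

```python
import base64
import hashlib
import hmac
import json
import os
import time
import urllib.parse
import urllib.request
from typing import Callable, Iterable, List, Tuple

GRAPH_URL = "https://graph.microsoft.com/v1.0/identityProtection/riskDetections"
# Placeholder values (assumed, not from the thread): replace with your own.
EVENTHUB_NAMESPACE = "example-ns"
EVENTHUB_NAME = "aadip-alerts"
SAS_KEY_NAME = "send-only-policy"          # a send-only policy keeps the token least-privilege
SAS_KEY = os.environ.get("EVENTHUB_SAS_KEY", "REPLACE_ME")


def make_sas_token(resource_uri: str, key_name: str, key: str, expiry: int) -> str:
    """Event Hub SAS token: HMAC-SHA256 over '<url-encoded uri>\\n<expiry>'."""
    encoded_uri = urllib.parse.quote_plus(resource_uri)
    to_sign = f"{encoded_uri}\n{expiry}".encode()
    sig = base64.b64encode(hmac.new(key.encode(), to_sign, hashlib.sha256).digest()).decode()
    return (f"SharedAccessSignature sr={encoded_uri}&sig={urllib.parse.quote_plus(sig)}"
            f"&se={expiry}&skn={key_name}")


def page_through(get_json: Callable[[str], dict], url: str) -> List[dict]:
    """Follow @odata.nextLink until the Graph result set is exhausted."""
    items: List[dict] = []
    while url:
        body = get_json(url)
        items.extend(body.get("value", []))
        url = body.get("@odata.nextLink")
    return items


def select_new(detections: Iterable[dict], watermark: str) -> Tuple[List[dict], str]:
    """Drop detections already forwarded (detectedDateTime <= watermark); return the
    rest in time order plus the advanced watermark. Graph emits UTC ISO-8601 strings,
    so plain string comparison orders them correctly."""
    fresh = sorted((d for d in detections if d["detectedDateTime"] > watermark),
                   key=lambda d: d["detectedDateTime"])
    return fresh, (fresh[-1]["detectedDateTime"] if fresh else watermark)


def build_batches(events: Iterable[dict], max_bytes: int = 256 * 1024) -> List[str]:
    """Serialise events into Event Hub's JSON batch body ([{"Body": "..."}, ...]),
    splitting so each POST stays under max_bytes (the service caps a request at 1 MB)."""
    batches, current, size = [], [], 2                 # 2 = the enclosing brackets
    for ev in events:
        item = json.dumps({"Body": json.dumps(ev, separators=(",", ":"))})
        if current and size + len(item) + 1 > max_bytes:
            batches.append("[" + ",".join(current) + "]")
            current, size = [], 2
        current.append(item)
        size += len(item) + 1
    if current:
        batches.append("[" + ",".join(current) + "]")
    return batches


def graph_get_json(url: str) -> dict:
    """GET a Graph URL with the bearer token taken from the environment (assumed)."""
    req = urllib.request.Request(url, headers={"Accept": "application/json",
                                               "Authorization": "Bearer " + os.environ["GRAPH_TOKEN"]})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def eventhub_post(body: str) -> int:
    """POST one batch to the Event Hub REST endpoint; returns the HTTP status (201 on success)."""
    url = f"https://{EVENTHUB_NAMESPACE}.servicebus.windows.net/{EVENTHUB_NAME}/messages"
    token = make_sas_token(url, SAS_KEY_NAME, SAS_KEY, int(time.time()) + 300)  # 5-minute lifetime
    req = urllib.request.Request(url, data=body.encode(), method="POST", headers={
        "Authorization": token, "Content-Type": "application/vnd.microsoft.servicebus.json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


def forward_once(get_json: Callable[[str], dict], post: Callable[[str], int],
                 watermark: str) -> Tuple[int, str]:
    """One polling cycle: fetch, de-duplicate against the watermark, batch, send.
    Persist the returned watermark between runs so restarts do not replay alerts."""
    fresh, new_wm = select_new(page_through(get_json, GRAPH_URL), watermark)
    for batch in build_batches(fresh):
        status = post(batch)
        if status not in (200, 201):
            raise RuntimeError(f"Event Hub rejected batch: HTTP {status}")
    return len(fresh), new_wm


# Constructed sample Graph pages that stand in for the live API in the demo below.
SAMPLE_PAGES = {
    GRAPH_URL: {"value": [
        {"id": "d1", "riskEventType": "unfamiliarFeatures", "riskLevel": "medium",
         "detectedDateTime": "2020-03-20T09:30:00Z", "userPrincipalName": "alice@example.com"},
        {"id": "d2", "riskEventType": "anonymizedIPAddress", "riskLevel": "high",
         "detectedDateTime": "2020-03-20T09:45:00Z", "userPrincipalName": "bob@example.com"}],
        "@odata.nextLink": GRAPH_URL + "?$skiptoken=page2"},
    GRAPH_URL + "?$skiptoken=page2": {"value": [
        {"id": "d3", "riskEventType": "leakedCredentials", "riskLevel": "high",
         "detectedDateTime": "2020-03-20T10:05:00Z", "userPrincipalName": "carol@example.com"}]},
}

if __name__ == "__main__":
    sent: List[str] = []

    def fake_post(body: str) -> int:      # records batches instead of calling Azure
        sent.append(body)
        return 201

    count, wm = forward_once(SAMPLE_PAGES.__getitem__, fake_post, "2020-03-20T09:40:00Z")
    print(f"forwarded {count} detection(s) in {len(sent)} batch(es); new watermark {wm}")
    # Live use: forward_once(graph_get_json, eventhub_post, stored_watermark)
```

Run it as-is to see the offline demo; for live use, pass `graph_get_json` and `eventhub_post` to `forward_once` and store the returned watermark (a file or a small table) so the next run only picks up detections newer than the last one already delivered to QRadar. Scope the Graph app registration to the identity-protection read permission only, and keep the SAS policy send-only; the QRadar DSM needs a separate listen policy.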
Jul 23 2020 12:55 PM
You might want to try the QRadar's integration with Graph API:
The benefit is QRadar will then receive events and alerts from all your Microsoft security tooling, and through the single Graph API endpoint. If you're using more than AADIP this has to be a good thing.
The potential downside is it will be necessary to write the parsing rules in QRadar, as this is something IBM haven't provided yet.
I am setting this up in our environment and will let you know how we get on if you're interested.