Azure Active Directory Identity Protection SIEM integration


Hi all

We would like to integrate our AADIP system with QRadar platform, in order to forward alerts directly to the SIEM dashboard. To do this we would like to use the DSM connector available in the IBM Marketplace that is able to read events from Microsoft Event Hub.

Is there a way to forward alerts to Microsoft Monitor and Event Hub?

This is the Microsoft documentation related to QRadar Event Hub integration https://developer.microsoft.com/en-us/graph/graph/docs/concepts/security-qradar-siemintegration

Thanks everybody for the answer

Carlo

2 Replies

@carlochello 

AADIP is now accessible via Microsoft Graph API (as of November 2019)

(Risky users API: https://aka.ms/RiskyUsersAPI, Sign-ins API: https://aka.ms/SigninsAPI, Risk detections API: https://aka.ms/RiskDetectionsAPI),

Presumably you could use PowerAutomate (easy) or Azure Logic Apps (more programmatic) to be the intermediary connector between the Graph API and Azure Event Hub. I wasn't able to find a way to populate data from Microsoft Graph API directly into Azure Event Hub.

https://docs.microsoft.com/en-us/connectors/eventhubs/
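One way to build the intermediary this reply describes, as example code added here (not from the thread, Microsoft or IBM): a small Python forwarder that reads risk detections from the Graph Risk detections API and posts them to an Event Hub through its REST endpoint, which a QRadar Event Hub log source can then consume. The Graph and Event Hubs URLs are the real service endpoints; the namespace, hub name, key name, key and bearer token are placeholders you would supply.

```python
import base64, hashlib, hmac, json, time, urllib.parse, urllib.request

# Real Graph endpoint for Identity Protection risk detections (aka.ms/RiskDetectionsAPI).
GRAPH_URL = "https://graph.microsoft.com/v1.0/identityProtection/riskDetections"


def eventhub_sas_token(resource_uri, key_name, key, ttl_seconds=3600, now=None):
    """Event Hubs SAS token: HMAC-SHA256 over '<url-encoded resource>\\n<expiry>'."""
    expiry = int((now if now is not None else time.time()) + ttl_seconds)
    sr = urllib.parse.quote_plus(resource_uri)
    digest = hmac.new(key.encode(), f"{sr}\n{expiry}".encode(), hashlib.sha256).digest()
    sig = urllib.parse.quote_plus(base64.b64encode(digest).decode())
    return f"SharedAccessSignature sr={sr}&sig={sig}&se={expiry}&skn={key_name}"


def to_siem_event(detection):
    """Flatten one Graph riskDetection into the fields a SIEM rule typically keys on."""
    return {
        "id": detection["id"],
        "riskEventType": detection.get("riskEventType"),
        "riskLevel": detection.get("riskLevel"),
        "riskState": detection.get("riskState"),
        "user": detection.get("userPrincipalName"),
        "ip": detection.get("ipAddress"),
        "detectedDateTime": detection.get("detectedDateTime"),
    }


def fetch_detections(graph_token, since_iso):
    """Page through riskDetections newer than since_iso, following @odata.nextLink."""
    url = GRAPH_URL + "?$filter=" + urllib.parse.quote(f"detectedDateTime gt {since_iso}")
    out = []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {graph_token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        out.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return out


def post_to_eventhub(namespace, hub, key_name, key, events):
    """Send a batch via POST https://<ns>.servicebus.windows.net/<hub>/messages."""
    resource = f"https://{namespace}.servicebus.windows.net/{hub}"
    body = json.dumps([{"Body": json.dumps(to_siem_event(e))} for e in events]).encode()
    req = urllib.request.Request(resource + "/messages", data=body, method="POST", headers={
        "Authorization": eventhub_sas_token(resource, key_name, key),
        "Content-Type": "application/vnd.microsoft.servicebus.json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status  # 201 Created on success
```

Run it on a schedule (for example from an Azure Function) with `post_to_eventhub(ns, hub, keyname, key, fetch_detections(token, last_run_iso))`, keeping the send-only SAS key out of source control.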

@carlochello 

You might want to try the QRadar's integration with Graph API:

https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/com.ibm.dsm.doc/c_logsource_Microsoft_Graph_S...

The benefit is QRadar will then receive events and alerts from all your Microsoft security tooling, and through the single Graph API endpoint. If you're using more than AADIP this has to be a good thing :smile:.

The potential downside is it will be necessary to write the parsing rules in QRadar, as this is something IBM haven't provided yet.

I am setting this up in our environment and will let you know how we get on if you're interested.