
Azure Active Directory Identity Protection SIEM integration


Hi all

We would like to integrate our AADIP system with the QRadar platform, in order to forward alerts directly to the SIEM dashboard. To do this we would like to use the DSM connector available in the IBM Marketplace that is able to read events from Microsoft Event Hub.

Is there a way to forward alerts to Microsoft Monitor and Event Hub?


This is the Microsoft documentation related to QRadar Event Hub integration https://developer.microsoft.com/en-us/graph/graph/docs/concepts/security-qradar-siemintegration


Thanks everybody for the answer

Carlo


1 Reply

@carlochello 

AADIP is now accessible via Microsoft Graph API (as of November 2019):

Risky users API (https://aka.ms/RiskyUsersAPI), Sign-ins API (https://aka.ms/SigninsAPI), Risk detections API (https://aka.ms/RiskDetectionsAPI).

Presumably you could use PowerAutomate (easy) or Azure Logic Apps (more programmatic) to be the intermediary connector between the Graph API and Azure Event Hub. I wasn't able to find a way to populate data from Microsoft Graph API directly into Azure Event Hub.

https://docs.microsoft.com/en-us/connectors/eventhubs/
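As an added example, not code from this thread or from Microsoft: a small Python intermediary of the kind the reply describes, polling the Graph risk detections endpoint with a watermark and @odata.nextLink paging, filtering by risk level, and batching the results into Event Hub with the azure-eventhub SDK. The v1.0 URL, the property names and the sample records are assumptions; the HTTP GET is injected so the sample runs offline.

```python
import json
# Assumed: v1.0 URL and property names of the Risk detections API the reply links.
GRAPH_RISK_DETECTIONS = "https://graph.microsoft.com/v1.0/identityProtection/riskDetections"

def build_url(since_iso, page_size=200):
    # First-page URL: only detections newer than the stored watermark.
    return (f"{GRAPH_RISK_DETECTIONS}?$filter=detectedDateTime gt {since_iso}"
            f"&$orderby=detectedDateTime&$top={page_size}")

def iter_detections(fetch, since_iso):
    # fetch(url) performs the authenticated GET; follow @odata.nextLink until paging ends.
    url = build_url(since_iso)
    while url:
        page = fetch(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")

def to_siem_event(d):
    # Flatten the properties a QRadar DSM would map; values stay as Graph reports them.
    return {"source": "AADIP", "id": d["id"], "type": d.get("riskEventType"),
            "level": d.get("riskLevel"), "state": d.get("riskState"),
            "user": d.get("userPrincipalName"), "detected": d.get("detectedDateTime")}

def collect(fetch, since_iso, levels=("medium", "high")):
    # Returns (events worth forwarding, new watermark); same-format ISO-8601 strings compare as strings.
    events, watermark = [], since_iso
    for d in iter_detections(fetch, since_iso):
        watermark = max(watermark, d["detectedDateTime"])
        if d.get("riskLevel") in levels:
            events.append(to_siem_event(d))
    return events, watermark

def send_to_event_hub(conn_str, hub_name, events):
    # One batch via the azure-eventhub SDK; needs network, so not part of the offline run.
    from azure.eventhub import EventHubProducerClient, EventData
    with EventHubProducerClient.from_connection_string(conn_str, eventhub_name=hub_name) as p:
        batch = p.create_batch()
        for e in events:
            batch.add(EventData(json.dumps(e)))
        p.send_batch(batch)

def rec(i, t, lvl, upn, ts):  # constructed riskDetection record (hypothetical data)
    return {"id": i, "riskEventType": t, "riskLevel": lvl, "userPrincipalName": upn, "detectedDateTime": ts}
SAMPLE_PAGES = {  # constructed two-page Graph response so the forwarder runs offline
    build_url("2020-03-01T00:00:00Z"): {"@odata.nextLink": "next-page", "value": [
        rec("det-1", "unfamiliarFeatures", "medium", "alice@contoso.example", "2020-03-02T10:00:00Z"),
        rec("det-2", "anonymizedIPAddress", "low", "bob@contoso.example", "2020-03-02T11:00:00Z")]},
    "next-page": {"value": [
        rec("det-3", "leakedCredentials", "high", "carol@contoso.example", "2020-03-02T12:30:00Z")]}}
```

Run `collect(SAMPLE_PAGES.__getitem__, "2020-03-01T00:00:00Z")` to see the forwarded events and the watermark to persist for the next poll; in production `fetch` is a `requests.get` with a bearer token and `send_to_event_hub` takes the Event Hub connection string.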