
How to filter data collected in Event Hub before sending it to an external SIEM solution (here IBM QRadar)

One of my customers is trying to integrate IBM QRadar SIEM with Azure. They would like to send all data from various sources to Event Hub, and the data would be related to Azure AD, Azure VMs, Key Vault etc.

But my customer only wants to send security-related data from Event Hub and discard all the other data, then send only the security-related data to IBM QRadar. What is the method to filter this data from Event Hub so that the SIEM solution doesn't get too much data that is not security related and choke the system?

You can consider querying security-related events only in an Azure Stream Analytics job and forwarding those to another Event Hub which QRadar can read.

See more about ASA Event Hub integration here - https://docs.microsoft.com/en-us/azure/event-hubs/process-data-azure-stream-analytics
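To make the filtering step in the answer concrete, here is an added example (not code from the original post, from Azure or from IBM) that applies the same selection logic to a constructed batch in the shape Azure diagnostic settings write to Event Hub: one JSON object with a "records" array, each record carrying a "category". The allow-list of category names is an assumption about which Azure diagnostic categories count as security-relevant (adjust it to your tenant), the Event Hub names in the Stream Analytics sketch are hypothetical, and the sample records are constructed.

```python
"""Filter Azure diagnostic-log batches down to security-relevant records.

Added example of the filtering step the answer describes (keep only
security-related events before anything is forwarded to QRadar); it is not
code from the original post, from Azure or from IBM. The allow-list of
category names is an assumption about which Azure diagnostic categories the
customer considers security-relevant; the sample batch is constructed.
"""
import json
from collections import Counter

# Assumed allow-list. Everything not listed here (platform metrics, service
# health, policy evaluation noise, ...) is dropped before it can reach the SIEM.
SECURITY_CATEGORIES = frozenset({
    "SignInLogs", "AuditLogs",      # Azure AD
    "AuditEvent",                   # Key Vault data-plane access
    "Administrative", "Security",   # Activity log
})

# Equivalent Stream Analytics query, illustrative only (assumed input and
# output alias names; Azure wraps events in a "records" array, hence the
# CROSS APPLY to unnest it before filtering):
#   SELECT r.ArrayValue.time, r.ArrayValue.category,
#          r.ArrayValue.operationName, r.ArrayValue.resourceId
#   INTO [qradar-eventhub]
#   FROM [raw-eventhub] AS e
#   CROSS APPLY GetArrayElements(e.records) AS r
#   WHERE r.ArrayValue.category IN ('SignInLogs', 'AuditLogs', 'AuditEvent',
#                                   'Administrative', 'Security')

# Constructed sample message body: 8 records, of which 4 are security-relevant.
TENANT = "/tenants/00000000-0000-0000-0000-000000000000/providers/Microsoft.aadiam"
SUB = "/subscriptions/11111111-1111-1111-1111-111111111111"
SAMPLE_BATCH = json.dumps({"records": [
    {"time": "2024-01-15T08:00:01Z", "category": "SignInLogs", "resourceId": TENANT,
     "operationName": "Sign-in activity", "resultType": "50126"},
    {"time": "2024-01-15T08:00:02Z", "category": "AuditLogs", "resourceId": TENANT,
     "operationName": "Add member to role"},
    {"time": "2024-01-15T08:00:03Z", "category": "AllMetrics",
     "resourceId": SUB + "/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm01",
     "metricName": "Percentage CPU", "average": 12.5},
    {"time": "2024-01-15T08:00:04Z", "category": "AuditEvent",
     "resourceId": SUB + "/resourceGroups/rg-sec/providers/Microsoft.KeyVault/vaults/kv-prod",
     "operationName": "SecretGet", "resultSignature": "OK"},
    {"time": "2024-01-15T08:00:05Z", "category": "ServiceHealth", "resourceId": SUB,
     "operationName": "Microsoft.ServiceHealth/incident/action"},
    {"time": "2024-01-15T08:00:06Z", "category": "Administrative",
     "resourceId": SUB + "/resourceGroups/rg-sec/providers/Microsoft.Network/networkSecurityGroups/nsg-web",
     "operationName": "Microsoft.Network/networkSecurityGroups/securityRules/write"},
    {"time": "2024-01-15T08:00:07Z", "category": "AzurePolicyEvaluationDetails",
     "resourceId": SUB + "/resourceGroups/rg-sec/providers/Microsoft.KeyVault/vaults/kv-prod"},
    {"time": "2024-01-15T08:00:08Z", "resourceId": SUB},   # no category at all
]})


def _records(raw: str) -> list:
    """Parse one Event Hub message body; malformed input yields [] rather than
    an exception so a single bad message cannot stall the forwarding loop."""
    try:
        body = json.loads(raw)
    except (json.JSONDecodeError, TypeError):
        return []
    records = body.get("records") if isinstance(body, dict) else None
    return records if isinstance(records, list) else []


def is_security_record(record) -> bool:
    """True only for well-formed records whose category is allow-listed."""
    return isinstance(record, dict) and record.get("category") in SECURITY_CATEGORIES


def filter_batch(raw: str) -> list[dict]:
    """Return only the security-relevant records of one batch, in order."""
    return [r for r in _records(raw) if is_security_record(r)]


def summarize(raw: str) -> dict:
    """Kept/dropped counts plus per-category breakdown, for tuning the allow-list."""
    everything = _records(raw)
    kept = [r for r in everything if is_security_record(r)]
    return {
        "kept": len(kept),
        "dropped": len(everything) - len(kept),
        "by_category": dict(Counter(r["category"] for r in kept)),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_BATCH), indent=2))
    for r in filter_batch(SAMPLE_BATCH):
        print(r["category"], r.get("operationName"))
```

The allow-list is deliberately a category allow-list rather than a keyword deny-list: new log categories added to a diagnostic setting later are dropped by default instead of silently flooding the SIEM, and the summary counts show what is being discarded so the list can be widened on purpose.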
