

Supported events from Azure to QRadar

Are the resource logs (which are part of platform logs) from Azure supported in QRadar, or do we need to build a custom parser for each of the resource types in the subscription?

I read the DSM documentation of QRadar, and it mentions platform activity logs, but not resource logs. Let's take an example where we get gateway logs, websocket connection logs, request logs, etc. from our Azure deployment. Are all resource logs supported by QRadar to be taken from the event hub and integrated into QRadar (is there a list of resource logs supported by QRadar)?

If I understand your question correctly, you are looking to extend existing parsers to QR without having to implement custom properties.

For this IBM has published the "IBM QRadar Content Extension for Azure": https://exchange.xforce.ibmcloud.com/hub/extension/7a89f51852efa37de0809457ef1006dd

I recommend installing another extension, "Microsoft Azure Security Center Connected Assets & Risks Connector" ( https://exchange.xforce.ibmcloud.com/hub/extension/0dbfab6a22bca7add7a99fa19fdd426f ), which allows you to monitor other risk events via ASC and integrate assets that are not yet parsed into the QR.

And probably the best scenario for solving the issue with Azure log data is to run QR + Sentinel side by side, use Azure Sentinel, and turn on Data Connectors for Azure-specific resources. This keeps you up to date with integration, data parsing and current built-in rules. We have this scenario deployed; it is for selected sources (Exchange, Teams, risky sign-ins, etc.) and we monitor them via built-in rules in Sentinel. Subsequently, we integrate them into QR; see https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/azure-sentinel-side-by-side-with-qradar/ba-p/1488333 . We finally store the logs in QRadar, but we use Sentinel for Azure-specific rules and then integrate the incidents into QR.

Regards.
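Added example, not code from the question, the answer, IBM or Microsoft: a small Python normalizer for Azure resource log records as diagnostic settings deliver them to an Event Hub (a JSON body with a `records` array). It shows the point behind the question: the envelope fields (`time`, `resourceId`, `category`, `operationName`, `level`, ...) follow the common resource log schema for every resource type, and only `properties` is resource-specific, so the envelope can be handled by one generic parser while per-category work is confined to the flattened `properties`. The two records, resource ids and addresses are constructed placeholders; the API Management category names are illustrative.

```python
import json
from typing import Any

# Constructed sample, not captured from a real tenant. Azure diagnostic settings
# write resource logs to an Event Hub as JSON bodies with a "records" array.
# Subscription id, resource names and IP addresses are placeholders.
SAMPLE_EVENT_HUB_MESSAGE = json.dumps({
    "records": [
        {
            "time": "2024-01-15T10:00:00.0000000Z",
            "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000"
                          "/RESOURCEGROUPS/RG-DEMO/PROVIDERS/MICROSOFT.APIMANAGEMENT/SERVICE/APIM-DEMO",
            "category": "GatewayLogs",
            "operationName": "Microsoft.ApiManagement/GatewayLogs",
            "level": "Informational",
            "callerIpAddress": "203.0.113.10",
            "properties": {"method": "GET", "url": "https://api.example.test/orders",
                           "responseCode": 401, "apiId": "orders"},
        },
        {
            "time": "2024-01-15T10:00:01.0000000Z",
            "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000"
                          "/RESOURCEGROUPS/RG-DEMO/PROVIDERS/MICROSOFT.APIMANAGEMENT/SERVICE/APIM-DEMO",
            "category": "WebSocketConnectionLogs",
            "operationName": "Microsoft.ApiManagement/WebSocketConnectionLogs",
            "level": "Error",
            "callerIpAddress": "198.51.100.7",
            "properties": {"source": "Backend", "eventName": "Connected", "error": None},
        },
    ]
})

# Top-level fields shared by resource logs of every resource type (the common
# schema); "properties" holds the part that differs per category.
COMMON_FIELDS = ("time", "resourceId", "category", "operationName", "level",
                 "resultType", "callerIpAddress", "correlationId")


def resource_type_from_id(resource_id: str) -> str:
    """Return 'PROVIDER/TYPE' (e.g. MICROSOFT.APIMANAGEMENT/SERVICE) from an ARM resource id."""
    parts = resource_id.strip("/").split("/")
    upper = [p.upper() for p in parts]
    if "PROVIDERS" not in upper:
        return "UNKNOWN"
    i = upper.index("PROVIDERS")
    if i + 2 >= len(parts):
        return "UNKNOWN"
    return f"{parts[i + 1]}/{parts[i + 2]}".upper()


def normalize_record(rec: dict[str, Any]) -> dict[str, Any]:
    """Keep the common envelope and flatten the resource-specific 'properties'
    under a 'prop_' prefix, so every category yields one flat event."""
    out: dict[str, Any] = {k: rec.get(k) for k in COMMON_FIELDS}
    out["resourceType"] = resource_type_from_id(rec.get("resourceId", ""))
    props = rec.get("properties") or {}
    for k, v in props.items():
        out[f"prop_{k}"] = v
    return out


def parse_event_hub_message(body: str) -> list[dict[str, Any]]:
    """Parse one Event Hub message body; a missing or malformed 'records' yields no events."""
    data = json.loads(body)
    records = data.get("records") if isinstance(data, dict) else None
    if not isinstance(records, list):
        return []
    return [normalize_record(r) for r in records if isinstance(r, dict)]


def categories_seen(events: list[dict[str, Any]]) -> dict[str, set[str]]:
    """Map resourceType -> set of log categories, to compare against what a DSM covers."""
    seen: dict[str, set[str]] = {}
    for e in events:
        seen.setdefault(e["resourceType"], set()).add(e["category"])
    return seen


if __name__ == "__main__":
    events = parse_event_hub_message(SAMPLE_EVENT_HUB_MESSAGE)
    for e in events:
        print(e["time"], e["resourceType"], e["category"], e["level"], e.get("prop_responseCode"))
    print(categories_seen(events))
```

Running `categories_seen` over a day of Event Hub traffic gives the inventory of (resource type, category) pairs actually emitted by the subscription, which is the list to check against the DSM documentation before deciding where custom properties are still required.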

