
One of my customers is trying to integrate IBM QRADAR SIEM with Azure. They would like to send all data from various sources to Event Hub, and the data would be related to Azure AD, Azure VMs, Key Vault, etc.

But my customer only wants to send security-related data from Event Hub, discard all the other data, and then send only the security-related data to IBM QRADAR. What is the method to filter this data from Event Hub so that the SIEM solution doesn't get too much data that is not security related and choke the system?

Pallab

1 Answer


You can consider querying security-related events only in an Azure Stream Analytics job and forwarding those to another Event Hub which QRadar can read.

See more about ASA EH integration here - https://learn.microsoft.com/en-us/azure/event-hubs/process-data-azure-stream-analytics

Serkant Karaca
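As an added illustration of the approach in the answer above (this is example code, not from the question, the answer, or Microsoft's documentation), here is the shape such a Stream Analytics query could take. It assumes an input alias `azure-monitor-in` (the Event Hub receiving Azure Monitor diagnostic logs as JSON), an output alias `qradar-out` (the second Event Hub that QRadar consumes), and that records arrive in the Azure Monitor diagnostic-log envelope `{ "records": [ ... ] }`. The allow-list of `category` values (`AuditLogs` and `SignInLogs` from Azure AD, `AuditEvent` from Key Vault, `Security` from the Activity Log) is an assumption to be adapted to the categories the customer actually enables.

```sql
-- Added example Azure Stream Analytics query (not part of the original post).
-- Assumed aliases: input [azure-monitor-in], output [qradar-out].
-- Step 1: flatten the diagnostic-log envelope so each entry in "records"
-- becomes one row; GetArrayElements + CROSS APPLY is the ASA idiom for this.
WITH Flattened AS (
    SELECT
        r.ArrayValue.category      AS category,
        r.ArrayValue.operationName AS operationName,
        r.ArrayValue.resourceId    AS resourceId,
        r.ArrayValue               AS record      -- keep the full record for QRadar
    FROM [azure-monitor-in] AS e
    CROSS APPLY GetArrayElements(e.records) AS r
)
-- Step 2: forward only the categories judged security-relevant (assumed
-- allow-list; extend it per source) and drop everything else, so the SIEM
-- never sees metrics, autoscale, or service-health noise.
SELECT
    category,
    operationName,
    resourceId,
    record
INTO [qradar-out]
FROM Flattened
WHERE category = 'AuditLogs'     -- Azure AD directory changes
   OR category = 'SignInLogs'    -- Azure AD authentication events
   OR category = 'AuditEvent'    -- Key Vault access and management operations
   OR category = 'Security'      -- Activity Log security alerts
```

Two practical points when using this: first, the filter is an allow-list by design, so an unlisted category is silently dropped rather than leaked to the SIEM, which means the list must be reviewed whenever a new source is wired into the hub; second, the cheapest filter is upstream, since each resource's diagnostic setting lets you select which log categories are sent to the Event Hub at all, and the Stream Analytics job is then only needed for finer filtering on fields such as `operationName` or result codes that diagnostic settings cannot express.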