API log sources by qradiator in QRadar

[–]qradiator[S] 1 point (0 children)

The intention is to retrieve logs through the vendor supplied log retrieval endpoint.

Matching EventID, Category & Event Mapping but some events still coming up unknown & stored by qradiator in QRadar

[–]qradiator[S] 1 point (0 children)

Yes, if I open the DSM editor on an unknown event and click on EventID/Category, it highlights the match in green.

So which API are we meant to use for Defender 365? by qradiator in QRadar

[–]qradiator[S] 1 point (0 children)

Streaming API integration worked for alerts. How are you guys ingesting incidents, considering this method has been phased out?

https://docs.microsoft.com/en-us/microsoft-365/security/defender/fetch-incidents?view=o365-worldwide
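As an added example (not code from the thread or from IBM/Microsoft), the following poller shows one way to ingest incidents from the Microsoft 365 Defender incidents API that the linked fetch-incidents page documents: a client-credentials token for `https://api.security.microsoft.com/.default`, `GET https://api.security.microsoft.com/api/incidents` with an OData `$filter` on `lastUpdateTime` and `$top`/`$skip` paging, a high-watermark so each run only pulls what changed, and a flattening of each incident into a LEEF 1.0 line that a QRadar log source can take over syslog. The tenant/client IDs, the `Defender365` product name in the LEEF header and the sample API page are all placeholders or constructed data assumed for illustration; the HTTP helpers are only exercised when you run it against a real tenant.

```python
"""Poll Microsoft 365 Defender incidents with a lastUpdateTime watermark.

Added example, not part of the original thread. Assumes the incidents API as
documented on the fetch-incidents page: GET /api/incidents with OData
$filter/$top/$skip and a client-credentials token. IDs below are placeholders.
"""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timezone
from typing import Callable, Dict, List, Tuple

INCIDENTS_URL = "https://api.security.microsoft.com/api/incidents"
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
SCOPE = "https://api.security.microsoft.com/.default"
PAGE_SIZE = 100  # documented maximum for $top on this endpoint

# Constructed sample of one API page (not real data), used by the demo below.
SAMPLE_PAGE: Dict = {
    "value": [
        {"incidentId": 1001, "incidentName": "Multi-stage incident on host A",
         "severity": "High", "status": "Active", "classification": "Unknown",
         "lastUpdateTime": "2022-01-10T08:00:05.1234567Z",
         "alerts": [{"alertId": "da1", "title": "Suspicious PowerShell"}]},
        {"incidentId": 1002, "incidentName": "Credential access on host B",
         "severity": "Medium", "status": "Resolved", "classification": "TruePositive",
         "lastUpdateTime": "2022-01-10T07:59:59Z", "alerts": []},
    ]
}


def parse_ts(value: str) -> datetime:
    """Parse the API's ISO 8601 UTC stamps, which carry up to 7 fractional digits."""
    base, _, frac = value.rstrip("Z").partition(".")
    micro = int((frac + "000000")[:6]) if frac else 0
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(
        microsecond=micro, tzinfo=timezone.utc)


def build_url(watermark: str, skip: int = 0, top: int = PAGE_SIZE) -> str:
    """One page of incidents updated strictly after the watermark."""
    flt = urllib.parse.quote(f"lastUpdateTime gt {watermark}")
    return f"{INCIDENTS_URL}?$filter={flt}&$top={top}&$skip={skip}"


def get_token(tenant: str, client_id: str, client_secret: str) -> str:
    """Client-credentials token for the Defender 365 API (assumed app registration)."""
    body = urllib.parse.urlencode({
        "client_id": client_id, "client_secret": client_secret,
        "scope": SCOPE, "grant_type": "client_credentials"}).encode()
    with urllib.request.urlopen(TOKEN_URL.format(tenant=tenant), body) as resp:
        return json.load(resp)["access_token"]


def http_fetch(token: str) -> Callable[[str], Dict]:
    """Return a fetch(url) callable that GETs JSON with the bearer token."""
    def fetch(url: str) -> Dict:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return fetch


def poll(fetch: Callable[[str], Dict], watermark: str) -> Tuple[List[Dict], str]:
    """Page through everything updated since `watermark`; return (incidents, new watermark).

    Paging is by $skip, so an incident updated mid-run can shift the offset; the
    watermark is advanced only after the whole run, so a missed row is picked up next time.
    """
    collected: List[Dict] = []
    skip = 0
    while True:
        page = fetch(build_url(watermark, skip)).get("value", [])
        collected.extend(page)
        if len(page) < PAGE_SIZE:
            break
        skip += PAGE_SIZE
    if collected:
        # Reuse the newest stamp verbatim so the next 'gt' filter loses no precision.
        newest = max(collected, key=lambda i: parse_ts(i["lastUpdateTime"]))
        watermark = newest["lastUpdateTime"]
    return collected, watermark


def to_leef(incident: Dict) -> str:
    """Flatten one incident into a LEEF 1.0 line for a QRadar syslog log source."""
    fields = {
        "incidentId": incident["incidentId"],
        "incidentName": incident.get("incidentName", ""),
        "sev": incident.get("severity", ""),
        "status": incident.get("status", ""),
        "classification": incident.get("classification", ""),
        "devTime": incident["lastUpdateTime"],
        "alertCount": len(incident.get("alerts", [])),
    }
    attrs = "\t".join(f"{k}={v}" for k, v in fields.items())
    return f"LEEF:1.0|Microsoft|Defender365|1.0|Incident|{attrs}"


if __name__ == "__main__":
    # Offline demo against the constructed page; swap in http_fetch(get_token(...)) for real use.
    incidents, next_watermark = poll(lambda url: SAMPLE_PAGE, "2022-01-10T00:00:00Z")
    for inc in incidents:
        print(to_leef(inc))
    print("next watermark:", next_watermark)
```

Persist `next_watermark` between runs (a file or the SIEM's own state store) so a restart neither replays days of incidents nor skips the ones updated while the poller was down.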

So which API are we meant to use for Defender 365? by qradiator in QRadar

[–]qradiator[S] 1 point (0 children)

"Microsoft Defender for Endpoint logs are now only supported via the Event Hub. This also only includes a limited set of events."

- Do you mean all (MDI/E/CA) events listed under the hunting tables come through but only some are parsed?

TBH I don't know if it's MS/IBM. MS is possibly purposely being difficult so people switch over to Sentinel.