Jun 16 2022 08:42 AM
Hi,
quick question:
in the "Event Filter" on QRadar we add:
vendorInformation/provider eq 'Azure Sentinel'
to get Sentinel events, but is it possible to include other Azure instances such as Cloud App, Identity, etc.?
I mean, like:
provider eq 'Azure Sentinel, MCAS, IPS'
thank you
Jun 16 2022 09:17 AM
@Jesto001 A couple of ways.
As a query example...
SecurityAlert
| where ProductName == "Microsoft Cloud App Security"
Using a filter in the UI (example in Incidents)...
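As an added example (my own code, not from either poster): a small Python helper that builds the Graph Security API $filter for several providers at once, escapes the string literals, and re-checks the same predicate locally over constructed alert records. It assumes the /security/alerts endpoint accepts standard OData `or` between clauses (the thread itself only shows a single `eq`) and that alert JSON carries vendorInformation.provider as in the Graph alert resource.

```python
"""Multi-provider $filter for Graph Security API alerts, plus a local re-check.

Assumptions (not from the thread): the endpoint accepts standard OData `or`, and
alerts carry `vendorInformation.provider` as in the Graph alert resource.
"""
from typing import Any, Iterable, List, Mapping
from urllib.parse import quote

PROVIDER_PATH = "vendorInformation/provider"            # property path used in the thread
ALERTS_ENDPOINT = "https://graph.microsoft.com/v1.0/security/alerts"


def odata_literal(value: str) -> str:
    """Quote a string for an OData filter; a literal single quote is doubled."""
    return "'" + value.replace("'", "''") + "'"


def build_provider_filter(providers: Iterable[str]) -> str:
    """One `eq` clause per provider, joined with `or` and parenthesised."""
    clauses = [f"{PROVIDER_PATH} eq {odata_literal(p)}" for p in providers]
    if not clauses:
        raise ValueError("at least one provider is required")
    return clauses[0] if len(clauses) == 1 else "(" + " or ".join(clauses) + ")"


def alerts_url(providers: Iterable[str]) -> str:
    """Full GET URL with the filter percent-encoded (spaces and quotes included)."""
    return f"{ALERTS_ENDPOINT}?$filter={quote(build_provider_filter(providers), safe='')}"


def matches_provider(alert: Mapping[str, Any], providers: Iterable[str]) -> bool:
    """Local equivalent of the filter, e.g. to verify what a collector ingested.
    Records without vendorInformation are treated as non-matching, not as errors."""
    provider = (alert.get("vendorInformation") or {}).get("provider")
    return provider in set(providers)


def select_alerts(alerts: Iterable[Mapping[str, Any]], providers: Iterable[str]) -> List[str]:
    """IDs of the alerts the filter would have returned."""
    return [a["id"] for a in alerts if matches_provider(a, providers)]


# Constructed sample alerts in the shape of the Graph alert resource (not real data).
SAMPLE_ALERTS = [
    {"id": "a1", "vendorInformation": {"provider": "Azure Sentinel"}},
    {"id": "a2", "vendorInformation": {"provider": "MCAS"}},
    {"id": "a3", "vendorInformation": {"provider": "IPS"}},
    {"id": "a4", "vendorInformation": {"provider": "Azure Security Center"}},
    {"id": "a5"},  # malformed record: no vendorInformation block
]

if __name__ == "__main__":
    wanted = ["Azure Sentinel", "MCAS", "IPS"]
    print(build_provider_filter(wanted))
    print(alerts_url(wanted))
    print(select_alerts(SAMPLE_ALERTS, wanted))
```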
Jun 17 2022 04:54 AM