Microsoft Entra ID

The IBM® QRadar® DSM for Microsoft Entra ID Audit logs collects events such as user creation, role assignment, and group assignment events. The Microsoft Entra ID Sign-in logs collect user sign-in activity events.

Important: The Microsoft Azure Active Directory DSM name is now the Microsoft Entra ID DSM. The DSM RPM name remains as Microsoft Azure Active Directory in QRadar.
To integrate Microsoft Entra ID with QRadar, complete the following steps:
  1. If automatic updates are not enabled, RPMs are available for download from the IBM support website. Download and install the most recent version of the following RPMs on your QRadar Console.
    • Protocol Common RPM
    • DSM Common
    • Microsoft Azure Event Hubs Protocol RPM
    • Microsoft Azure Platform DSM RPM
    • Microsoft Azure Active Directory DSM RPM
  2. If you do not have an existing storage account, create a storage account. For more information, see Create a storage account.
    Important: You must have a storage account to connect to an event hub. For more information, see Microsoft Azure Event Hubs protocol FAQ.
  3. If you do not have an existing event hub, create an event hub. For more information, see Quickstart: Create an event hub using Azure portal.
  4. Configure Microsoft Entra ID to forward events to an Azure Event Hub by streaming events through diagnostic logs. For more information, see Tutorial: Stream Azure Active Directory logs to an Azure Event Hub.
  5. If QRadar does not automatically detect the log source, add a Microsoft Entra ID log source on the QRadar Console by using the Microsoft Azure Event Hubs protocol. For more information about configuring the protocol, see Microsoft Active Directory log source parameters.
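Before adding the log source in step 5, it can help to confirm that the event hub from step 4 carries both audit and sign-in records. The following is an added example, not IBM or Microsoft code: it assumes the `{"records": [...]}` envelope and the `category` values `AuditLogs` and `SignInLogs` that Azure diagnostic streaming uses, and it runs on a constructed sample message body rather than a live event hub.

```python
import json
from collections import Counter

# Categories matching the two log types this page names (audit and sign-in).
# The exact strings are an assumption; compare them with your own stream.
EXPECTED = {"AuditLogs", "SignInLogs"}


def _invalid():
    # Result for a body that is not a diagnostic-log envelope.
    return {"valid": False, "counts": {}, "missing": sorted(EXPECTED), "other": []}


def summarize_batch(body: bytes) -> dict:
    """Split one Event Hub message body into records and count them by category."""
    try:
        envelope = json.loads(body)
    except ValueError:  # covers malformed JSON and undecodable bytes
        return _invalid()
    records = envelope.get("records") if isinstance(envelope, dict) else None
    if not isinstance(records, list):
        return _invalid()
    counts = Counter(
        r.get("category", "<none>") for r in records if isinstance(r, dict)
    )
    seen = set(counts)
    return {
        "valid": True,
        "counts": dict(counts),
        "missing": sorted(EXPECTED - seen),  # expected categories not yet streamed
        "other": sorted(seen - EXPECTED),    # categories this page does not describe
    }


# Constructed sample body (not captured from a real tenant).
SAMPLE = json.dumps({"records": [
    {"time": "2024-01-01T00:00:00Z", "category": "AuditLogs",
     "operationName": "Add user", "properties": {}},
    {"time": "2024-01-01T00:00:05Z", "category": "SignInLogs",
     "operationName": "Sign-in activity", "properties": {}},
    {"time": "2024-01-01T00:00:09Z", "category": "SignInLogs",
     "operationName": "Sign-in activity", "properties": {}},
    {"time": "2024-01-01T00:00:12Z", "category": "ProvisioningLogs",
     "operationName": "Provisioning activity", "properties": {}},
]}).encode()

if __name__ == "__main__":
    print(summarize_batch(SAMPLE))
```

A non-empty `missing` list means a category was not selected in the diagnostic setting or has produced no events yet.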