Microsoft 365 Defender

The IBM® QRadar® Microsoft 365 Defender® DSM collects events from a Microsoft 365 Defender service by using the Microsoft Azure Event Hubs protocol to collect Streaming API data. You can use the Defender for Endpoint SIEM REST API protocol to collect alerts and device events from a Microsoft 365 Defender service.

The Microsoft 365 Defender DSM also collects alerts from the Microsoft Defender for Endpoint Service Alerts V2 API by using the Microsoft Graph API protocol.

Important:
  • The Microsoft Windows Defender ATP DSM name is now the Microsoft 365 Defender DSM. The DSM RPM name remains as Microsoft Windows Defender ATP in QRadar.
  • Due to a change in the Microsoft Defender API suite as of 25 November 2021, Microsoft no longer allows the onboarding of new integrations with their SIEM API. For more information, see Deprecating the legacy SIEM API (https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/deprecating-the-legacy-siem-api/ba-p/3139643).

    The Streaming API can be used with the Microsoft Azure Event Hubs protocol to provide event and alert forwarding to QRadar. For more information about the service and its configuration, see Configure Microsoft 365 Defender to stream Advanced Hunting events to your Azure Event Hub (https://docs.micosoft.com/en-us/microsoft-365/security/defender/streaming-api-event-hub?view=o365-worldwide).

Integrate a Microsoft 365 Defender service when you use the Microsoft Azure Event Hubs protocol

If you want to integrate a Microsoft 365 Defender service with QRadar, complete the following steps:
  1. If automatic updates are not enabled, download the most recent versions of the RPMs from the IBM support website (http://www.ibm.com/support).
    • Protocol Common RPM
    • Microsoft Azure Event Hubs Protocol RPM
    • DSMCommon RPM
    • Microsoft 365 Defender DSM RPM
  2. Optional: Create a storage account. For more information, see Create a storage account.
    Important: You must have a storage account to connect to an event hub. For more information, see Microsoft Azure Event Hubs protocol FAQ.
  3. Optional: Create an event hub. For more information, see Quickstart: Create an event hub using Azure portal.
  4. Configure Microsoft 365 Defender to send advanced hunting events to a Microsoft Azure Event Hub. For more information, see Configure Microsoft 365 Defender to stream Advanced Hunting events to your Azure Event Hub.
  5. If QRadar does not automatically detect the log source, add a Microsoft 365 Defender log source that uses the Microsoft Azure Event Hubs protocol on the QRadar Console. For more information about the protocol, see Microsoft Azure Event Hubs log source parameters for Microsoft 365 Defender.
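The events that step 4 streams into the event hub do not arrive one per message: each Event Hub message carries a "records" array, and each record names the Advanced Hunting table it came from in its "category" field (prefixed "AdvancedHunting-") with the row itself under "properties". The following Python example, added here and not part of the IBM DSM or the Microsoft service, shows the splitting a collector has to do before it can parse rows individually. The envelope shape follows Microsoft's Streaming API documentation; the sample message, device names and values are constructed for this example, and the function names are this example's own.

```python
"""Split a Microsoft 365 Defender Streaming API message (as delivered through
an Azure Event Hub) into one event per Advanced Hunting record."""
import json
from typing import Any, Dict, List, Tuple

# Constructed sample of one Event Hub message body. The envelope (a "records"
# array whose entries carry time, tenantId, category and properties) follows
# Microsoft's Streaming API documentation; every value below is made up.
SAMPLE_MESSAGE = json.dumps({
    "records": [
        {
            "time": "2023-04-01T10:15:30.1234567Z",
            "tenantId": "00000000-0000-0000-0000-000000000000",
            "category": "AdvancedHunting-DeviceProcessEvents",
            "properties": {
                "DeviceName": "ws01.example.test",
                "FileName": "powershell.exe",
                "ProcessCommandLine": "powershell.exe -File C:\\scripts\\inventory.ps1",
                "InitiatingProcessFileName": "cmd.exe",
            },
        },
        {
            "time": "2023-04-01T10:15:31.0000000Z",
            "tenantId": "00000000-0000-0000-0000-000000000000",
            "category": "AdvancedHunting-DeviceNetworkEvents",
            "properties": {
                "DeviceName": "ws01.example.test",
                "RemoteIP": "203.0.113.10",
                "RemotePort": 443,
                "ActionType": "ConnectionSuccess",
            },
        },
        {
            # A record whose category is not an Advanced Hunting table: it is
            # left out of the result and counted, so a stream that was
            # configured with the wrong event types is visible.
            "time": "2023-04-01T10:15:32.0000000Z",
            "tenantId": "00000000-0000-0000-0000-000000000000",
            "category": "SomethingElse",
            "properties": {},
        },
    ]
})

CATEGORY_PREFIX = "AdvancedHunting-"


def split_records(message_body: str) -> Tuple[List[Dict[str, Any]], int]:
    """Return (events, skipped). Each event is a flat dict carrying the
    Advanced Hunting table name, the receive time and tenant, plus every
    field from the record's 'properties'. Records whose category does not
    name an Advanced Hunting table are counted in 'skipped'."""
    envelope = json.loads(message_body)
    records = envelope.get("records")
    if not isinstance(records, list):
        raise ValueError("message has no 'records' array")
    events: List[Dict[str, Any]] = []
    skipped = 0
    for record in records:
        category = record.get("category", "")
        if not category.startswith(CATEGORY_PREFIX):
            skipped += 1
            continue
        event: Dict[str, Any] = {
            "table": category[len(CATEGORY_PREFIX):],
            "time": record.get("time"),
            "tenantId": record.get("tenantId"),
        }
        # The row's own columns sit under 'properties'; flatten them so a
        # downstream parser sees the same field names as the hunting table.
        event.update(record.get("properties") or {})
        events.append(event)
    return events, skipped


def count_by_table(events: List[Dict[str, Any]]) -> Dict[str, int]:
    """Count how many rows of each Advanced Hunting table a message held,
    which is a quick way to confirm the stream carries the expected tables."""
    counts: Dict[str, int] = {}
    for event in events:
        counts[event["table"]] = counts.get(event["table"], 0) + 1
    return counts


if __name__ == "__main__":
    events, skipped = split_records(SAMPLE_MESSAGE)
    for event in events:
        print(event["time"], event["table"], event.get("DeviceName"))
    print(f"{len(events)} events, {skipped} skipped; per table: {count_by_table(events)}")
```

The skipped count is worth watching after step 4: if every record is skipped, the event types selected in the Defender streaming settings do not match what the collector expects, and QRadar will show the log source as receiving data while parsing nothing useful.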

Integrate a Microsoft 365 Defender service when you use the Microsoft Defender for Endpoint SIEM REST API protocol

If you want to integrate a Microsoft 365 Defender service with QRadar, complete the following steps:
  1. If automatic updates are not enabled, download the most recent versions of the RPMs from the IBM support website.
    • Protocol Common RPM
    • Microsoft Defender for Endpoint SIEM REST API Protocol RPM
    • DSMCommon RPM
    • Microsoft 365 Defender DSM RPM
  2. Add a Microsoft 365 Defender log source that uses the Microsoft Defender for Endpoint SIEM REST API protocol on the QRadar Console. QRadar does not automatically detect the Microsoft Defender for Endpoint SIEM REST API. For more information, see Microsoft Defender for Endpoint SIEM REST API log source parameters for Microsoft 365 Defender.

Integrate a Microsoft Defender for Endpoint service when you use the Microsoft Graph Security API protocol

If you want to integrate a Microsoft Defender for Endpoint service with QRadar, complete the following steps:
  1. If automatic updates are not enabled, download the most recent versions of the RPMs from the IBM support website.
    • Protocol Common RPM
    • Microsoft Graph Security API Protocol RPM
    • DSMCommon RPM
    • Microsoft 365 Defender DSM RPM
  2. Add a Microsoft 365 Defender log source that uses the Microsoft Graph Security API protocol on the QRadar Console. QRadar does not automatically detect the Microsoft Graph Security API. For more information, see Microsoft Graph Security API log source parameters for Microsoft 365 Defender.