Microsoft Defender for Endpoint SIEM REST API protocol configuration options
The Microsoft Defender for Endpoint SIEM REST API protocol is an outbound/active protocol.
The Streaming API can be used with the Microsoft Azure Event Hubs protocol to provide event and alert forwarding to QRadar®. For more information about the service and its configuration, see Configure Microsoft 365 Defender to stream Advanced Hunting events to your Azure Event Hub (https://docs.micosoft.com/en-us/microsoft-365/security/defender/streaming-api-event-hub?view=o365-worldwide)
| Parameter | Value |
|---|---|
| Log Source type | Microsoft 365 Defender |
| Protocol Configuration | Microsoft Defender for Endpoint SIEM REST API |
| Log Source Identifier |
Type a unique name for the log source. The Log Source Identifier can be any valid value and does not need to reference a specific server. It can also be the same value as the Log Source Name. If you have more than one configured Microsoft Defender for Endpoint SIEM REST API log source, ensure that you give each one a unique name. |
| Authorization Server URL |
The URL for the server that provides the authorization to obtain an access token. The access token is used as the authorization to collect events from Microsoft 365 Defender. The Authorization Server URL uses the following
format:
|
| Resource | The resource that is used to access Microsoft 365 Defender SIEM API events. |
| Client ID |
Ensures that the user is authorized to obtain an access token. |
| Client Secret | The Client Secret value is displayed only one time, and then is no longer visible. If you don't have access to the Client Secret value, contact your Microsoft Azure administrator to request a new client secret. |
| Region |
Select the regions that are associated with Microsoft 365 Defender SIEM API that you want to collect logs from. |
| Other Region |
Type the names of any additional regions that are associated with the Microsoft 365 Defender SIEM API that you want to collect logs from. Use a comma-separated list; for example, region1,region2. |
| Use GCC Endpoints | Enable or disable the use of GCC and GCC High &
DOD endpoints. GCC and GCC High & DOD
endpoints are endpoints for US Government customers. Tip: When this parameter is enabled,
you cannot configure the Regions parameter.
For more information, see Microsoft Defender for Endpoint for US Government customers (https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/gov?view=o365-worldwide). |
| GCC Type | Select GCC or GCC High & DOD.
|
| Use Proxy |
If a proxy for QRadar is configured, all traffic for the log source travels through the proxy so that QRadar can access the Microsoft 365 Defender SIEM API. Configure the Proxy Server, Proxy Port, Proxy Username, and Proxy Password fields. If the proxy does not require authentication, configure the Proxy Server and Proxy Port fields. |
| Recurrence |
You can specify how often the log collects data. The format is M/H/D for Minutes/Hours/Days. The default is 5 M. |
| EPS Throttle |
The maximum number of events per second that QRadar ingests. If your data source exceeds the EPS throttle, data collection is delayed. Data is still collected and then it is ingested when the data source stops exceeding the EPS throttle. The default is 5000. |
If you need to create virtual machines (VMs) and test the connection between Microsoft Defender for Endpoint and QRadar, see Microsoft Defender for Endpoint evaluation lab (https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/evaluation-lab?view=o365-worldwide).