Microsoft Defender for Cloud

The IBM® QRadar® DSM for Microsoft Defender for Cloud collects JSON events from Microsoft Defender® for Cloud. Events can be collected by using either the Microsoft Graph Security API protocol or the Microsoft Azure Event Hubs protocol.

Important:

The Microsoft Azure Security Center DSM name is now the Microsoft Defender for Cloud DSM. The DSM RPM name remains as Microsoft Azure Security Center in QRadar.

To integrate Microsoft Defender for Cloud with QRadar, complete the following steps:
  1. If automatic updates are not enabled, RPMs are available for download from the IBM support website (http://www.ibm.com/support). Download and install the most recent version of the following RPMs on your QRadar Console:
    • Microsoft Defender for Cloud DSM RPM
    • Microsoft Graph Security API Protocol RPM (Download this RPM if you want to add a log source by using the Microsoft Graph Security API protocol.)
    • Microsoft Azure Event Hubs Protocol RPM (Download this RPM if you want to add a log source by using the Microsoft Azure Event Hubs protocol.)
  2. Optional: Configure Microsoft Defender for Cloud to send events to QRadar when you use the Microsoft Graph Security API. For more information, see Export security alerts and recommendations (https://docs.microsoft.com/en-us/azure/security-center/continuous-export).
  3. Optional: Configure Microsoft Defender for Cloud to send events to QRadar when you use Microsoft Azure Event Hubs. For more information, see Stream alerts to QRadar (https://learn.microsoft.com/en-us/azure/defender-for-cloud/export-to-siem#stream-alerts-to-qradar-and-splunk).
  4. Add a Microsoft Defender for Cloud log source on the QRadar Console.