Connecting to a Microsoft Defender for Endpoint data source

Connect the Microsoft Defender for Endpoint data source to IBM Security QRadar® Suite Software to enable your applications and dashboards to collect and analyze Microsoft Defender for Endpoint security data. Universal Data Insights connectors enable federated search across your security products.

Before you begin

Collaborate with a Microsoft Security Center administrator to get the permissions that are required for your user account to receive data through the connector.

To enable access to the Advanced hunting API for Microsoft Defender for Endpoint:
  1. Register an application for Microsoft Defender for Endpoint in the Azure Active Directory by following the directions in Use Microsoft Defender for Endpoint APIs (https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/exposed-apis-create-app-nativeapp?view=o365-worldwide).

    When the new app dashboard is displayed, the Tenant and Client ID of this application are displayed. You need the Tenant and Client ID of this application in step 8.

  2. Select API Permissions.
  3. Click Add a permission > APIs my organization uses, then search for and select WindowsDefenderATP.
  4. Click Delegated permissions and select AdvancedQuery > AdvancedQuery.Read.
  5. Click Application permissions and select AdvancedQuery > AdvancedQuery.Read.All.
  6. Click Add permissions.
  7. Collaborate with the administrator to grant admin consent for the configured permissions.
  8. Click Certificates & secrets.
  9. To generate the client secret for this configured application, click New client secret. You need the client secret in step 8.
  10. Enter a description and choose a value from the Expires options for the client secret.

If you have a firewall between your cluster and the data source target, use the IBM® Security Edge Gateway to host the containers. The Edge Gateway must be V1.6 or later. For more information, see Edge Gateway.

About this task

The QRadar Suite Software connector for Microsoft Defender for Endpoint is designed to work with the Advanced hunting API. For more information about the Advanced hunting API, see Advanced hunting API (https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/run-advanced-query-api?view=o365-worldwide).

Structured Threat Information eXpression (STIX) is a language and serialization format that organizations use to exchange cyberthreat intelligence. The connector uses STIX patterning to query Microsoft Defender for Endpoint data and returns results as STIX objects. For more information about how the Microsoft Defender for Endpoint data schema maps to STIX, see Microsoft Defender for Endpoint stix-shifter repository (https://github.com/opencybersecurityalliance/stix-shifter/tree/develop/stix_shifter_modules/msatp).

Procedure

  1. Log in to IBM Security QRadar Suite Software.
  2. From the menu, click Connections > Data sources.
  3. On the Data Sources tab, click Connect a data source.
  4. Configure the connection to allow IBM Security QRadar Suite Software to connect to the data source.
  5. Configure the connection to allow QRadar Suite Software to connect to the data source.
    1. In the Data source name field, assign a name to uniquely identify the data source connection.
      You can create multiple connection instances to a data source so it would be good to clearly set them apart by name. Only alphanumeric characters and the following special characters are allowed: - . _
    2. In the Data source description field, write a description to indicate the purpose of the data source connection.
      You can create multiple connection instances to a data source, so it is useful to clearly indicate the purpose of each connection by description. Only alphanumeric characters and the following special characters are allowed: - . _
    3. If you have a firewall between your cluster and the data source target, use the Edge Gateway to host the containers. In the Edge gateway (optional) field, specify which Edge Gateway to use.
      Select an Edge Gateway to host the connectors that provide the communication between the data sources and QRadar Suite Software. It can take up to five minutes for the status of newly deployed data source connections on the Edge Gateway to show as being connected.
    4. In the Management IP address or Hostname field, set the IP address or hostname of the data source so that QRadar Suite Software can communicate with it.
    5. In the Host Port field, set the port number that is associated with the Base URL. The default is 443.
  6. Set the query parameters to control the behavior of the search query on the data source.
    1. In the Concurrent search limit field, set the number of simultaneous connections that can be made between QRadar Suite Software and the data source. The default limit for the number of connections is 4. The value must not be less than 1 and must not be greater than 100.
    2. In the Query search timeout limit field, set the time limit in minutes for how long the query is run on the data source. The default time limit is 30. When the value is set to zero, there is no timeout. The value must not be less than 1 and must not be greater than 120.
    3. In the Result size limit field, set the maximum number of entries or objects that are returned by search query. The default result size limit is 10,000. The value must not be less than 1 and must not be greater than 500,000.
    4. In the Query time range field, set the time range in minutes for the search, represented as the last X minutes. The default is 5 minutes. The value must not be less than 1 and must not be greater than 10,000.
    Important: If you increase the concurrent search limit and the result size limit, a greater amount of data can be sent from QRadar Suite Software, which increases the strain on the data sources. Increasing the query time range also increases the amount of data.
  7. Optional: If you need to customize the STIX attributes mapping, click Customize attribute mapping and edit the JSON blob to map new or existing properties to their associated target data source fields.
  8. Click Add a Configuration.
  9. Configure identity and access.
    1. Click Edit access and choose which users can connect to the data source and the type of access.
    2. In the Configuration name field, enter a unique name to describe the access configuration and distinguish it from the other access configurations for this data source connection that you might set up. Only alphanumeric characters and the following special characters are allowed: - . _
    3. In the Configuration description field, enter a unique description to describe the access configuration and distinguish it from the other access configurations for this data source connection that you might set up. Only alphanumeric characters and the following special characters are allowed: - . _
    4. In the Tenant field, enter the tenant ID of the Azure Active directory application with access to the Advanced hunting API.
    5. In the Client Id field, enter the client ID of the Azure Active directory application with access to the Advanced hunting API.
    6. In the Client Secret field, enter the client secret of the Azure Active directory application with access to the Advanced hunting API.
    7. Click Add.
    8. To save your configuration and establish the connection, click Done.
  10. To edit your configurations, complete the following steps:
    1. On the Data Sources tab, select the data source connection that you want to edit.
    2. In the Configurations section, click Edit Configuration (Edit configuration icon).
    3. Edit the identity and access parameters and click Save.

Results

You can see the data source connection configuration that you added under Connections on the Data source settings page. A message on the card indicates connection with the data source.

When you add a data source, it might take a few minutes before the data source shows as being connected.
Tip: After you connect a data source, it might take up to 30 seconds to retrieve the data. Before the full data set is returned, the data source might display as unavailable. After the data is returned, the data source shows as being connected, and a polling mechanism occurs to validate the connection status. The connection status is valid for 60 seconds after every poll.

What to do next

Test the connection by searching for an IP address in IBM Security Data Explorer that matches an asset data source. In Data Explorer, click an IP address to view its associated assets and risk.

To use Data Explorer, you must have data sources that are connected so that the application can run queries and retrieve results across a unified set of data sources. The search results vary depending on the data that is contained in your configured data sources. For more information about how to build a query in Data Explorer, see Build a query.