Microsoft Defender for Endpoint SIEM REST API log source parameters for Microsoft 365 Defender

If IBM QRadar does not automatically detect the log source, add a Microsoft 365 Defender® log source on the QRadar Console by using the Microsoft Defender for Endpoint SIEM REST API protocol.

When you use the Microsoft Defender for Endpoint SIEM REST API protocol, there are specific parameters that you must use.

Important:
  • The Microsoft Windows Defender ATP DSM name is now the Microsoft 365 Defender DSM. The DSM RPM name remains Microsoft Windows Defender ATP in QRadar.
  • Due to a change in the Microsoft Defender API suite as of 25 November 2021, Microsoft no longer allows the onboarding of new integrations with their SIEM API. For more information, see Deprecating the legacy SIEM API (https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/deprecating-the-legacy-siem-api/ba-p/3139643).

    The Streaming API can be used with the Microsoft Azure Event Hubs protocol to forward events and alerts to QRadar. For more information about the service and its configuration, see Configure Microsoft 365 Defender to stream Advanced Hunting events to your Azure Event Hub (https://docs.micosoft.com/en-us/microsoft-365/security/defender/streaming-api-event-hub?view=o365-worldwide).

The following table describes the parameters that require specific values to collect Microsoft Defender for Endpoint SIEM REST API events from Microsoft 365 Defender:
Table 1. Microsoft Defender for Endpoint SIEM REST API log source parameters for the Microsoft 365 Defender DSM

  Parameter                Value
  ---------------------    ----------------------------------------------
  Log Source type          Microsoft 365 Defender
  Protocol Configuration   Microsoft Defender for Endpoint SIEM REST API

For a complete list of Microsoft Defender for Endpoint SIEM REST API log source protocol parameters and their values, see Microsoft Defender for Endpoint SIEM REST API protocol configuration options.