Microsoft deprecated the legacy SIEM API. To continue to receive data from Microsoft Defender® for Endpoint in IBM® QRadar®, you must register a new application and create a Microsoft Graph Security API log source to collect the data.
For more information about the SIEM API deprecation, see Deprecating the legacy SIEM API (https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/deprecating-the-legacy-siem-api/ba-p/3139643).
Procedure
- Register a new application.
  When you migrate to the Microsoft Graph Security API, the application permissions change; you must register a new application to ensure that the permissions are correct.
  1. Create an application that can be used to authenticate with the Microsoft Graph Security API.
  2. Set the SecurityAlert.Read.All application permission.
  3. On the Overview page, you can find the Client ID and Tenant ID. Copy this information for when you create a log source.
  4. On the Certificates and Secrets page, click New Secret to create the client secret for the log source. Copy this information for when you create a log source.
- Create a Microsoft 365 Defender log source that uses the Microsoft Graph Security API protocol.
  When you migrate to the Microsoft Graph Security API, you create a new log source to pull events from the new configuration. For more information, see Adding a log source.
The following table describes the parameters that require specific values to collect Microsoft Graph Security API events from Microsoft 365 Defender.
Table 1. Microsoft Graph Security API log source parameters for the Microsoft 365 Defender DSM
Parameter | Value
Log Source type | Microsoft 365 Defender DSM
Protocol Configuration | Microsoft Graph Security API
Tenant ID | Enter the value that you obtained in step 3.
Client ID | Enter the value that you obtained in step 3.
Client Secret | Enter the value that you obtained in step 4.
API | Alerts V2
Service | Microsoft Defender for Endpoint
Show Advanced Options | Enable this parameter to configure the Login Endpoint and Graph API Endpoint parameters. Important: If your deployment is in a Government Community Cloud (GCC) environment, the Login Endpoint and Graph API Endpoint have specific values. For more information about these values, see National cloud deployments (https://docs.microsoft.com/en-us/graph/deployments).
Login Endpoint | login.microsoftonline.com
Graph API Endpoint | https://graph.microsoft.com
For more information about the Microsoft Graph Security API protocol parameters, see Microsoft Graph Security API protocol configuration options.
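Before you create the log source, it is worth confirming that the Tenant ID, Client ID and Client Secret from steps 3 and 4 actually work and that the SecurityAlert.Read.All permission has been granted and consented to, because a misconfigured registration only surfaces later as an empty log source. The following script is an added example, not IBM QRadar or Microsoft code: it performs the same OAuth 2.0 client-credentials exchange that the Microsoft Graph Security API protocol performs against the Login Endpoint and Graph API Endpoint values in Table 1, inspects the `roles` claim of the returned token for the required permission, and reads the Alerts V2 API once, filtered to the Microsoft Defender for Endpoint service. The endpoint defaults are the commercial-cloud values from the table; for a GCC deployment you pass the values from Microsoft's National cloud deployments page instead. The function names, the `$top` page size, and the placeholder tenant, client and secret values are assumptions of this example.

```python
"""Pre-flight check for the application registration described above.

Added example, not IBM or Microsoft code. It performs the same OAuth 2.0
client-credentials exchange that the Microsoft Graph Security API protocol
uses, then reads the Alerts V2 API once, so that a wrong Tenant ID, Client
ID or Client Secret, or a missing SecurityAlert.Read.All grant, shows up
before the QRadar log source is created.
"""
import base64
import json
import sys
import urllib.parse
import urllib.request

# Defaults are the commercial-cloud values from the log source table.
# GCC deployments substitute the endpoint values from Microsoft's
# "National cloud deployments" page (passed as arguments below).
DEFAULT_LOGIN_ENDPOINT = "login.microsoftonline.com"
DEFAULT_GRAPH_ENDPOINT = "https://graph.microsoft.com"
REQUIRED_ROLE = "SecurityAlert.Read.All"


def _with_scheme(endpoint: str) -> str:
    """The table gives the login endpoint without a scheme; normalise it."""
    return endpoint if "://" in endpoint else "https://" + endpoint


def token_request(tenant_id, client_id, client_secret,
                  login_endpoint=DEFAULT_LOGIN_ENDPOINT,
                  graph_endpoint=DEFAULT_GRAPH_ENDPOINT):
    """Return (url, form fields) for the client-credentials token request.

    The scope is derived from the Graph endpoint so that a national-cloud
    Graph host gets a token with the matching audience.
    """
    base = _with_scheme(login_endpoint).rstrip("/")
    url = f"{base}/{tenant_id}/oauth2/v2.0/token"
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{graph_endpoint.rstrip('/')}/.default",
    }
    return url, form


def alerts_url(graph_endpoint=DEFAULT_GRAPH_ENDPOINT,
               service_source="microsoftDefenderForEndpoint", top=5):
    """Alerts V2 query restricted to the Service selected in the log source."""
    query = urllib.parse.urlencode({
        "$filter": f"serviceSource eq '{service_source}'",
        "$top": str(top),
    })
    return f"{graph_endpoint.rstrip('/')}/v1.0/security/alerts_v2?{query}"


def token_roles(access_token):
    """Application permissions granted to the app appear in the 'roles' claim.

    The payload is only decoded, not verified: this is a local sanity check of
    a token just received over TLS, not an authorization decision.
    """
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return set(claims.get("roles", []))


def has_required_role(access_token, role=REQUIRED_ROLE):
    """True when the token carries the permission the log source needs."""
    return role in token_roles(access_token)


def fetch_json(url, data=None, headers=None):
    """POST when form data is given, GET otherwise; both return parsed JSON."""
    req = urllib.request.Request(url, data=data, headers=headers or {})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def main(tenant_id, client_id, client_secret,
         login_endpoint=DEFAULT_LOGIN_ENDPOINT,
         graph_endpoint=DEFAULT_GRAPH_ENDPOINT):
    url, form = token_request(tenant_id, client_id, client_secret,
                              login_endpoint, graph_endpoint)
    body = urllib.parse.urlencode(form).encode()
    token = fetch_json(url, data=body)["access_token"]
    if not has_required_role(token):
        sys.exit(f"token lacks {REQUIRED_ROLE}: grant the permission and "
                 "give admin consent, then retry")
    alerts = fetch_json(alerts_url(graph_endpoint),
                        headers={"Authorization": f"Bearer {token}"})
    print(f"ok: {len(alerts.get('value', []))} alert(s) returned")


if __name__ == "__main__":
    # usage: python check_graph_app.py TENANT_ID CLIENT_ID CLIENT_SECRET
    #        [LOGIN_ENDPOINT GRAPH_API_ENDPOINT]
    main(*sys.argv[1:6])
```

Run it with the three values you copied from the application registration; a successful run prints the number of alerts returned, while an authentication failure or a token without the `SecurityAlert.Read.All` role tells you which step of the registration to revisit before you fill in the log source parameters.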