Microsoft 365 Defender

The IBM® QRadar® Microsoft 365 Defender® DSM collects events from a Microsoft 365 Defender service by using the Microsoft Azure Event Hubs protocol to collect Streaming API data, or the Defender for Endpoint SIEM REST API protocol for alert data.
Important:
  1. The Microsoft Windows Defender ATP DSM name is now the Microsoft 365 Defender DSM. The DSM RPM name remains Microsoft Windows Defender ATP in QRadar.
  2. Due to a change in the Microsoft Defender API suite as of 25 November 2021, Microsoft no longer allows the onboarding of new integrations with their SIEM API. For more information, see Deprecating the legacy SIEM API (https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/deprecating-the-legacy-siem-api/ba-p/3139643).

    The Streaming API can be used with the Microsoft Azure Event Hubs protocol to provide event and alert forwarding to QRadar. For more information about the service and its configuration, see Configure Microsoft 365 Defender to stream Advanced Hunting events to your Azure Event Hub (https://docs.microsoft.com/en-us/microsoft-365/security/defender/streaming-api-event-hub?view=o365-worldwide).

Integrate a Microsoft 365 Defender service when you use the Microsoft Azure Event Hubs protocol

If you want to integrate a Microsoft 365 Defender service with QRadar, complete the following steps:
  1. If automatic updates are not enabled, download the most recent versions of the RPMs from the IBM support website (http://www.ibm.com/support).
    • Protocol Common RPM
    • Microsoft Azure Event Hubs Protocol RPM
    • DSM Common RPM
    • Microsoft 365 Defender DSM RPM
  2. Configure Microsoft 365 Defender to send advanced hunting events to a Microsoft Azure Event Hub. For more information, see Configure Microsoft Defender to stream Advanced Hunting events to your Azure Event Hub (https://docs.microsoft.com/en-us/microsoft-365/security/defender/streaming-api-event-hub?view=o365-worldwide).
  3. If QRadar does not automatically detect the log source, add a Microsoft 365 Defender log source that uses the Microsoft Azure Event Hubs protocol on the QRadar Console. For more information about the protocol, see Microsoft Azure Event Hubs log source parameters for Microsoft 365 Defender.
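To sanity-check what the Event Hub is delivering before QRadar ingests it, here is an added example (not from the IBM documentation or QRadar itself) that parses one Streaming API message body and separates usable Advanced Hunting records from malformed ones. It assumes the message shape Microsoft documents for the Streaming API (a `records` array whose entries carry `time`, `tenantId`, `category` and `properties`) and uses a constructed sample message.

```python
import json
from collections import Counter

# Constructed sample of one Event Hub message body, in the shape the
# Streaming API uses (assumption: a "records" array, each record with
# time, tenantId, category and properties). Values are made up.
SAMPLE_MESSAGE = json.dumps({
    "records": [
        {
            "time": "2023-01-10T12:00:00.000Z",
            "tenantId": "00000000-0000-0000-0000-000000000000",
            "category": "AdvancedHunting-DeviceProcessEvents",
            "properties": {"DeviceName": "host01", "FileName": "cmd.exe"},
        },
        {
            "time": "2023-01-10T12:00:01.000Z",
            "tenantId": "00000000-0000-0000-0000-000000000000",
            "category": "AdvancedHunting-AlertInfo",
            "properties": {"AlertId": "da1", "Severity": "High"},
        },
        {
            # Malformed on purpose: no category and no properties.
            "time": "2023-01-10T12:00:02.000Z",
            "tenantId": "00000000-0000-0000-0000-000000000000",
        },
    ]
})

REQUIRED = ("time", "tenantId", "category", "properties")


def parse_streaming_message(body):
    """Split one Event Hub message into valid records and rejected ones."""
    records = json.loads(body).get("records", [])
    valid, rejected = [], []
    for rec in records:
        missing = [k for k in REQUIRED if k not in rec]
        # Only Advanced Hunting categories are expected from this stream.
        if missing or not str(rec["category"]).startswith("AdvancedHunting-"):
            rejected.append({"record": rec, "missing": missing})
            continue
        valid.append({"table": rec["category"].split("-", 1)[1],
                      "time": rec["time"], "event": rec["properties"]})
    return valid, rejected


def count_by_table(valid):
    """Count valid records per Advanced Hunting table name."""
    return Counter(r["table"] for r in valid)


if __name__ == "__main__":
    ok, bad = parse_streaming_message(SAMPLE_MESSAGE)
    print(dict(count_by_table(ok)), f"{len(bad)} rejected")
```

Running the per-table count against a live Event Hub consumer shows whether every Advanced Hunting table you selected in Defender actually arrives, and the rejected list surfaces records QRadar would not parse.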

Integrate a Microsoft 365 Defender service when you use the Microsoft Defender for Endpoint SIEM REST API protocol

If you want to integrate a Microsoft 365 Defender (formerly Microsoft Windows Defender ATP) service with QRadar, complete the following steps:
  1. If automatic updates are not enabled, download the most recent versions of the RPMs from the IBM support website (http://www.ibm.com/support).
    • Protocol Common RPM
    • Microsoft Defender for Endpoint SIEM REST API Protocol RPM
    • DSM Common RPM
    • Microsoft 365 Defender DSM RPM
  2. Add a Microsoft 365 Defender log source that uses the Microsoft Defender for Endpoint SIEM REST API protocol on the QRadar Console. QRadar does not automatically detect the Microsoft Defender for Endpoint SIEM REST API. For more information, see Microsoft Defender for Endpoint SIEM REST API log source parameters for Microsoft 365 Defender.