Configuring Microsoft Graph Security API to communicate with QRadar

Integrate the Microsoft Graph Security API with IBM QRadar before you use the protocol.

Before you begin

To integrate the Microsoft Graph Security API with QRadar, you need Microsoft Azure Active Directory.

Procedure

  1. If automatic updates are not enabled, RPMs are available for download from the IBM® support website (http://www.ibm.com/support). Download and install the most recent version of the following RPMs on your QRadar® Console.
    • Protocol Common RPM
    • Microsoft Graph Security API Protocol RPM
  2. Configure your Microsoft Graph Security API server to forward events to QRadar by following these instructions:
    1. Create an Azure AD application. For more information, see Use the portal to create an Azure AD application and service principal that can access resources (https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal).
    2. Set up an authorization in security API client applications. For more information, see Authorization and the Microsoft Graph Security API (https://docs.microsoft.com/en-us/graph/security-authorization).
      When you use the Alerts V1 API, you must include the following app roles in the Access Token:
      • SecurityEvents.Read.All
      • User.Read.All
      • SecurityActions.Read.All
      • IdentityRiskyUser.Read.All
      • IdentityRiskEvent.Read.All
      Important:

      When you use the Alerts V2 API, you must include the SecurityEvents.Read.All app role. Other types of events can require different roles.

      You must designate the app roles with Application permissions. If your environment does not accept Application permissions, you can use Delegated permissions.

  3. Add a Microsoft Graph Security API protocol log source on the QRadar Console by using a custom log source type or a specific DSM that uses this protocol.
    For more information about supported DSMs, see QRadar supported DSMs. For more information about adding a log source in QRadar, see Adding a log source.
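As an added example (not IBM's or Microsoft's own code), the following Python shows the two checks a practitioner wants before saving the log source from step 2: how the client-credentials token request to Azure AD is shaped, and whether the access token actually carries the app roles the page lists for the Alerts V1 and V2 APIs. The tenant, client id and secret are placeholders; the sample token is constructed locally with a placeholder signature, and the role check only reads the payload claims (it is a configuration sanity check, not a signature validation). Application permissions appear in the `roles` claim and delegated permissions in the space-separated `scp` claim, so both are accepted, matching the page's note that Delegated permissions are an alternative.

```python
import base64
import json
from urllib.parse import urlencode

# App roles the page lists for each alerts API.
ALERTS_V1_ROLES = {
    "SecurityEvents.Read.All",
    "User.Read.All",
    "SecurityActions.Read.All",
    "IdentityRiskyUser.Read.All",
    "IdentityRiskEvent.Read.All",
}
ALERTS_V2_ROLES = {"SecurityEvents.Read.All"}

# Graph endpoints the protocol polls for each API version.
GRAPH_ALERT_ENDPOINTS = {
    "v1": "https://graph.microsoft.com/v1.0/security/alerts",
    "v2": "https://graph.microsoft.com/v1.0/security/alerts_v2",
}


def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form_body) for the OAuth2 client-credentials request made
    to Azure AD. Assumes the v2.0 token endpoint and the .default scope, which
    is how Application permissions granted to the app registration are requested."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials",
    })
    return url, body


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore padding before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def token_permissions(access_token):
    """Read the permissions an access token carries: Application permissions in
    the 'roles' claim, Delegated permissions in the space-separated 'scp' claim.
    Only the payload is decoded; the signature is not verified here."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT")
    payload = json.loads(_b64url_decode(parts[1]))
    roles = set(payload.get("roles", []))
    scopes = set(payload.get("scp", "").split())
    return roles, scopes


def missing_roles(access_token, api_version):
    """Return the app roles the chosen alerts API needs that the token lacks."""
    required = ALERTS_V1_ROLES if api_version == "v1" else ALERTS_V2_ROLES
    roles, scopes = token_permissions(access_token)
    return sorted(required - roles - scopes)


def make_sample_token(payload):
    # Constructed sample token for offline use: real tokens are signed by
    # Azure AD; the signature segment here is a placeholder.
    header = base64.urlsafe_b64encode(b'{"alg":"none","typ":"JWT"}').rstrip(b"=").decode()
    body = base64.urlsafe_b64encode(json.dumps(payload).encode()).rstrip(b"=").decode()
    return f"{header}.{body}.placeholder-signature"


# Constructed app-only token that was granted only two of the five V1 roles.
SAMPLE_TOKEN = make_sample_token({
    "aud": "https://graph.microsoft.com",
    "roles": ["SecurityEvents.Read.All", "User.Read.All"],
})

if __name__ == "__main__":
    url, body = build_token_request("<tenant-id>", "<client-id>", "<client-secret>")
    print(url)
    print(body)
    print("Alerts V2 missing roles:", missing_roles(SAMPLE_TOKEN, "v2"))
    print("Alerts V1 missing roles:", missing_roles(SAMPLE_TOKEN, "v1"))
```

For the sample token the V2 check passes while the V1 check reports the three missing Identity and SecurityActions roles, which is the situation behind most "log source authenticates but returns no events" tickets: the app registration exists, but admin consent was never granted for the full role set.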