Integrate the Microsoft Graph Security API with IBM QRadar before you use the protocol.
Before you begin
To integrate the Microsoft Graph Security API with QRadar, you need Microsoft Azure Active Directory.
Procedure
- If automatic updates are not enabled, RPMs are available for download from the IBM® support website (http://www.ibm.com/support). Download and install the most recent version of the following RPMs on your QRadar® Console.
- Protocol Common RPM
- Microsoft Graph Security API Protocol RPM
- Configure access to the Microsoft Graph Security API so that QRadar can retrieve events from it, by following these instructions:
- Create an Azure AD application. For more information, see Use the portal to create an Azure AD application and service principal that can access resources (https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal).
- Set up an authorization in security API client applications. For more information, see Authorization and the Microsoft Graph Security API (https://docs.microsoft.com/en-us/graph/security-authorization).
When you use the Alerts V1 API, you must include the following app roles in the Access Token:
- SecurityEvents.Read.All
- User.Read.All
- SecurityActions.Read.All
- IdentityRiskyUser.Read.All
- IdentityRiskEvent.Read.All
Important:
When you use the Alerts V2 API, you must include the SecurityAlert.Read.All app role. Other types of events can require different roles.
Grant the app roles as Application permissions. Application permissions require admin consent for the tenant, and the token is then issued to the application itself rather than on behalf of a signed-in user. If your environment does not accept Application permissions, you can use Delegated permissions instead; the token then carries the permissions in its scp claim, and the effective access is limited to what the consenting user can see.
- Add a Microsoft Graph Security API protocol log source on the QRadar Console by using a custom log source type or a specific DSM that uses this protocol.
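Before you add the log source, you can confirm that the app registration actually receives the roles listed above by decoding the access token that Azure AD issues to it. The following Python script is an added example, not code from IBM or from the QRadar protocol. It either obtains a token with the OAuth 2.0 client-credentials grant (the `request_token` helper, which needs network access plus the tenant ID, client ID and client secret of your app registration) or takes a constructed, unsigned sample token; it then reads the `roles` claim (Application permissions) or the `scp` claim (Delegated permissions) and reports which required roles are missing for the Alerts V1 and Alerts V2 APIs. The sample token, its placeholder appid and the helper names are assumptions made for this example.

```python
"""Check that a Microsoft Graph access token carries the app roles QRadar needs.

Added example (not IBM or Microsoft code). The JWT payload is decoded without
signature verification: Microsoft Graph verifies the signature server side, and
this script only inspects the claims that Azure AD put into the token.
"""
import base64
import json
import urllib.parse
import urllib.request

# App roles required for the Alerts V1 API (from the procedure above).
ALERTS_V1_ROLES = {
    "SecurityEvents.Read.All",
    "User.Read.All",
    "SecurityActions.Read.All",
    "IdentityRiskyUser.Read.All",
    "IdentityRiskEvent.Read.All",
}
# App role required for the Alerts V2 API.
ALERTS_V2_ROLES = {"SecurityAlert.Read.All"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def token_claims(access_token: str) -> dict:
    """Return the payload claims of a compact JWT (no signature check)."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def granted_permissions(claims: dict) -> set:
    """Application permissions arrive in `roles` (a JSON list); delegated
    permissions arrive in `scp` (a space-separated string). Return the union."""
    roles = set(claims.get("roles", []))
    scopes = set(claims.get("scp", "").split())
    return roles | scopes


def missing_roles(access_token: str, api_version: str) -> set:
    """Roles required by the given Alerts API version that the token lacks."""
    required = {"v1": ALERTS_V1_ROLES, "v2": ALERTS_V2_ROLES}[api_version]
    return required - granted_permissions(token_claims(access_token))


def request_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Client-credentials grant against the Azure AD v2.0 token endpoint,
    scoped to Microsoft Graph. Needs network access; not exercised offline."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def _fake_token(payload: dict) -> str:
    """Constructed, unsigned token for offline demonstration only."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}.signature"


# Constructed sample: an app registration granted only the V2 role and User.Read.All
# as Application permissions. The appid is a placeholder, not a real registration.
SAMPLE_TOKEN = _fake_token({
    "aud": "https://graph.microsoft.com",
    "appid": "00000000-0000-0000-0000-000000000000",
    "roles": ["SecurityAlert.Read.All", "User.Read.All"],
})


if __name__ == "__main__":
    for version in ("v1", "v2"):
        gap = missing_roles(SAMPLE_TOKEN, version)
        status = "OK" if not gap else "missing " + ", ".join(sorted(gap))
        print(f"Alerts {version.upper()}: {status}")
```

Run it as is to see the offline sample report that the token is sufficient for Alerts V2 but lacks four roles for Alerts V1; against a real tenant, replace `SAMPLE_TOKEN` with `request_token(...)` output. An empty `roles` claim together with a populated `scp` claim means the app was consented with Delegated rather than Application permissions, which is the other case the procedure describes.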