Microsoft Graph Security API protocol configuration options

To receive events from the Microsoft Graph Security API, configure a log source in IBM® QRadar® to use the Microsoft Graph Security API protocol.

The Microsoft Graph Security API protocol is an outbound/active protocol. Your DSM might also use this protocol. For a list of supported DSMs, see QRadar supported DSMs.

The following parameters require specific values to collect events from Microsoft Graph Security servers:

Table 1. Microsoft Graph Security log source parameters

| Parameter | Value |
|---|---|
| Log Source type | A custom log source type or a specific DSM that uses this protocol. |
| Protocol Configuration | Microsoft Graph Security API |
| Tenant ID | The Tenant ID value that is used for Microsoft Azure Active Directory authentication. |
| Client ID | The Client ID parameter value from your application configuration of Microsoft Azure Active Directory. |
| Client Secret | The Client Secret parameter value from your application configuration of Microsoft Azure Active Directory. |
| Event Filter | Retrieve events by using the Microsoft Graph Security API query filter, for example severity eq 'high'. Do not type "filter=" before the filter expression. For more information about writing queries, see Curated Sample Queries (https://github.com/microsoftgraph/security-api-solutions/tree/master/Queries). |
| Use Proxy | If QRadar accesses the Microsoft Graph Security API by proxy, enable this checkbox. If the proxy requires authentication, configure the Proxy IP or Hostname, Proxy Port, Proxy Username, and Proxy Password fields. If the proxy does not require authentication, configure only the Proxy IP or Hostname and Proxy Port fields. |
| Proxy IP or Hostname | The IP address or hostname of the proxy server. If the Use Proxy parameter is set to False, this option is hidden. |
| Proxy Port | The port number that is used to communicate with the proxy. The default is 8080. If the Use Proxy parameter is set to False, this option is hidden. |
| Proxy Username | The username that is used to communicate with the proxy. If Use Proxy is set to False, this option is hidden. |
| Proxy Password | The password that is used to access the proxy. If Use Proxy is set to False, this option is hidden. |
| Recurrence | A time interval, starting at the Start Time, that determines how frequently the poll scans for new data. The interval can be given in hours (H), minutes (M), or days (D); for example, 2H is 2 hours and 15M is 15 minutes. The default is 1M. |
| EPS Throttle | The maximum number of events per second (EPS). The default is 5000. |
| Show Advanced Options | To configure the advanced options for event collection, set this option to on. Important: The advanced option values are in effect even if you do not alter them. |
| Login Endpoint | The Azure AD login endpoint. The default value is login.microsoftonline.com. If you disable Show Advanced Options, this option is hidden. |
| Graph API Endpoint | The Microsoft Graph Security API URL. The default value is https://graph.microsoft.com. If you disable Show Advanced Options, this option is hidden. |
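The following script is an added example, not IBM's protocol implementation or Microsoft sample code. It rebuilds the two requests a log source with these parameters makes (the Azure AD client-credentials token request against the Login Endpoint, then a filtered /security/alerts query against the Graph API Endpoint, optionally through an HTTP proxy) so that Tenant ID, Client ID, Client Secret, Event Filter, Recurrence and proxy values can be checked outside QRadar. It assumes the standard Azure AD v2.0 token endpoint path, the https://graph.microsoft.com/.default scope and the v1.0 alerts resource; the function names and the cfg dictionary keys are the example's own.

```python
import json
import re
import urllib.parse
import urllib.request

GRAPH_SCOPE = "https://graph.microsoft.com/.default"  # scope for the client-credentials grant

def parse_recurrence(value):
    """Convert a Recurrence value such as '15M', '2H' or '1D' into seconds."""
    m = re.fullmatch(r"(\d+)([HMD])", value.strip().upper())
    if not m:
        raise ValueError(f"bad Recurrence value: {value!r}")
    return int(m.group(1)) * {"M": 60, "H": 3600, "D": 86400}[m.group(2)]

def normalize_event_filter(event_filter):
    """Return the bare OData expression; reject a typed 'filter=' prefix (see Event Filter)."""
    expr = event_filter.strip()
    if re.match(r"^\$?filter=", expr, re.IGNORECASE):
        raise ValueError("Event Filter must not start with 'filter='")
    return expr

def token_request(tenant_id, client_id, client_secret, login_endpoint="login.microsoftonline.com"):
    """Return (url, form body) for the Azure AD v2.0 client-credentials grant."""
    url = f"https://{login_endpoint}/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "client_id": client_id,
                                   "client_secret": client_secret, "scope": GRAPH_SCOPE})
    return url, body

def alerts_url(event_filter, graph_endpoint="https://graph.microsoft.com", top=50):
    """Return the /security/alerts URL with the Event Filter applied as $filter."""
    url = f"{graph_endpoint.rstrip('/')}/v1.0/security/alerts?$top={top}"
    expr = normalize_event_filter(event_filter)
    return url + ("&$filter=" + urllib.parse.quote(expr) if expr else "")

def fetch_alerts(cfg):
    """Perform both requests, optionally via an HTTP proxy, and return the alert list.
    cfg['proxy'] looks like 'http://user:pass@proxy-host:8080' (user:pass@ only if required)."""
    handlers = [urllib.request.ProxyHandler({"https": cfg["proxy"]})] if cfg.get("proxy") else []
    opener = urllib.request.build_opener(*handlers)
    url, body = token_request(cfg["tenant_id"], cfg["client_id"], cfg["client_secret"],
                              cfg.get("login_endpoint", "login.microsoftonline.com"))
    with opener.open(urllib.request.Request(url, data=body.encode())) as resp:
        token = json.load(resp)["access_token"]  # bearer token presented to Graph
    req = urllib.request.Request(alerts_url(cfg["event_filter"], cfg.get("graph_endpoint", "https://graph.microsoft.com")),
                                 headers={"Authorization": f"Bearer {token}"})
    with opener.open(req) as resp:
        return json.load(resp)["value"]
```

Call fetch_alerts with the same values you intend to enter in the log source (placeholders such as "TENANT_ID" stand in for real ones); an error from the token request points at the Tenant ID or credentials, an error from the alerts request at the Event Filter or endpoint settings.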