Microsoft Defender for Endpoint SIEM REST API protocol configuration options

Configure a Microsoft Defender® for Endpoint SIEM REST API protocol to receive events from supported Device Support Modules (DSMs).

The Microsoft Defender for Endpoint SIEM REST API protocol is an outbound/active protocol.

Important: Due to a change in the Microsoft Defender API suite as of 25 November 2021, Microsoft no longer allows the onboarding of new integrations with their SIEM API. For more information, see Deprecating the legacy SIEM API (https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/deprecating-the-legacy-siem-api/ba-p/3139643).

The Streaming API can be used with the Microsoft Azure Event Hubs protocol to provide event and alert forwarding to QRadar. For more information about the service and its configuration, see Configure Microsoft 365 Defender to stream Advanced Hunting events to your Azure Event Hub (https://docs.microsoft.com/en-us/microsoft-365/security/defender/streaming-api-event-hub?view=o365-worldwide).

The following table describes the protocol-specific parameters for the Microsoft Defender for Endpoint SIEM REST API protocol:
Table 1. Microsoft Defender for Endpoint SIEM REST API protocol
Parameter Value
Log Source type Microsoft 365 Defender
Protocol Configuration Microsoft Defender for Endpoint SIEM REST API
Log Source Identifier

Type a unique name for the log source.

The Log Source Identifier can be any valid value and does not need to reference a specific server. It can also be the same value as the Log Source Name. If you have more than one configured Microsoft Defender for Endpoint SIEM REST API log source, ensure that you give each one a unique name.

Authorization Server URL

The URL for the server that provides the authorization to obtain an access token. The access token is used as the authorization to collect events from Microsoft 365 Defender.

The Authorization Server URL uses the following format:
https://login.microsoftonline.com/<Tenant_ID>/oauth2/token
where <Tenant_ID> is the UUID of your Azure AD tenant. This is the v1 token endpoint, so the client credentials grant identifies the target API with the Resource parameter rather than a scope.
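The token exchange behind the Authorization Server URL, Resource, Client ID and Client Secret parameters is a standard OAuth2 client credentials grant. The following is an added example (not QRadar's or Microsoft's code) that builds the same request QRadar sends and parses the response, so you can test a tenant ID, app registration and secret before saving the log source. The tenant ID, client ID, secret and token response are constructed placeholders; the `request_token` function performs the live call and is the only part that needs network access.

```python
"""Reproduce the OAuth2 client_credentials exchange that the Microsoft Defender
for Endpoint SIEM REST API protocol performs against the Authorization Server URL.
Added illustration, not QRadar's own code. All identifiers are placeholders."""
import json
import urllib.parse
import urllib.request
import uuid

AUTHORITY = "https://login.microsoftonline.com"


def authorization_server_url(tenant_id: str) -> str:
    """Build the Authorization Server URL; the tenant ID must be a UUID."""
    try:
        tid = uuid.UUID(tenant_id)
    except ValueError:
        raise ValueError(f"Tenant_ID must be a UUID, got {tenant_id!r}")
    return f"{AUTHORITY}/{tid}/oauth2/token"


def token_request_body(client_id: str, client_secret: str, resource: str) -> bytes:
    """Form-encoded body of the grant. The v1 endpoint takes 'resource', not 'scope',
    which is why the protocol exposes a Resource parameter."""
    return urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": resource,
    }).encode()


def parse_token_response(body: bytes):
    """Return (access_token, expires_in_seconds) or raise on an error response."""
    data = json.loads(body)
    if "error" in data:
        raise RuntimeError(f"{data['error']}: {data.get('error_description', '')}")
    if data.get("token_type", "").lower() != "bearer":
        raise RuntimeError(f"unexpected token_type {data.get('token_type')!r}")
    return data["access_token"], int(data["expires_in"])


def request_token(tenant_id, client_id, client_secret, resource, timeout=30):
    """Live call (not exercised offline): POST the grant and return (token, expires_in).
    The secret travels only in the POST body over TLS, never in the URL."""
    req = urllib.request.Request(
        authorization_server_url(tenant_id),
        data=token_request_body(client_id, client_secret, resource),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_token_response(resp.read())


# Constructed sample responses in the shape the token endpoint returns (placeholder values).
SAMPLE_RESPONSE = json.dumps({
    "token_type": "Bearer",
    "expires_in": "3599",
    "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.e30.placeholder-signature",
}).encode()

SAMPLE_ERROR = json.dumps({
    "error": "invalid_client",
    "error_description": "Invalid client secret provided.",
}).encode()


if __name__ == "__main__":
    # Offline demonstration with the constructed values above.
    print(authorization_server_url("12345678-1234-1234-1234-123456789abc"))
    print(token_request_body("app-id-placeholder", "secret-placeholder", "https://example.invalid"))
    print(parse_token_response(SAMPLE_RESPONSE))
```

A `ValueError` from `authorization_server_url` means the tenant ID is not a UUID (a common mistake is pasting the tenant's domain name instead). An `invalid_client` error from the live call is the symptom of an expired or mistyped Client Secret, which is the case where you need a new secret from your Azure administrator.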
Resource The resource that is used to access Microsoft 365 Defender SIEM API events.
Client ID

The application (client) ID of the Azure AD app registration that is authorized to obtain an access token.

Client Secret The Client Secret value is displayed only one time, and then is no longer visible. If you don't have access to the Client Secret value, contact your Microsoft Azure administrator to request a new client secret.
Region

Select the regions associated with the Microsoft 365 Defender SIEM API that you want to collect logs from.

Other Region

Type the names of any additional regions that are associated with the Microsoft 365 Defender SIEM API that you want to collect logs from.

Use a comma-separated list; for example, region1,region2.

Use GCC Endpoints Enable or disable the use of GCC and GCC High & DOD endpoints. GCC and GCC High & DOD endpoints are endpoints for US Government customers.
Tip: When this parameter is enabled, you cannot configure the Regions parameter.

For more information, see Microsoft Defender for Endpoint for US Government customers (https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/gov?view=o365-worldwide).

GCC Type Select GCC or GCC High & DoD.
  • GCC: Microsoft Government Community Cloud.
  • GCC High & DoD: Compliant with Department of Defense regulations.
Use Proxy

If a proxy for QRadar is configured, all traffic for the log source travels through the proxy so that QRadar can access the Microsoft 365 Defender SIEM API.

Configure the Proxy Server, Proxy Port, Proxy Username, and Proxy Password fields. If the proxy does not require authentication, configure only the Proxy Server and Proxy Port fields.

Recurrence

You can specify how often the log source collects data. The format is M/H/D for Minutes/Hours/Days.

The default is 5 M.

EPS Throttle

The maximum number of events per second that QRadar ingests.

If your data source exceeds the EPS throttle, data collection is delayed. Data is still collected and then it is ingested when the data source stops exceeding the EPS throttle.

The default is 5000.
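Recurrence and EPS Throttle together bound how many events QRadar can ingest per poll, and a source that regularly exceeds that bound builds a backlog that is only drained when its rate drops. The following is an added example (not QRadar's own code) that parses the Recurrence value, computes the per-interval capacity, and runs a simple carry-over model across a series of constructed poll sizes so you can check a throttle setting against an expected volume before collection falls behind. The poll sizes and the 100 EPS throttle used in the demonstration are constructed; the backlog model is a simplification of the delay behaviour described above.

```python
"""Capacity check for the Recurrence and EPS Throttle parameters.
Added illustration, not QRadar's own code; the sample poll sizes are constructed."""
import re

_UNIT_SECONDS = {"M": 60, "H": 3600, "D": 86400}


def recurrence_seconds(value: str) -> int:
    """Parse a Recurrence value in the documented 'N M|H|D' form (e.g. '5 M') into seconds."""
    m = re.fullmatch(r"\s*(\d+)\s*([MHD])\s*", value.upper())
    if not m:
        raise ValueError(f"Recurrence must look like '5 M', '1 H' or '1 D', got {value!r}")
    n, unit = int(m.group(1)), m.group(2)
    if n <= 0:
        raise ValueError("Recurrence must be a positive interval")
    return n * _UNIT_SECONDS[unit]


def interval_capacity(recurrence: str, eps_throttle: int) -> int:
    """Maximum number of events QRadar ingests between two polls at the given throttle."""
    if eps_throttle <= 0:
        raise ValueError("EPS Throttle must be positive")
    return recurrence_seconds(recurrence) * eps_throttle


def simulate_backlog(poll_sizes, recurrence="5 M", eps_throttle=5000):
    """Model the documented delay: events above the per-interval capacity are not lost,
    they carry over and are ingested once the source drops below the throttle.
    Returns the backlog remaining after each poll (0 means collection kept up)."""
    cap = interval_capacity(recurrence, eps_throttle)
    backlog, history = 0, []
    for fetched in poll_sizes:
        backlog = max(0, backlog + fetched - cap)
        history.append(backlog)
    return history


if __name__ == "__main__":
    # Constructed series: two polls above the 30,000-event capacity, then a quiet period.
    polls = [20000, 45000, 40000, 10000, 5000]
    print("capacity per 5 M interval at 100 EPS:", interval_capacity("5 M", 100))
    print("backlog after each poll:", simulate_backlog(polls, "5 M", 100))
```

With the defaults (5 M and 5000 EPS) the capacity is 1,500,000 events per interval; a non-zero trailing backlog in the simulation means the throttle is too low for the sustained rate, while transient backlog that returns to zero is the delayed-but-collected behaviour the parameter description promises.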

If you need to create virtual machines (VMs) and test the connection between Microsoft Defender for Endpoint and QRadar, see Microsoft Defender for Endpoint evaluation lab (https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/evaluation-lab?view=o365-worldwide).