Microsoft 365 Defender DSM Specifications

The following table describes the specifications for the Microsoft 365 Defender DSM.

Important:
  • The Microsoft Windows Defender ATP DSM is now named the Microsoft 365 Defender DSM. The DSM RPM name in QRadar remains Microsoft Windows Defender ATP.
  • Due to a change in the Microsoft Defender API suite as of 25 November 2021, Microsoft no longer allows the onboarding of new integrations with their SIEM API. For more information, see Deprecating the legacy SIEM API (https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/deprecating-the-legacy-siem-api/ba-p/3139643).

    The Streaming API can be used with the Microsoft Azure Event Hubs protocol to forward events and alerts to QRadar. For more information about the service and its configuration, see Configure Microsoft 365 Defender to stream Advanced Hunting events to your Azure Event Hub (https://docs.microsoft.com/en-us/microsoft-365/security/defender/streaming-api-event-hub?view=o365-worldwide).

Table 1. Microsoft 365 Defender DSM specifications

Specification                 Value
Manufacturer                  Microsoft
DSM name                      Microsoft 365 Defender
RPM file name                 DSM-MicrosoftWindowsDefenderATP-QRadar_version-build_number.noarch.rpm
Supported versions            N/A
Protocols                     Microsoft Defender for Endpoint SIEM REST API
                              Microsoft Azure Event Hubs
                              Microsoft Graph Security API
Event format                  JSON
Recorded event types when you use the Microsoft Azure Event Hubs protocol
                              The Microsoft 365 Defender DSM supports the following events when you use the Microsoft Azure Event Hubs protocol:
                              Alerts (supported only for Microsoft Defender for Endpoint):
                                • AlertInfo
                                • AlertEvidence
                              Device:
                                • DeviceInfo
                                • DeviceNetworkInfo
                                • DeviceProcessEvents
                                • DeviceNetworkEvents
                                • DeviceFileEvents
                                • DeviceRegistryEvents
                                • DeviceLogonEvents
                                • DeviceEvents
                                • DeviceFileCertificateInfo
                                • DeviceImageLoadEvents
                              Email:
                                • EmailEvents
                                • EmailAttachmentInfo
                                • EmailPostDeliveryEvents
                                • EmailUrlInfo
Recorded event types when you use the Microsoft Defender for Endpoint SIEM REST API protocol
                                • Windows Defender ATP
                                • Windows Defender AV
                                • Third party TI
                                • Customer TI
                                • Bitdefender
Recorded event types when you use the Microsoft Graph Security API protocol
                                • Microsoft Defender for Endpoint Alerts V2
                                • Microsoft Defender for Cloud App Security Alerts V2
                                • Microsoft Defender for Identity Alerts V2
                                • Microsoft Defender for Office 365 Alerts V2
                                • Microsoft Defender for Azure AD Identity Protection Alerts V2
                                • Microsoft Defender for Data Loss Prevention Alerts V2
Automatically discovered?     Yes
Includes identity?            Yes
Includes custom properties?   No
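Before onboarding an Event Hub feed, it is worth checking that the Advanced Hunting tables you stream are ones this DSM lists as supported, since records from other tables or from non-Defender-for-Endpoint alerts will not be parsed as expected. The following is an added example (not IBM or Microsoft code) that triages a constructed Event Hub message against the supported-table list from the specification above. It assumes, as stated in the code, that each message body is a JSON object with a "records" array and that each record names its source table in a "category" field of the form "AdvancedHunting-<TableName>", with alert records carrying a "ServiceSource" property; the sample message and its values are constructed.

```python
"""Triage a streamed Event Hub message against the Advanced Hunting tables
that the Microsoft 365 Defender DSM lists as supported over the Microsoft
Azure Event Hubs protocol.

Added example, not part of the DSM documentation.  Assumptions:
  - the message body is a JSON object with a "records" array;
  - each record has a "category" field "AdvancedHunting-<TableName>";
  - alert records carry a "ServiceSource" property naming the product.
"""
import json

# Tables taken from the "Recorded event types ... Event Hubs" row of the spec table.
SUPPORTED_TABLES = {
    "Alerts": {"AlertInfo", "AlertEvidence"},
    "Device": {
        "DeviceInfo", "DeviceNetworkInfo", "DeviceProcessEvents", "DeviceNetworkEvents",
        "DeviceFileEvents", "DeviceRegistryEvents", "DeviceLogonEvents", "DeviceEvents",
        "DeviceFileCertificateInfo", "DeviceImageLoadEvents",
    },
    "Email": {"EmailEvents", "EmailAttachmentInfo", "EmailPostDeliveryEvents", "EmailUrlInfo"},
}
CATEGORY_PREFIX = "AdvancedHunting-"          # assumed category naming
DEFENDER_FOR_ENDPOINT = "Microsoft Defender for Endpoint"  # alerts are supported only from this product

# Constructed sample message; not a real capture.
SAMPLE_MESSAGE = json.dumps({
    "records": [
        {"time": "2024-01-01T00:00:00Z", "category": "AdvancedHunting-DeviceProcessEvents",
         "properties": {"DeviceName": "ws01.example.test", "FileName": "cmd.exe"}},
        {"time": "2024-01-01T00:00:01Z", "category": "AdvancedHunting-AlertInfo",
         "properties": {"AlertId": "alert-constructed-1", "ServiceSource": DEFENDER_FOR_ENDPOINT}},
        {"time": "2024-01-01T00:00:02Z", "category": "AdvancedHunting-AlertInfo",
         "properties": {"AlertId": "alert-constructed-2", "ServiceSource": "Microsoft Defender for Office 365"}},
        {"time": "2024-01-01T00:00:03Z", "category": "AdvancedHunting-IdentityLogonEvents",
         "properties": {"AccountName": "jdoe"}},
        {"time": "2024-01-01T00:00:04Z", "category": "Heartbeat", "properties": {}},
    ]
})


def table_name(record):
    """Return the Advanced Hunting table a record came from, or None if the category is not one."""
    category = record.get("category", "")
    return category[len(CATEGORY_PREFIX):] if category.startswith(CATEGORY_PREFIX) else None


def dsm_group(table):
    """Return the DSM group (Alerts, Device, Email) that lists this table, or None if unsupported."""
    for group, tables in SUPPORTED_TABLES.items():
        if table in tables:
            return group
    return None


def triage_message(body):
    """Sort records into supported tables, unsupported categories, and alerts from other products."""
    report = {"supported": [], "unsupported": [], "alerts_outside_defender_for_endpoint": []}
    for record in json.loads(body).get("records", []):
        table = table_name(record)
        group = dsm_group(table)
        properties = record.get("properties", {})
        if group is None:
            report["unsupported"].append(record.get("category", "<no category>"))
        elif group == "Alerts" and properties.get("ServiceSource") != DEFENDER_FOR_ENDPOINT:
            report["alerts_outside_defender_for_endpoint"].append(properties.get("AlertId", "<no AlertId>"))
        else:
            report["supported"].append(table)
    return report


if __name__ == "__main__":
    for key, items in triage_message(SAMPLE_MESSAGE).items():
        print(f"{key}: {items}")
```

Run the script as-is to see the constructed message sorted into the three buckets; in practice, point triage_message at message bodies pulled from your own Event Hub so that streamed-but-unparsed tables show up before they become gaps in QRadar.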
More information

Microsoft 365 Defender documentation (https://docs.microsoft.com/en-us/microsoft-365/security/defender/microsoft-365-defender?view=o365-worldwide)