Microsoft Graph Security API connector configuration options
To receive events from the Microsoft Graph Security API, configure a data source in the QRadar® product to use the Microsoft Graph Security API connector.
The Microsoft Graph Security API connector is an active outbound connector. Your data source type might also use this connector.
The following parameters require specific values to collect events from Microsoft Graph Security servers:
Parameter | Value |
---|---|
Data source type | A custom data source type or a specific data source type that uses this connector. |
Connector type | Microsoft Graph Security API |
Log Source Identifier | Type a unique name for the log source. The Log Source Identifier can be any valid value and does not need to reference a specific server. It can also be the same value as the Log Source Name. If you have more than one configured Microsoft Graph Security log source, ensure that you give each one a unique name. |
Tenant ID | The Tenant ID value that is used for Microsoft Azure Active Directory authentication. |
Client ID | The Client ID parameter value from your application configuration of Microsoft Azure Active Directory. |
Client Secret | The Client Secret parameter value from your application configuration of Microsoft Azure Active Directory. |
Event Filter | Retrieve events by using the Microsoft Security Graph API query filter. For example, severity eq 'high'. Do not type "filter=" before the filter parameter. For more information about writing queries, see Curated Sample Queries (https://github.com/microsoftgraph/security-api-solutions/tree/master/Queries). |
Use Proxy | If QRadar accesses the Microsoft Graph Security API by proxy, enable this checkbox. If the proxy requires authentication, configure the Proxy Hostname or IP, Proxy Port, Proxy Username, and Proxy Password fields. If the proxy does not require authentication, configure the Proxy Hostname or IP and Proxy Port fields. |
Proxy IP or Hostname | The IP address or hostname of the proxy server. If the Use Proxy parameter is set to False, this option is hidden. |
Proxy Port | The port number that is used to communicate with the proxy. The default is 8080. If the Use Proxy parameter is set to False, this option is hidden. |
Proxy Username | The username that is used to communicate with the proxy. If Use Proxy is set to False, this option is hidden. |
Proxy Password | The password that is used to access the proxy. If Use Proxy is set to False, this option is hidden. |
Recurrence | Type a time interval beginning at the Start Time to determine how frequently the poll scans for new data. The time interval can include values in hours (H), minutes (M), or days (D). For example, 2H - 2 hours, 15M - 15 minutes. The default is 1M. |
EPS Throttle | The maximum number of events per second (EPS). The default is 5000. |
Show Advanced Options | To configure the advanced options for event collection, set this option to on. Important: The advanced option values are in effect even if you do not alter the values. |
Login Endpoint | Specify the Azure AD Login Endpoint. The default value is login.microsoftonline.com. If you disable Show Advanced Options, this option is hidden. |
Graph API Endpoint | Specify the Microsoft Graph Security API URL. The default value is https://graph.microsoft.com. If you disable Show Advanced Options, this option is hidden. |
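
A pre-flight check for these values, as an added example that is not IBM's or Microsoft's code: it validates the Event Filter and Recurrence formats described in the table and builds, without sending, the token and alert query requests that the credentials and endpoints would be used for. The OAuth 2.0 client-credentials token path and the `/v1.0/security/alerts` path are assumptions about what the connector calls, and the tenant, client and secret values are constructed placeholders.

```python
import re
from urllib.parse import quote, urlencode

def parse_recurrence(value="1M"):
    """Convert a Recurrence value such as 2H, 15M or 1D to seconds."""
    m = re.fullmatch(r"(\d+)([HMD])", value.strip())
    if not m or int(m.group(1)) == 0:  # a zero interval is assumed invalid
        raise ValueError(f"Recurrence must look like 2H, 15M or 1D, got {value!r}")
    return int(m.group(1)) * {"M": 60, "H": 3600, "D": 86400}[m.group(2)]

def check_event_filter(expr):
    """Reject the 'filter=' prefix that the Event Filter field must not contain."""
    expr = expr.strip()
    if re.match(r"\$?filter\s*=", expr, re.IGNORECASE):
        raise ValueError("Event Filter must not start with 'filter='")
    return expr

def build_requests(tenant_id, client_id, client_secret, event_filter="",
                   login_endpoint="login.microsoftonline.com",
                   graph_endpoint="https://graph.microsoft.com"):
    """Return (token_url, token_form_body, alerts_url) without sending anything."""
    # Assumed token path: Azure AD v2.0 client-credentials flow.
    token_url = f"https://{login_endpoint}/{quote(tenant_id, safe='')}/oauth2/v2.0/token"
    # The form body carries the client secret: never write it to logs.
    form = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{graph_endpoint}/.default",
    })
    # Assumed alerts path; the filter is sent as the OData $filter parameter.
    alerts_url = f"{graph_endpoint}/v1.0/security/alerts"
    expr = check_event_filter(event_filter)
    if expr:
        alerts_url += "?$filter=" + quote(expr, safe="'")
    return token_url, form, alerts_url

if __name__ == "__main__":
    # Constructed placeholder values, not real credentials.
    token_url, _form, alerts_url = build_requests(
        "TENANT-ID-PLACEHOLDER", "CLIENT-ID-PLACEHOLDER", "SECRET-PLACEHOLDER",
        event_filter="severity eq 'high'")
    print("POST", token_url)
    print("GET ", alerts_url)
    print("poll every", parse_recurrence("15M"), "seconds")
```

If the URLs printed for your tenant and filter return data when called with a bearer token from outside QRadar, the same Tenant ID, Client ID, Client Secret and Event Filter values can be entered in the connector fields as they are.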