To send alert events from Microsoft 365 Defender to
the QRadar® platform,
you must register a new application in the Microsoft Azure portal and register an application with
the Microsoft identity platform.
Procedure
- Create an application that can be used to authenticate with the Microsoft Graph REST API.
For more information, see Register an application with the Microsoft identity platform
(https://learn.microsoft.com/en-us/graph/auth-register-app-v2).
- Register a new application in the Microsoft Azure portal (https://portal.azure.com).
- Set the SecurityAlert.Read.All application permission. For more
information, see the Specify the permissions your app requires to access the Reporting Web
Service documentation
(https://learn.microsoft.com/en-us/previous-versions/office/developer/o365-enterprise-developers/jj984325(v=office.15)#specify-the-permissions-your-app-requires-to-access-the-reporting-web-service).
- On the Overview page of the application, locate and copy the
Client ID and Tenant ID values to a text editor. You
need these values when you configure the Microsoft 365 Defender data source in the QRadar platform.
- On the Certificates and Secrets page of the application, click
New Secret to create the client secret, and then copy the client secret value
to a text editor. You need this value for the Client Secret parameter value
when you configure the Microsoft 365 Defender data source in the QRadar platform. For more
information, see Add a client secret
(https://learn.microsoft.com/en-us/graph/auth-register-app-v2#add-a-client-secret).
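Before you enter the copied values in QRadar, you can confirm that they belong together and that the permission took effect. The following is an added example, not part of the original documentation. It assumes the Microsoft identity platform v2.0 token endpoint and that the returned Graph access token is a JWT carrying `tid`, `appid` or `azp`, and `roles` claims; the function names and sample IDs are constructed for illustration.

```python
import base64
import json
import urllib.parse
import urllib.request

REQUIRED_ROLE = "SecurityAlert.Read.All"  # application permission set in the procedure

def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form body) for the OAuth 2.0 client-credentials grant."""
    url = ("https://login.microsoftonline.com/"
           + urllib.parse.quote(tenant_id, safe="") + "/oauth2/v2.0/token")
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret,
            "scope": "https://graph.microsoft.com/.default"}
    return url, urllib.parse.urlencode(form).encode()

def fetch_token(tenant_id, client_id, client_secret):
    """Request an app-only token (network call; not used by the offline demo)."""
    url, body = build_token_request(tenant_id, client_id, client_secret)
    with urllib.request.urlopen(urllib.request.Request(url, data=body), timeout=30) as r:
        return json.load(r)["access_token"]

def token_claims(access_token):
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    payload = access_token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def check_registration(access_token, tenant_id, client_id):
    """Return a list of problems; an empty list means the values match."""
    claims = token_claims(access_token)
    problems = []
    if claims.get("tid") != tenant_id:
        problems.append("tenant ID mismatch")
    if client_id not in (claims.get("appid"), claims.get("azp")):
        problems.append("client ID mismatch")
    # 'roles' is absent when the application permission has not been granted.
    if REQUIRED_ROLE not in claims.get("roles", []):
        problems.append("missing role " + REQUIRED_ROLE)
    return problems

def constructed_token(claims):
    """Build an unsigned sample token (constructed test data, not a real token)."""
    parts = [base64.urlsafe_b64encode(json.dumps(p).encode()).rstrip(b"=").decode()
             for p in ({"alg": "none"}, claims)]
    return ".".join(parts + ["sig"])

if __name__ == "__main__":
    tid, cid = "00000000-0000-0000-0000-000000000001", "00000000-0000-0000-0000-000000000002"
    print(check_registration(constructed_token({"tid": tid, "appid": cid}), tid, cid))
```

To check a real registration, pass the result of `fetch_token` to `check_registration`, and read the client secret from an environment variable or a secret store rather than writing it into the script.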
What to do next
Add a Microsoft 365 Defender data source.
For more information about adding a data source, see Adding ingestion data
sources.
For more information about configuring a Microsoft 365 Defender data source that uses
the Universal Cloud REST API connector, see Universal
Cloud REST API data source parameters for
Microsoft 365 Defender.