Microsoft 365 Defender

The data source type for Microsoft 365 Defender collects alerts that are forwarded from a Microsoft 365 Defender® service.
To integrate Microsoft 365 Defender with the QRadar® product, complete the following steps:
  1. Configure your Microsoft 365 platform to send alerts to the QRadar product. For more information, see Configuring Microsoft 365 Defender to communicate with the QRadar platform.
  2. Add a Microsoft 365 Defender data source.

For more information about adding a data source, see Adding ingestion data sources.

If you are an IBM® QRadar user, see Terminology changes for QRadar customers.

Integrate a Microsoft 365 Defender service when you use the Microsoft Defender for Endpoint SIEM REST API connector

If you want to integrate a Microsoft Windows Defender ATP service (the earlier name for Microsoft Defender for Endpoint) with QRadar, complete the following steps:
  1. Add a Microsoft 365 Defender log source that uses the Microsoft Defender for Endpoint SIEM REST API protocol on the QRadar Console. QRadar does not automatically detect the Microsoft Defender for Endpoint SIEM REST API. For more information, see Microsoft Defender for Endpoint SIEM REST API data source parameters for Microsoft 365 Defender.
  2. Optional: If you want to enable federated search for your Microsoft 365 Defender system, configure a connection to the data source. For more information, see Connecting data sources for federated search and querying.

For more information about adding a data source, see Adding ingestion data sources.

If you are an IBM® QRadar user, see Terminology changes for QRadar customers.