Microsoft Defender for Endpoint SIEM REST API log source parameters for Microsoft 365 Defender

You can add a Microsoft 365 Defender® data source in your QRadar® product by using the Microsoft Defender for Endpoint SIEM REST API connector.

When you use the Microsoft Defender for Endpoint SIEM REST API connector, there are specific parameters that you must use.

Attention: Due to a change in the Microsoft Defender API suite as of November 25th 2021, Microsoft no longer allows the onboarding of new integrations with their SIEM API. Existing integrations continue to function.

The Streaming API can be used with the Microsoft Azure Event Hubs connector to provide event and alert forwarding to your QRadar product. For more information about the service and its configuration, see Configure Microsoft 365 Defender to stream Advanced Hunting events to your Azure Event Hub (https://docs.microsoft.com/en-us/microsoft-365/security/defender/streaming-api-event-hub?view=o365-worldwide).

The following table describes the parameters that require specific values to collect Microsoft Defender for Endpoint SIEM REST API events from Microsoft 365 Defender:
Table 1. Microsoft Defender for Endpoint SIEM REST API connector parameters for the Microsoft 365 Defender data source type

Parameter         Value
Data source type  Microsoft 365 Defender
Connector type    Microsoft Defender for Endpoint SIEM REST API

For a complete list of Microsoft Defender for Endpoint SIEM REST API data source connector parameters and their values, see Microsoft Defender for Endpoint SIEM REST API connector configuration options.

For more information about adding a data source, see Adding ingestion data sources.