Microsoft Graph Security API protocol configuration options

To receive events from the Microsoft Graph Security API, configure a log source in IBM® QRadar® to use the Microsoft Graph Security API protocol.

The Microsoft Graph Security API protocol is an outbound/active protocol. Your DSM might also use this protocol. For a list of supported DSMs, see QRadar supported DSMs.

The following parameters require specific values to collect events from Microsoft Graph Security servers:

Table 1. Microsoft Graph Security log source parameters

Log Source type
    A custom log source type or a specific DSM that uses this protocol.

Protocol Configuration
    Microsoft Graph Security API

Log Source Identifier
    Type a unique name for the log source.

    The Log Source Identifier can be any valid value and does not need to reference a specific server. It can also be the same value as the Log Source Name. If you have more than one configured Microsoft Graph Security log source, ensure that you give each one a unique name.

Tenant ID
    The Tenant ID value that is used for Microsoft Azure Active Directory authentication.

Client ID
    The Client ID parameter value from your application configuration in Microsoft Azure Active Directory.

Client Secret
    You receive the Client Secret password when you configure the application in Microsoft Azure Active Directory. This password confirms that your user account is authorized to obtain an access token. You can obtain this value only when it is created, and it cannot be recovered later.

    If you lose your client secret password, you must create a new API key to continue to receive events from the Microsoft Graph Security API.

API
    The API dictates the types and formats of events that the protocol can collect.

    Select an API that is compatible with the selected DSM. If you use the Microsoft Azure Security Center DSM, select Alerts V1. If you use the Microsoft 365 Defender® DSM, select Alerts V2.

Service
    Limits the events to a specific service or product.

    Select a product that is compatible with the selected DSM. You can use the Other option to remove the filter or to add more filter settings. If you use the Microsoft 365 Defender DSM, select Microsoft Defender for Endpoint.

Event Filter
    Retrieve events by using the Microsoft Graph Security API query filter. For example, severity eq 'high'. Do not type "filter=" before the filter expression.

    For more information about writing queries, see Curated Sample Queries (https://github.com/microsoftgraph/security-api-solutions/tree/master/Queries).

Use Proxy
    If QRadar accesses the Microsoft Graph Security API by proxy, enable this checkbox.

    If the proxy requires authentication, configure the Proxy IP or Hostname, Proxy Port, Proxy Username, and Proxy Password fields.

    If the proxy does not require authentication, configure the Proxy IP or Hostname and Proxy Port fields.

Proxy IP or Hostname
    The IP address or hostname of the proxy server.

    If the Use Proxy parameter is set to False, this option is hidden.

Proxy Port
    The port number that is used to communicate with the proxy. The default is 8080.

    If the Use Proxy parameter is set to False, this option is hidden.

Proxy Username
    The username that is used to communicate with the proxy.

    If Use Proxy is set to False, this option is hidden.

Proxy Password
    The password that is used to access the proxy.

    If Use Proxy is set to False, this option is hidden.

Recurrence
    Type a time interval beginning at the Start Time to determine how frequently the poll scans for new data. The time interval can include values in hours (H), minutes (M), or days (D). For example, 2H is 2 hours and 15M is 15 minutes. The default is 1M.

EPS Throttle
    The maximum number of events per second (EPS). The default is 5000.

Show Advanced Options
    To configure the advanced options for event collection, enable this option.

Login Endpoint
    Specify the Azure AD Login Endpoint. The default value is login.microsoftonline.com.

    If you disable Show Advanced Options, this option is hidden.

Graph API Endpoint
    Specify the Microsoft Graph Security API URL. The default value is https://graph.microsoft.com.

    If you disable Show Advanced Options, this option is hidden.
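The following is an added illustration, not QRadar or Microsoft code, of what the parameters in Table 1 turn into on the wire: the client-credentials token request built from Tenant ID, Client ID, Client Secret and Login Endpoint, the alerts query built from API, Service, Event Filter and Graph API Endpoint (including the check that the filter is not prefixed with "filter="), and the Recurrence value parsed into seconds. The mapping of the Service parameter to an OData clause is an assumption; the page does not document how QRadar applies that filter.

```python
"""Compose the requests implied by the Microsoft Graph Security API
protocol parameters. Illustrative only; no network calls are made."""
import re
from urllib.parse import quote

# Graph alert resources selected by the API parameter.
ALERT_PATHS = {"Alerts V1": "/v1.0/security/alerts",
               "Alerts V2": "/v1.0/security/alerts_v2"}
# ASSUMPTION: how the Service parameter narrows the query. The page only
# says "select Microsoft Defender for Endpoint" for the Defender DSM.
SERVICE_FILTERS = {
    ("Alerts V2", "Microsoft Defender for Endpoint"):
        "serviceSource eq 'microsoftDefenderForEndpoint'",
}

def token_request(tenant_id, client_id, client_secret,
                  login_endpoint="login.microsoftonline.com"):
    """OAuth2 client-credentials request; the secret goes in the POST body,
    never in the URL, so it does not end up in proxy or server logs."""
    url = f"https://{login_endpoint}/{tenant_id}/oauth2/v2.0/token"
    body = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret,
            "scope": "https://graph.microsoft.com/.default"}
    return url, body

def event_filter_is_bare(event_filter):
    """True unless the user typed a 'filter=' or '$filter=' prefix."""
    return re.match(r"\s*\$?filter\s*=", event_filter, re.I) is None

def alerts_url(api, service, event_filter="",
               graph_endpoint="https://graph.microsoft.com"):
    """Alerts query for the chosen API, Service and Event Filter."""
    if not event_filter_is_bare(event_filter):
        raise ValueError("Event Filter must be the bare OData expression")
    clauses = []
    if service and service != "Other":      # "Other" removes the filter
        clauses.append(SERVICE_FILTERS[(api, service)])
    if event_filter.strip():
        clauses.append(f"({event_filter.strip()})")
    url = graph_endpoint.rstrip("/") + ALERT_PATHS[api]
    if clauses:
        url += "?$filter=" + quote(" and ".join(clauses), safe="()'/=")
    return url

def recurrence_seconds(value="1M"):
    """Recurrence such as 15M, 2H or 1D expressed in seconds."""
    m = re.fullmatch(r"(\d+)([HMD])", value.strip().upper())
    if not m:
        raise ValueError(f"bad recurrence: {value!r}")
    return int(m.group(1)) * {"M": 60, "H": 3600, "D": 86400}[m.group(2)]
```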