Migrating Microsoft Defender for Endpoint REST API log sources to Microsoft Graph Security API log sources

Microsoft deprecated the legacy SIEM API. To continue to receive data from Microsoft Defender® for Endpoint in IBM® QRadar®, you must register a new application and create a Microsoft Graph Security API log source to collect the data.

For more information about the SIEM API deprecation, see Deprecating the legacy SIEM API (https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/deprecating-the-legacy-siem-api/ba-p/3139643).

Procedure

  1. Register a new application.
    When you migrate to the Microsoft Graph Security API, the application permissions change; you must register a new application to ensure that the permissions are correct.
    1. Create an application that can be used to authenticate with the Microsoft Graph Security API.

      For more information, see Use the portal to create an Azure AD application and service principal that can access resources (https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal).

    2. Set the SecurityAlert.Read.All application permission.
    3. On the Overview page, you can find the Client ID and Tenant ID. Copy this information for when you create a log source.
    4. On the Certificates and Secrets page, click New Secret to create the client secret for the log source. Copy this information for when you create a log source.
  2. Create a Microsoft 365 Defender log source that uses the Microsoft Graph Security API protocol.
    When you migrate to the Microsoft Graph Security API, you create a new log source to pull events from the new configuration. For more information, see Adding a log source.

    The following table describes the parameters that require specific values to collect Microsoft Graph Security API events from Microsoft 365 Defender.

    Table 1. Microsoft Graph Security API log source parameters for the Microsoft 365 Defender DSM

    Parameter               Value
    ----------------------  ----------------------------------------------------------------
    Log Source type         Microsoft 365 Defender DSM
    Protocol Configuration  Microsoft Graph Security API
    Tenant ID               Enter the value that you obtained in step 3 of the application registration.
    Client ID               Enter the value that you obtained in step 3 of the application registration.
    Client Secret           Enter the value that you obtained in step 4 of the application registration.
    API                     Alerts V2
    Service                 Microsoft Defender for Endpoint
    Show Advanced Options   Enable this parameter to configure the Login Endpoint and
                            Graph API Endpoint parameters.
    Login Endpoint          login.microsoftonline.com
    Graph API Endpoint      https://graph.microsoft.com

    Important: If your deployment is in a Government Community Cloud (GCC) environment, the Login Endpoint and Graph API Endpoint have specific values. For more information about these values, see National cloud deployments (https://docs.microsoft.com/en-us/graph/deployments).

    For more information about the Microsoft Graph Security API protocol parameters, see Microsoft Graph Security API protocol configuration options.
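    To see what the log source does with the values in Table 1, the following Python script is an added example (not IBM's or Microsoft's code): it builds the client-credentials token request against the Login Endpoint, queries Alerts V2 on the Graph API Endpoint filtered to the Defender for Endpoint service, and follows @odata.nextLink paging. The endpoint paths and the serviceSource property are Microsoft Graph's documented ones; the placeholder IDs and the sample pages are constructed.

```python
"""Added example: the token request and Alerts V2 query behind a Microsoft
Graph Security API log source. Network access is confined to fetch_alerts(),
so request building and paging can be checked with constructed data."""
import json
import urllib.parse
import urllib.request


def token_request(tenant_id, client_id, client_secret,
                  login_endpoint="login.microsoftonline.com",
                  graph_endpoint="https://graph.microsoft.com"):
    """Client-credentials request for the OAuth 2.0 v2.0 token endpoint.
    SecurityAlert.Read.All is an application permission, so the scope is
    the .default scope of the Graph resource (which differs in GCC clouds,
    hence both endpoints are parameters, as under Show Advanced Options)."""
    url = f"https://{login_endpoint}/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{graph_endpoint}/.default",
    })
    return url, body


def alerts_request(graph_endpoint="https://graph.microsoft.com",
                   service_source="microsoftDefenderForEndpoint", top=100):
    """Alerts V2 URL restricted to one service, as the Service parameter does."""
    query = urllib.parse.urlencode({
        "$filter": f"serviceSource eq '{service_source}'",
        "$top": top,
    })
    return f"{graph_endpoint}/v1.0/security/alerts_v2?{query}"


def collect_pages(first_page, fetch_page):
    """Follow @odata.nextLink until the result set is exhausted. fetch_page(url)
    returns a parsed JSON page; it is injected so paging runs without a network."""
    alerts, page = [], first_page
    while True:
        alerts.extend(page.get("value", []))
        next_link = page.get("@odata.nextLink")
        if not next_link:
            return alerts
        page = fetch_page(next_link)


def fetch_alerts(token, graph_endpoint="https://graph.microsoft.com"):
    """Live query with a bearer token obtained via token_request()."""
    def fetch_page(url):
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return collect_pages(fetch_page(alerts_request(graph_endpoint)), fetch_page)
```

Posting the body from token_request() to its URL returns a JSON document whose access_token field is the value fetch_alerts() expects.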