IBM Security QRadar

 View Only

IBM QRadar and Microsoft Defender New Integration Release

By Gaurav Sharma posted Tue October 18, 2022 10:43 AM


The best way to predict the future is to create it. And our team has been working diligently on making it happen. 

I am delighted to announce that the Microsoft Defender DSM leveraging the new MS Defender Alerts_v2 API in Microsoft Graph is now released and is now available to all customers.

Earlier, we ran a very successful Early Access (EA) Program in conjunction with Microsoft’s private preview release. We enrolled a group of customers as part of the Program and their feedback has enabled us to deliver high-quality software into General Availability. 

This native integration initially supports Microsoft Defender for Endpoint (MDE), ensuring common customers have real-time visibility into all the actions being taken at their endpoints. Here are some of the intentional and unintentional actions that trigger alerts that are then sent to IBM QRadar SIEM via the MS Graph Defender API: 

  • Opening a phishing link 
  • Using removable media
  • Suspicious behaviour and failed logins 

Coming soon is the capability to ingest alerts from all Microsoft 365 Defender services – Identity, Cloud Apps, and O365 – giving customers a holistic view of their security landscape. 

In addition to the new Defender API, we continue to support the option to leverage Azure Event Hubs to bring MDE logs into QRadar SIEM. Below is what the process looks like: 

If you’d like to review the configuration instructions, they are available on our DSM Guide here

Huge shoutout to the Integrations Development team for their efforts in making this possible! Also, many thanks to my counterparts Naama Schlesinger and Michael Shalev at Microsoft for their support and collaboration. 

For any questions, please feel free to reach out to me on 


Thank you, 
Gaurav Sharma 
Product Manager, IBM Security