Thanks.
Original Message:
Sent: Tue March 21, 2023 10:55 AM
From: Sebastian Pinau
Subject: Obtaining MS 365 Defender logs.
Hi,
Ashish is right, you should use the Microsoft Graph Security API.
If you need only Defender for Endpoint alerts, you can use API: /alerts_v2 and Service: Microsoft Defender For Endpoint.
99% of events are parsed correctly with the default Microsoft 365 Defender DSM.
------------------------------
Sebastian Pinau
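For readers who want to see what the QRadar log source does behind the Resource / Client Id / Client Secret fields, and why the value André put in Resource produces the "Unable to obtain a valid access token" error, here is an added example. It is not code from this thread, from IBM QRadar, or from Microsoft: it requests an OAuth2 client-credentials token from the login authority for a chosen API resource and then reads alerts from the Graph Security /alerts_v2 endpoint Sebastian mentions. The resource values (https://graph.microsoft.com for Graph, https://api.securitycenter.microsoft.com for the Defender for Endpoint API), the /v1.0/security/alerts_v2 path, and the alert field names used in `summarize_alert` are taken from Microsoft's public documentation as I know it, not from the thread, and the tenant id, client id and secret are placeholders.

```python
"""Client-credentials token request and Graph Security alerts_v2 fetch.

Added example, not code from the thread, from QRadar or from Microsoft.
Assumptions (from Microsoft's public docs, not stated in the thread):
  - Graph Security API audience:        https://graph.microsoft.com
  - Defender for Endpoint API audience: https://api.securitycenter.microsoft.com
  - alerts_v2 path under Graph:         /v1.0/security/alerts_v2
"""
import json
import urllib.parse
import urllib.request

LOGIN_AUTHORITY = "https://login.microsoftonline.com"
GRAPH_RESOURCE = "https://graph.microsoft.com"
MDE_RESOURCE = "https://api.securitycenter.microsoft.com"
KNOWN_RESOURCES = {
    GRAPH_RESOURCE: "Microsoft Graph Security API (alerts_v2)",
    MDE_RESOURCE: "Microsoft Defender for Endpoint API",
}


def classify_resource(resource: str) -> str:
    """Say whether a 'Resource' value is an API audience or a common mistake.

    The login authority is where the token is requested, not what the token
    is for; putting it in the Resource field means the token request asks
    for an audience that no API accepts, which is the symptom in the thread.
    """
    r = resource.strip().rstrip("/")
    if r in KNOWN_RESOURCES:
        return "ok: " + KNOWN_RESOURCES[r]
    if r.startswith(LOGIN_AUTHORITY):
        return "error: login authority is not an API resource"
    return "unknown: check the API's documented audience"


def build_token_request(tenant_id: str, client_id: str,
                        client_secret: str, resource: str):
    """Build the OAuth2 client-credentials POST for the v1 token endpoint.

    The v1 endpoint takes 'resource'; the v2 endpoint would take
    'scope=<resource>/.default' instead. Returns (url, form body bytes).
    """
    url = f"{LOGIN_AUTHORITY}/{tenant_id}/oauth2/token"
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": resource,
    }
    return url, urllib.parse.urlencode(body).encode()


def fetch_token(tenant_id: str, client_id: str,
                client_secret: str, resource: str) -> str:
    """POST the token request and return the bearer token (network call)."""
    url, data = build_token_request(tenant_id, client_id, client_secret, resource)
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def fetch_alerts_v2(token: str, top: int = 50) -> list:
    """GET the newest alerts from Graph Security alerts_v2 (network call)."""
    url = f"{GRAPH_RESOURCE}/v1.0/security/alerts_v2?$top={top}"
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp).get("value", [])


def summarize_alert(alert: dict) -> dict:
    """Reduce one alerts_v2 record to the fields a SIEM event would carry.

    Field names (id, title, severity, status, evidence) are assumed from the
    documented alerts_v2 schema; missing fields are tolerated.
    """
    return {
        "id": alert.get("id", ""),
        "title": alert.get("title", ""),
        "severity": alert.get("severity", "unknown"),
        "status": alert.get("status", "unknown"),
        "evidence_count": len(alert.get("evidence") or []),
    }


if __name__ == "__main__":
    # Constructed sample alert, not captured from a real tenant.
    sample = {"id": "alert-placeholder", "title": "Suspicious sign-in",
              "severity": "high", "status": "new", "evidence": [{}, {}]}
    print(classify_resource("https://login.microsoftonline.com"))
    print(classify_resource(GRAPH_RESOURCE))
    print(summarize_alert(sample))
    # To pull live alerts, fill in real values:
    # tok = fetch_token("<tenant-id>", "<client-id>", "<client-secret>", GRAPH_RESOURCE)
    # for a in fetch_alerts_v2(tok): print(summarize_alert(a))
```

The point for the thread: the Resource field must hold the audience of the API the token is for, not the login URL; `classify_resource` flags the latter before any network call is made.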
Original Message:
Sent: Tue March 21, 2023 09:10 AM
From: Ashish Khandewale
Subject: Obtaining MS 365 Defender logs.
Hi,
The Microsoft Defender for Endpoint SIEM REST API protocol is deprecated and does not allow onboarding new integrations.
Try the Graph API or Azure EH. I would recommend the Graph API because Azure EH does not really parse Alert evidence events in a meaningful way.
------------------------------
Ashish Khandewale, Security Consultant
SIOC
IBM Canada
Original Message:
Sent: Mon March 20, 2023 11:37 AM
From: André Dombrosque
Subject: Obtaining MS 365 Defender logs.
Hey guys,
When configuring a new log source for Microsoft 365 Defender, QRadar fails to obtain them and gives me the following message: "Unable to obtain a valid access token. Ensure that the Resource, Client Id, and Client Secret is entered correctly. An attempt will be made again at the next retry interval."
I have doubts regarding the configuration of the new source with the Resource field. For this field QRadar shows me the following message: "The resource that is used to access Microsoft Defender for Endpoint events." However, I do not know what this resource is; it needs to be a URL from what I understand. I put the following address, "https://login.microsoftonline.com", but even so I receive the error status, although in the test all steps complete successfully.
Best Regards,
André Dombrosque
------------------------------
André Dombrosque
Service IT Security
São Paulo
------------------------------