IBM Security QRadar

  • 1.  Obtaining MS 365 Defender logs.

    Posted Mon March 20, 2023 11:37 AM

    Hey guys,

    When configuring a new log source for Microsoft 365 Defender, QRadar fails to obtain the logs and gives me the following message: "Unable to obtain a valid access token. Ensure that the Resource, Client Id, and Client Secret is entered correctly. An attempt will be made again at the next retry interval."

    I have doubts regarding the configuration of the new source, specifically the Resource field. For this field, QRadar shows me the following message: "The resource that is used to access Microsoft Defender for Endpoint events." However, I do not know what this resource is. From what I understand it needs to be a URL, so I entered the following address, "https://login.microsoftonline.com", but even so I receive the error status. In the test, all steps are completed successfully.

    Best Regards,

    André Dombrosque



    ------------------------------
    André Dombrosque
    Service IT Security
    São Paulo
    ------------------------------


  • 2.  RE: Obtaining MS 365 Defender logs.

    Posted Tue March 21, 2023 09:10 AM

    Hi,

    The Microsoft Defender for Endpoint SIEM REST API protocol is deprecated and does not allow onboarding new integrations.

    Try the Graph API or Azure EH. I would recommend the Graph API, because Azure EH does not really parse Alert evidence events in a meaningful way.



    ------------------------------
    Ashish Khandewale, Security Consultant
    SIOC
    IBM Canada
    ------------------------------



  • 3.  RE: Obtaining MS 365 Defender logs.

    Posted Tue March 21, 2023 10:56 AM

    Hi,

    Ashish is right, you should use the Microsoft Graph Security API.

    If you only need Defender for Endpoint alerts, you can use API: /alerts_v2 and Service: Microsoft Defender For Endpoint.

    99% of events are parsed correctly with the default Microsoft 365 Defender DSM.



    ------------------------------
    Sebastian Pinau
    ------------------------------
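The token error in the original question comes from confusing the login host (which issues tokens) with the Resource (the API audience the collector will call). The following Python script is an added example, not QRadar's or IBM's code, that reproduces the OAuth2 client-credentials request the Graph API route needs, checks the returned token's audience, and reads /alerts_v2 outside QRadar so the credentials can be verified before touching the log source; the tenant id, client id and secret are placeholders, and `make_demo_token` builds a constructed, unsigned token only for offline testing.

```python
import base64
import json
import urllib.parse
import urllib.request

LOGIN_HOST = "https://login.microsoftonline.com"   # issues tokens; it is not a "resource"
GRAPH_RESOURCE = "https://graph.microsoft.com"     # audience the Graph API protocol calls
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # well-known Microsoft Graph app id
ALERTS_V2 = GRAPH_RESOURCE + "/v1.0/security/alerts_v2"


def build_token_request(tenant_id, client_id, client_secret, resource=GRAPH_RESOURCE):
    """Return (url, form_body) for the OAuth2 client-credentials grant.
    The v2.0 endpoint expresses the resource as the '<resource>/.default' scope."""
    url = f"{LOGIN_HOST}/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{resource}/.default",
    })
    return url, body


def token_audience(access_token):
    """Read the 'aud' claim from a JWT payload (inspection only, no signature check)."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)            # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload)).get("aud")


def audience_matches(access_token, allowed=(GRAPH_RESOURCE, GRAPH_APP_ID)):
    """True when the token was minted for the API the collector will actually call."""
    return token_audience(access_token) in allowed


def make_demo_token(aud):
    """Constructed, unsigned JWT for offline tests; a real token carries a signature."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc({'aud': aud})}."


def fetch_alerts(tenant_id, client_id, client_secret):
    """Live check outside QRadar: get a token, verify its audience, read alerts_v2."""
    url, body = build_token_request(tenant_id, client_id, client_secret)
    with urllib.request.urlopen(url, data=body.encode()) as resp:
        token = json.load(resp)["access_token"]
    if not audience_matches(token):
        raise SystemExit(f"token audience {token_audience(token)!r} is not Graph")
    req = urllib.request.Request(ALERTS_V2, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp).get("value", [])
```

If `fetch_alerts` returns alerts, the app registration and secret are fine and the remaining problem is the QRadar log source settings, not the credentials.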



  • 4.  RE: Obtaining MS 365 Defender logs.

    Posted Tue March 21, 2023 11:37 AM

    Thanks.



    ------------------------------
    André Dombrosque
    Service IT Security
    São Paulo
    ------------------------------


