Microsoft 365 Defender
The JSA Microsoft 365 Defender DSM collects events from a Microsoft 365 Defender service by using the Microsoft Azure Event Hubs protocol to collect Streaming API data, or the Defender for Endpoint SIEM REST API protocol for alert data.
The Microsoft Windows Defender ATP DSM name is now the Microsoft 365 Defender DSM. The DSM RPM name remains as Microsoft Windows Defender ATP in JSA.
Due to a change in the Microsoft Defender API suite as of November 25th 2021, Microsoft no longer allows the onboarding of new integrations with their SIEM API. Existing integrations continue to function.
The Streaming API can be used with the Microsoft Azure Event Hubs protocol to provide event and alert forwarding to JSA. For more information about the service and its configuration, see Configure Microsoft 365 Defender to stream Advanced Hunting events to your Azure Event Hub.
Integrate a Microsoft 365 Defender service when you use the Microsoft Azure Event Hubs protocol
If you want to integrate Microsoft 365 Defender with JSA, complete the following steps:
- If automatic updates are not enabled, download the most recent versions of the following RPMs from the Juniper Downloads:
  - Protocol Common RPM
  - Microsoft Azure Event Hubs Protocol RPM
  - DSMCommon RPM
  - Microsoft 365 Defender DSM RPM
- Configure Microsoft 365 Defender to send advanced hunting events to a Microsoft Azure Event Hub. For more information, see Configure Microsoft 365 Defender to stream Advanced Hunting events to your Azure Event Hub.
- If JSA does not automatically detect the log source, add a Microsoft 365 Defender log source that uses the Microsoft Azure Event Hubs protocol on the JSA Console. For more information about the protocol, see Microsoft Azure Event Hubs log source parameters for Microsoft 365 Defender.
Integrate a Microsoft 365 Defender service when you use the Microsoft Defender for Endpoint SIEM REST API protocol
If you want to integrate a Microsoft 365 Defender service with JSA by using the SIEM REST API, complete the following steps. Because Microsoft no longer onboards new integrations with the SIEM API, use this procedure only for an existing SIEM API integration; a new integration must use the Microsoft Azure Event Hubs protocol instead.
- If automatic updates are not enabled, download the most recent versions of the following RPMs from the Juniper Downloads:
  - Protocol Common RPM
  - Microsoft Defender for Endpoint SIEM REST API Protocol RPM
  - DSMCommon RPM
  - Microsoft 365 Defender DSM RPM
- Add a Microsoft 365 Defender log source that uses the Microsoft Defender for Endpoint SIEM REST API protocol on the JSA Console. JSA does not automatically detect the Microsoft Defender for Endpoint SIEM REST API. For more information, see Microsoft Defender for Endpoint SIEM REST API Log Source Parameters for Microsoft 365 Defender.
Microsoft 365 Defender DSM Specifications
The following table identifies the specifications for the Microsoft 365 Defender DSM.
Specification | Value
---|---
Manufacturer | Microsoft
DSM name | Microsoft 365 Defender
RPM file name | DSM-MicrosoftWindowsDefenderATP-JSA-version-Build_number.noarch.rpm
Supported versions | N/A
Protocols | Microsoft Defender for Endpoint SIEM REST API; Microsoft Azure Event Hubs
Event format | JSON
Recorded event types | Microsoft Azure Event Hubs protocol: Alerts (supported only for Microsoft Defender for Endpoint), Device, Email. Microsoft Defender for Endpoint SIEM REST API protocol: Windows Defender ATP, Windows Defender AV, Third party TI, Customer TI, Bitdefender
Automatically discovered? | Yes (Microsoft Azure Event Hubs protocol only; a log source that uses the Microsoft Defender for Endpoint SIEM REST API protocol must be added manually)
Includes identity? | Yes
Includes custom properties? | No
More information |
Microsoft Defender for Endpoint SIEM REST API Log Source Parameters for Microsoft 365 Defender
JSA does not automatically detect a log source that uses the Microsoft Defender for Endpoint SIEM REST API protocol, so you must add the Microsoft 365 Defender log source on the JSA Console manually.
When you use the Microsoft Defender for Endpoint SIEM REST API protocol, there are specific parameters that you must use.
The following table describes the parameters that require specific values to collect Microsoft Defender for Endpoint SIEM REST API events from Microsoft 365 Defender:
Parameter | Value
---|---
Log Source type | Microsoft 365 Defender
Protocol Configuration | Microsoft Defender for Endpoint SIEM REST API
For a complete list of Microsoft Defender for Endpoint SIEM REST API log source protocol parameters and their values, see Microsoft Defender for Endpoint SIEM REST API Protocol Configuration Options.
Microsoft Azure Event Hubs Log Source Parameters for Microsoft 365 Defender
If JSA does not automatically detect the log source, add a Microsoft 365 Defender log source on the JSA Console by using the Microsoft Azure Event Hubs protocol.
When you use the Microsoft Azure Event Hubs protocol, there are specific parameters that you must use.
The following table describes the parameters that require specific values to collect Microsoft Azure Event Hubs events from Microsoft 365 Defender:
Parameter | Value
---|---
Log Source type | Microsoft 365 Defender
Protocol Configuration | Microsoft Azure Event Hubs
Log Source Identifier | Use an identifiable name or IP address for the log source. When the Use as a Gateway Log Source parameter is enabled, the Log Source Identifier value is not used.
For a complete list of Microsoft Azure Event Hubs protocol parameters and their values, see Microsoft Azure Event Hubs Protocol Configuration Options.
Microsoft 365 Defender Sample Event Messages
Use these sample event messages to verify a successful integration with JSA.
Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.
Microsoft 365 Defender Sample Messages when you use the Microsoft Azure Event Hubs Protocol
Sample 1: The following sample event message shows a successful scheduled task update.
{"time":"2021-07-21T00:57:23.0186119Z","tenantId":"abc12345-123a-123a-456babcdefg12345","operationName":"Publish","category":"AdvancedHunting-DeviceEvents","properties":{"AccountSid":null,"AccountDomain":null,"AccountName":null,"LogonId":null,"FileName":null,"FolderPath":null,"MD5":null,"SHA1":null,"FileSize":null,"SHA256":null,"ProcessCreationTime":null,"ProcessTokenElevation":null,"RemoteUrl":null,"RegistryKey":null,"RegistryValueName":null,"RegistryValueData":null,"RemoteDeviceName":null,"FileOriginIP":null,"FileOriginUrl":null,"LocalIP":null,"LocalPort":null,"RemoteIP":null,"RemotePort":null,"ProcessId":null,"ProcessCommandLine":null,"AdditionalFields":"{\"TaskName\":\"\\\\Microsoft\\\\Windows\\\\UpdateOrchestrator\\\\Schedule Maintenance Work\"}","ActionType":"ScheduledTaskUpdated","InitiatingProcessVersionInfoCompanyName":null,"InitiatingProcessVersionInfoProductName":null,"InitiatingProcessVersionInfoProductVersion":null,"InitiatingProcessVersionInfoInternalFileName":null,"InitiatingProcessVersionInfoOriginalFileName":null,"InitiatingProcessVersionInfoFileDescription":null,"InitiatingProcessFolderPath":null,"InitiatingProcessFileName":null,"InitiatingProcessFileSize":null,"InitiatingProcessMD5":null,"InitiatingProcessSHA256":null,"InitiatingProcessSHA1":null,"InitiatingProcessLogonId":999,"InitiatingProcessAccountSid":"S-1-5-18","InitiatingProcessAccountDomain":"m365defender","InitiatingProcessAccountName":"clientpc$","InitiatingProcessAccountUpn":null,"InitiatingProcessAccountObjectId":null,"InitiatingProcessCreationTime":null,"InitiatingProcessId":null,"InitiatingProcessCommandLine":null,"InitiatingProcessParentCreationTime":null,"InitiatingProcessParentId":null,"InitiatingProcessParentFileName":null,"DeviceId":"111122223333444455556666777788889999aaaa","AppGuardContainerId":"","MachineGroup":null,"Timestamp":"2021-07-21T00:55:44.2280946Z","DeviceName":"clientpc.example.net","ReportId":60533}}
JSA field name | Highlighted payload field name
---|---
Event Category | category
Event ID | ActionType
Device Time | Timestamp
Sample 2: The following sample event message shows an alert to possible keylogging activity.
{"time":"2021-09-09T00:40:17.7066896Z","tenantId":"abc12345-123a-123a-456babcdefg12345","operationName":"Publish","category":"AdvancedHunting-AlertInfo","properties":{"AlertId":"da637667448174310467_1631502683","Timestamp":"2021-09-09T00:39:17.1650944Z","Title":"Possible keylogging activity","ServiceSource":"Microsoft Defender for Endpoint","Category":"Collection","Severity":"High","DetectionSource":"EDR","MachineGroup":null,"AttackTechniques":"[\"Input Capture (T1056)\"]"}}
JSA field name | Highlighted payload field name
---|---
Event Category | category
Event ID | Title
Device Time | Timestamp
Microsoft 365 Defender sample messages when you use the Microsoft Defender for Endpoint SIEM REST API protocol
Sample 1: The following sample event message shows suspicious activity.
{"AlertTime":"2017-12-27T03:54:41.1914393Z","ComputerDnsName":"<ComputerDnsName>","AlertTitle":"<AlertTitle>","Category":"CommandAndControl","Severity":"<Severity>","AlertId":"<AlertId>","Actor":"<Actor>","LinkToWDATP":"<LinkToWDATP>","IocName":"<IocName>","IocValue":"<IocValue>","CreatorIocName":"<CreatorIocName>","CreatorIocValue":"<CreatorIocValue>","Sha1":"<Sha1>","FileName":"<FileName>","FilePath":"<FilePath>","IpAddress":"192.0.2.0","Url":"<Url>","IoaDefinitionId":"<IoaDefinitionId>","UserName":"qradar1","AlertPart":"<AlertPart>","FullId":"<FullId>","LastProcessedTimeUtc":"2017-12-27T07:16:34.1412283Z","ThreatCategory":"<ThreatCategory>","ThreatFamily":"<ThreatFamily>","ThreatName":"<ThreatName>","RemediationAction":"<RemediationAction>","RemediationIsSuccess":"<RemediationIsSuccess>","Source":"WindowsDefenderAtp","Md5":"<Md5>","Sha256":"<Sha256>","WasExecutingWhileDetected":"<WasExecutingWhileDetected>","UserDomain":"<UserDomain>","LogOnUsers":"<LogOnUsers>","MachineDomain":"<MachineDomain>","MachineName":"<MachineName>","InternalIPv4List":"192.0.2.0;127.0.0.1","InternalIPv6List":"2001:0DB8:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF","FileHash":"<FileHash>","ExternalId":"<ExternalId>","IocUniqueId":"IocUniqueId"}
JSA field name | Highlighted payload field name
---|---
Device Time | AlertTime
Event ID | Category
Source IP | IpAddress
Source IP v6 | InternalIPv6List
Username | UserName
Sample 2: The following sample event message shows that a backdoor access is detected.
{"AlertTime":"2017-11-22T18:01:32.1887775Z","ComputerDnsName":"<ComputerDnsName>","AlertTitle":"<AlertTitle>","Category":"Backdoor","Severity":"<Severity>","AlertId":"<AlertId>","Actor":"<Actor>","LinkToWDATP":"<LinkToWDATP>","IocName":"<IocName>","IocValue":"<IocValue>","CreatorIocName":"<CreatorIocName>","CreatorIocValue":"<CreatorIocValue>","Sha1":"<Sha1>","FileName":"<FileName>","FilePath":"<FilePath>","IpAddress":"192.0.2.0","Url":"<Url>","IoaDefinitionId":"<IoaDefinitionId>","UserName":"qradar1","AlertPart":"<AlertPart>","FullId":"<FullId>","LastProcessedTimeUtc":"2017-11-22T18:01:49.8739015Z","ThreatCategory":"<ThreatCategory>","ThreatFamily":"<ThreatFamily>","ThreatName":"<ThreatName>","RemediationAction":"<RemediationAction>","RemediationIsSuccess":"<RemediationIsSuccess>","Source":"WindowsDefenderAtp","Md5":"<Md5>","Sha256":"<Sha256>","WasExecutingWhileDetected":"<WasExecutingWhileDetected>","UserDomain":"<UserDomain>","LogOnUsers":"<LogOnUsers>","MachineDomain":"<MachineDomain>","MachineName":"<MachineName>","InternalIPv4List":"192.0.2.0;127.0.0.1","InternalIPv6List":"2001:0DB8:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF","FileHash":"<FileHash>","ExternalId":"<ExternalId>","IocUniqueId":"IocUniqueId"}
JSA field name | Highlighted payload field name
---|---
Device Time | AlertTime
Event ID | Category
Source IP | IpAddress
Source IP v6 | InternalIPv6List
Username | UserName
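The two sets of sample messages above (Microsoft Azure Event Hubs streaming records and Microsoft Defender for Endpoint SIEM REST API alerts) map to JSA fields in two different ways. The following script is an added example, not JSA or Microsoft code: it applies both mapping tables to constructed samples cut down from the page's messages, so you can check offline which payload field should land in which JSA field before you look at the parsed event in the JSA Console. The function names, output keys, the "Device Name" field and the samples themselves are assumptions for this example.

```python
"""Normalise Microsoft 365 Defender payloads to the JSA field names used in the
mapping tables on this page. Added example, not JSA or Microsoft code; function
names, output keys and the constructed samples are assumptions."""
import ipaddress
import json
from datetime import datetime, timezone

# Constructed samples, shortened from the page's sample messages. The SIEM API
# sample keeps Microsoft's <Placeholder> values exactly as the page shows them.
EVENT_HUB_DEVICE_EVENT = (
    r'{"time":"2021-07-21T00:57:23.0186119Z","tenantId":"abc12345-123a-123a-456babcdefg12345",'
    r'"operationName":"Publish","category":"AdvancedHunting-DeviceEvents","properties":{'
    r'"AccountName":null,"FileName":null,"RemoteIP":null,"RemotePort":null,'
    r'"AdditionalFields":"{\"TaskName\":\"\\\\Microsoft\\\\Windows\\\\UpdateOrchestrator\\\\Schedule Maintenance Work\"}",'
    r'"ActionType":"ScheduledTaskUpdated","InitiatingProcessAccountSid":"S-1-5-18",'
    r'"InitiatingProcessAccountDomain":"m365defender","InitiatingProcessAccountName":"clientpc$",'
    r'"DeviceId":"111122223333444455556666777788889999aaaa","Timestamp":"2021-07-21T00:55:44.2280946Z",'
    r'"DeviceName":"clientpc.example.net","ReportId":60533}}'
)
EVENT_HUB_ALERT = (
    r'{"time":"2021-09-09T00:40:17.7066896Z","tenantId":"abc12345-123a-123a-456babcdefg12345",'
    r'"operationName":"Publish","category":"AdvancedHunting-AlertInfo","properties":{'
    r'"AlertId":"da637667448174310467_1631502683","Timestamp":"2021-09-09T00:39:17.1650944Z",'
    r'"Title":"Possible keylogging activity","ServiceSource":"Microsoft Defender for Endpoint",'
    r'"Category":"Collection","Severity":"High","DetectionSource":"EDR","MachineGroup":null,'
    r'"AttackTechniques":"[\"Input Capture (T1056)\"]"}}'
)
SIEM_ALERT = (
    r'{"AlertTime":"2017-12-27T03:54:41.1914393Z","ComputerDnsName":"<ComputerDnsName>",'
    r'"AlertTitle":"<AlertTitle>","Category":"CommandAndControl","Severity":"<Severity>",'
    r'"AlertId":"<AlertId>","IpAddress":"192.0.2.0","UserName":"qradar1","UserDomain":"<UserDomain>",'
    r'"Source":"WindowsDefenderAtp","InternalIPv4List":"192.0.2.0;127.0.0.1",'
    r'"InternalIPv6List":"2001:0DB8:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF","Sha256":"<Sha256>"}'
)


def parse_utc(ts):
    """Parse Defender's UTC timestamps, which carry seven fractional digits
    (100 ns). datetime stores microseconds, so the extra digit is truncated
    instead of making the whole event unparseable."""
    if not ts.endswith("Z"):
        raise ValueError(f"expected a UTC 'Z' timestamp, got {ts!r}")
    body, _, frac = ts[:-1].partition(".")
    micros = int((frac + "000000")[:6]) if frac else 0
    return datetime.strptime(body, "%Y-%m-%dT%H:%M:%S").replace(
        microsecond=micros, tzinfo=timezone.utc)


def normalize_streaming(rec):
    """Streaming API record delivered through Azure Event Hubs."""
    category = rec["category"]
    props = rec.get("properties") or {}
    # Event ID: alerts are keyed by Title; hunting tables by ActionType. Assumption:
    # the page only shows DeviceEvents, other AdvancedHunting-* tables also carry ActionType.
    event_id = props.get("Title") if category == "AdvancedHunting-AlertInfo" else props.get("ActionType")
    # Device Time is properties.Timestamp (when the device saw the event), not the
    # envelope "time" (when Defender published the record to the hub).
    device_time = parse_utc(props["Timestamp"])
    # Defender serialises AdditionalFields as a JSON string inside the JSON record.
    extra = props.get("AdditionalFields")
    if isinstance(extra, str) and extra:
        extra = json.loads(extra)
    return {
        "Event Category": category,
        "Event ID": event_id,
        "Device Time": device_time,
        "Device Name": props.get("DeviceName"),  # not in the page's table; carried for context
        "AdditionalFields": extra,
    }


def first_valid(addr_list, version):
    """Return the first address of the wanted IP version from a ';'-separated list
    (the page shows ';' for InternalIPv4List; assumed to apply to the IPv6 list too).
    Placeholders such as <IpAddress> are not valid addresses and yield None."""
    for item in (addr_list or "").split(";"):
        try:
            ip = ipaddress.ip_address(item.strip())
        except ValueError:
            continue
        if ip.version == version:
            return str(ip)  # canonical form, e.g. lowercase compressed IPv6
    return None


def normalize_siem_alert(rec):
    """Alert fetched with the Defender for Endpoint SIEM REST API protocol."""
    return {
        "Device Time": parse_utc(rec["AlertTime"]),
        "Event ID": rec.get("Category"),
        "Source IP": first_valid(rec.get("IpAddress"), 4),
        "Source IP v6": first_valid(rec.get("InternalIPv6List"), 6),
        "Username": rec.get("UserName"),
    }


def normalize(raw):
    """Detect which of the two payload shapes `raw` is and normalise it."""
    rec = json.loads(raw)
    if str(rec.get("category", "")).startswith("AdvancedHunting-"):
        return normalize_streaming(rec)
    if rec.get("Source") == "WindowsDefenderAtp" or "AlertTime" in rec:
        return normalize_siem_alert(rec)
    raise ValueError("not a Microsoft 365 Defender payload this example understands")


if __name__ == "__main__":
    for sample in (EVENT_HUB_DEVICE_EVENT, EVENT_HUB_ALERT, SIEM_ALERT):
        print(normalize(sample))
```

Two details are worth checking against your own events: the streaming record carries two timestamps, and only properties.Timestamp is the device time that the table maps; and IP addresses are returned in canonical form, so the uppercase IPv6 address in the sample comes back lowercased and compressed, which is also how JSA normalises addresses for searching.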