Integrate your SIEM tools with Microsoft Defender for Endpoint

Ingest alerts using security information and events management (SIEM) tools

Note

A Microsoft Defender for Endpoint alert is composed of one or more suspicious or malicious events that occurred on the device, together with their related details. The Microsoft Defender for Endpoint Alert API is the latest API for alert consumption and contains a detailed list of related evidence for each alert. For more information, see Alert methods and properties and List alerts.

Microsoft Defender for Endpoint supports security information and event management (SIEM) tools that ingest information from your enterprise tenant in Azure Active Directory (AAD). The SIEM tool authenticates with the OAuth 2.0 protocol as a registered AAD application that represents the specific SIEM solution or connector installed in your environment.

Microsoft Defender for Endpoint currently supports the following SIEM solution integrations:

Ingesting incidents and alerts from the Microsoft 365 Defender and Microsoft Defender for Endpoint incidents and alerts REST APIs

Ingesting incidents from the Microsoft 365 Defender incidents REST API

For more information on the Microsoft 365 Defender incidents API, see incidents methods and properties.

Ingesting alerts from the Microsoft Defender for Endpoint alerts REST API

For more information on the Microsoft Defender for Endpoint alerts API, see alerts methods and properties.

SIEM tool integration with Microsoft Defender for Endpoint

Splunk

Using the Microsoft 365 Defender Add-on for Splunk that supports:

  • Ingesting Microsoft Defender for Endpoint alerts
  • Updating alerts in Microsoft Defender for Endpoint from within Splunk

For more information on the Microsoft 365 Defender Add-on for Splunk, see splunkbase.

Micro Focus ArcSight

The new SmartConnector for Microsoft 365 Defender ingests incidents that contain alerts from all Microsoft 365 Defender products, including Microsoft Defender for Endpoint, into ArcSight and maps them onto its Common Event Format (CEF).

For more information on the new ArcSight SmartConnector for Microsoft 365 Defender, see ArcSight Product documentation.

The SmartConnector replaces the previous FlexConnector for Microsoft 365 Defender.
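The app-based OAuth 2.0 pull described earlier on this page and the alert-to-CEF mapping a connector such as the ArcSight SmartConnector performs, shown together as an added Python example that is not code from this page, from Microsoft or from any connector vendor. It assumes Microsoft's standard token endpoint, scope and alerts endpoint (none of which this page lists), alert field names as used by the Microsoft Defender for Endpoint alerts API, and its own choice of CEF severity mapping and extension fields; the two sample alert pages are constructed so that it runs offline.

```python
"""Added example: pull Defender for Endpoint alerts as a registered AAD app
(OAuth 2.0 client-credentials grant) and emit each alert as a CEF line.
Assumptions: Microsoft's standard endpoints/scope; MDE alerts API field names;
the CEF severity mapping and extension fields are this example's own choice."""
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
ALERTS_URL = "https://api.securitycenter.microsoft.com/api/alerts"
SCOPE = "https://api.securitycenter.microsoft.com/.default"
# Assumed mapping from MDE severity text to the CEF 0..10 severity integer.
CEF_SEVERITY = {"Informational": 0, "Low": 3, "Medium": 6, "High": 9}
HttpGet = Callable[[str, Dict[str, str]], dict]


def build_token_request(tenant_id: str, client_id: str, client_secret: str) -> Dict[str, str]:
    """URL and form body for the client-credentials grant (secret in the body, never the URL)."""
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "client_id": client_id,
                                   "client_secret": client_secret, "scope": SCOPE})
    return {"url": TOKEN_URL.format(tenant=tenant_id), "body": body}


def get_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Exchange the app credentials for a bearer token (network call)."""
    req = build_token_request(tenant_id, client_id, client_secret)
    request = urllib.request.Request(req["url"], data=req["body"].encode(), method="POST")
    with urllib.request.urlopen(request, timeout=30) as resp:
        return json.load(resp)["access_token"]


def urllib_get(url: str, headers: Dict[str, str]) -> dict:
    """Default HTTP GET; a fake is injected below for offline use."""
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers), timeout=30) as resp:
        return json.load(resp)


def fetch_alerts(token: str, since_iso: str, http_get: HttpGet = urllib_get) -> List[dict]:
    """Alerts created at/after since_iso, following @odata.nextLink and de-duplicating by id."""
    query = urllib.parse.urlencode({"$filter": f"alertCreationTime ge {since_iso}"})
    url: Optional[str] = f"{ALERTS_URL}?{query}"
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    seen, alerts = set(), []
    while url:
        page = http_get(url, headers)
        for alert in page.get("value", []):
            if alert["id"] in seen:  # overlapping pull windows can repeat an alert
                continue
            seen.add(alert["id"])
            alerts.append(alert)
        url = page.get("@odata.nextLink")  # absent on the last page
    return alerts


def next_watermark(alerts: List[dict], previous: str) -> str:
    """Newest alertCreationTime seen, so the next pull starts there rather than re-reading."""
    return max([a["alertCreationTime"] for a in alerts if "alertCreationTime" in a] + [previous])


def _cef_header(value) -> str:  # header fields escape backslash and pipe
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _cef_ext(value) -> str:  # extension values escape backslash, '=' and line breaks
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def alert_to_cef(alert: dict) -> str:
    """Render one alert as a CEF:0 line with the alert id kept as externalId for correlation."""
    header = "|".join(["CEF:0", "Microsoft", "Defender for Endpoint", "1.0",
                       _cef_header(alert.get("category", "Unknown")),
                       _cef_header(alert.get("title", "")),
                       str(CEF_SEVERITY.get(alert.get("severity", ""), 5))])  # unknown -> mid-scale
    extension = [("externalId", alert.get("id", "")), ("rt", alert.get("alertCreationTime", "")),
                 ("dhost", alert.get("computerDnsName", "")),
                 ("cs1Label", "machineId"), ("cs1", alert.get("machineId", "")),
                 ("cs2Label", "status"), ("cs2", alert.get("status", "")),
                 ("cs3Label", "detectionSource"), ("cs3", alert.get("detectionSource", ""))]
    return header + "|" + " ".join(f"{k}={_cef_ext(v)}" for k, v in extension)


# Constructed sample data: two pages from a fake alerts API, the second repeating one alert.
SAMPLE_PAGES = {
    "page1": {"value": [
        {"id": "alert-0001", "title": "Suspicious PowerShell | encoded command",
         "category": "Execution", "severity": "High", "status": "New",
         "alertCreationTime": "2023-05-01T10:00:00Z", "machineId": "abc123",
         "computerDnsName": "host01.contoso.local", "detectionSource": "WindowsDefenderAtp"}],
        "@odata.nextLink": "page2"},
    "page2": {"value": [
        {"id": "alert-0001", "title": "duplicate of the first alert", "severity": "High"},
        {"id": "alert-0002", "title": "Credential dumping attempt", "category": "CredentialAccess",
         "severity": "Medium", "status": "InProgress", "alertCreationTime": "2023-05-01T11:30:00Z",
         "machineId": "def456", "computerDnsName": "host02.contoso.local",
         "detectionSource": "WindowsDefenderAtp"}]},
}


def fake_get(url: str, headers: Dict[str, str]) -> dict:
    """Stand-in for urllib_get that serves the constructed pages."""
    assert headers["Authorization"].startswith("Bearer ")
    return SAMPLE_PAGES["page2" if url == "page2" else "page1"]


if __name__ == "__main__":
    pulled = fetch_alerts("constructed-token", "2023-05-01T00:00:00Z", fake_get)
    for a in pulled:
        print(alert_to_cef(a))
    print("next watermark:", next_watermark(pulled, "2023-05-01T00:00:00Z"))
```

Two details matter for a real deployment: the client secret travels only in the POST body, and the pull keeps a watermark plus an id set, so an overlapping window (which the `ge` filter deliberately allows) never produces duplicate SIEM events and a gap never goes unnoticed.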

IBM QRadar

Note

IBM QRadar integration with Microsoft 365 Defender, which includes Microsoft Defender for Endpoint, is now supported by the new Microsoft 365 Defender Device Support Module (DSM). The DSM calls the Microsoft 365 Defender Streaming API, which allows ingesting streaming event data from Microsoft 365 Defender products, including Microsoft Defender for Endpoint. For more information on the new QRadar Microsoft 365 Defender DSM, see IBM QRadar Product Documentation; for more information on the event types the Streaming API supports, see Supported event types.

New customers are no longer being onboarded using the previous QRadar Microsoft Defender ATP Device Support Module (DSM), and existing customers are encouraged to adopt the new Microsoft 365 Defender DSM as their single point of integration with all Microsoft 365 Defender products.

Ingesting Microsoft Defender for Endpoint events from the Microsoft 365 Defender event streaming API

Microsoft 365 Defender streaming event data includes alerts and other events from Microsoft Defender for Endpoint and other Microsoft Defender products. These events may be streamed to an Azure Storage Account or to Azure Event Hubs. The integration model via event hubs is currently supported by Splunk and IBM QRadar.

For more information, see Microsoft 365 Defender SIEM integration.