Pull detections to your SIEM tools
Pull detections using security information and event management (SIEM) tools
- A Microsoft Defender ATP alert is composed of one or more detections.
- A Microsoft Defender ATP detection is composed of a suspicious event that occurred on a device together with the details of its related alert.
- The Microsoft Defender ATP Alert API is the latest API for alert consumption and contains a detailed list of related evidence for each alert. For more information, see Alert methods and properties and List alerts.
Microsoft Defender ATP supports pulling detections into security information and event management (SIEM) tools. Detections are exposed through an HTTPS endpoint hosted in Azure. A SIEM connector pulls detections for your enterprise tenant by authenticating to Azure Active Directory (AAD) with the OAuth 2.0 protocol as an AAD application that represents the specific SIEM connector installed in your environment; the connector then presents the resulting token to the endpoint on each pull.
Microsoft Defender ATP currently supports the following specific SIEM solution tools through a dedicated SIEM integration model:
- IBM QRadar
- Micro Focus ArcSight
Other SIEM solutions (such as Splunk and RSA NetWitness) are supported through a different integration model based on the new Alert API. For more information, see the Partner application page and select the Security Information and Analytics section for full details.
To use either of these supported SIEM tools you'll need to:
- Enable SIEM integration in Microsoft Defender ATP
- Configure the supported SIEM tool:
- Configure Micro Focus ArcSight to pull Microsoft Defender ATP detections
- Configure IBM QRadar to pull Microsoft Defender ATP detections. For more information, see IBM Knowledge Center.
For more information on the list of fields exposed in the Detection API, see Microsoft Defender ATP Detection fields.
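The following is an added example, not code from the Defender ATP documentation or from Microsoft, that puts the OAuth 2.0 flow described above and the two configuration steps together in one place: it requests a client-credentials token for the AAD application that represents the SIEM connector, pulls the detection list from the HTTPS endpoint, and rewrites each detection (suspicious event plus related alert details) as a CEF line of the kind an ArcSight-style collector ingests. The token request uses the standard AAD OAuth 2.0 client-credentials form parameters; the detections endpoint URL, the `resource` identifier and the detection field names (`AlertId`, `AlertTitle`, `Severity`, `Category`, `AlertTime`, `ComputerDnsName`, `FileName`, `Sha1`, `Description`) are assumptions for illustration and should be checked against the Detection fields reference. The sample detection is constructed, so the script runs offline.

```python
"""Pull Microsoft Defender ATP detections with an OAuth 2.0 client-credentials
token and re-emit them as CEF lines for an ArcSight-style SIEM collector.

Added example, not code from the Defender ATP documentation or from Microsoft.
The detections endpoint URL, the resource identifier and the detection field
names are assumptions for illustration, not values taken from the page."""
import json
import os
import sys
import urllib.parse
import urllib.request
from datetime import datetime, timezone

AAD_TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/token"

# Constructed sample detection (one suspicious event plus related alert
# details). Field names are assumed; verify them against the Detection fields
# reference before relying on them.
SAMPLE_DETECTIONS = [{
    "AlertId": "alert-0001",
    "AlertTitle": "Suspicious PowerShell command line",
    "Severity": "Medium",
    "Category": "Execution",
    "AlertTime": "2020-01-15T10:22:31Z",
    "ComputerDnsName": "ws01.contoso.local",
    "FileName": "powershell.exe",
    "Sha1": "0123456789abcdef0123456789abcdef01234567",
    "Description": "Encoded command (key=value pairs)\nreviewed by SOC",
}]


def build_token_request(tenant, client_id, client_secret, resource):
    """Return (url, form body) for the client-credentials grant; the AAD
    application identified by client_id represents the SIEM connector."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": resource,
    }).encode()
    return AAD_TOKEN_URL.format(tenant=urllib.parse.quote(tenant)), body


def http_post_form(url, body):
    req = urllib.request.Request(url, data=body, method="POST", headers={
        "Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as resp:  # TLS cert verified by default
        return json.load(resp)


def http_get_json(url, bearer_token):
    req = urllib.request.Request(url, headers={
        "Authorization": "Bearer " + bearer_token, "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def acquire_token(tenant, client_id, client_secret, resource, post=http_post_form):
    """Exchange the connector's credentials for a bearer token."""
    url, body = build_token_request(tenant, client_id, client_secret, resource)
    reply = post(url, body)
    if "access_token" not in reply:
        raise RuntimeError("token request failed: %s" % reply.get("error", "no access_token"))
    return reply["access_token"]


def pull_detections(endpoint, bearer_token, get=http_get_json):
    """GET the detections endpoint and return the list of detection objects."""
    data = get(endpoint, bearer_token)
    if not isinstance(data, list):
        raise ValueError("expected a JSON array of detections")
    return data


# CEF escaping: header fields escape '|' and '\'; extension values escape
# '=' and '\' and encode newlines as the two characters '\n'.
def _cef_header(value):
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _cef_ext(value):
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "").replace("\n", "\\n"))


SEVERITY = {"Informational": 0, "Low": 3, "Medium": 6, "High": 9}  # CEF 0-10 scale


def alert_time_ms(iso_ts):
    """ISO 8601 timestamp -> epoch milliseconds for the CEF 'rt' key."""
    dt = datetime.fromisoformat(iso_ts.replace("Z", "+00:00"))
    return int(dt.astimezone(timezone.utc).timestamp() * 1000)


def detection_to_cef(d):
    """Map one detection to a single CEF line (one record per detection)."""
    ext = [
        ("rt", alert_time_ms(d["AlertTime"]) if d.get("AlertTime") else None),
        ("dhost", d.get("ComputerDnsName")), ("cat", d.get("Category")),
        ("fname", d.get("FileName")), ("fileHash", d.get("Sha1")),
        ("externalId", d.get("AlertId")), ("msg", d.get("Description")),
    ]
    header = "|".join(["CEF:0", "Microsoft", "Defender ATP", "1.0",
                       _cef_header(d.get("AlertId", "")),
                       _cef_header(d.get("AlertTitle", "")),
                       str(SEVERITY.get(d.get("Severity"), 5))])
    return header + "|" + " ".join(
        "%s=%s" % (k, _cef_ext(v)) for k, v in ext if v not in (None, ""))


if __name__ == "__main__":
    # Offline demo on the constructed sample; set the (hypothetical) environment
    # variables below to pull from a real tenant. The secret stays out of argv.
    if os.environ.get("WDATP_TENANT"):
        token = acquire_token(os.environ["WDATP_TENANT"], os.environ["WDATP_CLIENT_ID"],
                              os.environ["WDATP_CLIENT_SECRET"], os.environ["WDATP_RESOURCE"])
        detections = pull_detections(os.environ["WDATP_DETECTIONS_URL"], token)
    else:
        detections = SAMPLE_DETECTIONS
    for det in detections:
        sys.stdout.write(detection_to_cef(det) + "\n")
```

Two points worth keeping from this layout when wiring a real connector: the client secret is the identity of the connector as far as AAD is concerned, so it is read from the environment (or a secret store) rather than from the command line, and every value copied into the CEF extension is escaped so that a `=`, `\` or newline inside an alert description cannot break the record or be read by the SIEM as a new key.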