Enable SIEM integration in Microsoft Defender for Endpoint

Applies to:

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Enable security information and event management (SIEM) integration so you can pull detections from Microsoft 365 Defender. Pull detections using your SIEM solution or by connecting directly to the detections REST API.



  • The user who activates the setting must have permissions to create an app in Azure Active Directory (AAD). This is someone with the following roles:

    • Security Administrator and either Global Administrator
    • Cloud Application Administrator
    • Application Administrator
    • Owner of the service principal
  • During the initial activation, a pop-up screen is displayed for credentials to be entered. Make sure that you allow pop-ups for this site.

Enabling SIEM integration

  1. In the navigation pane, select Settings > Endpoints > APIs > SIEM.

    Image of SIEM integration from Settings menu1.


    If you encounter an error when trying to enable the SIEM connector application, check the pop-up blocker settings of your browser. It might be blocking the new window being opened when you enable the capability.

  2. Select Enable SIEM integration. This activates the SIEM connector access details section with pre-populated values and an application is created under your Azure Active Directory (Azure AD) tenant.


    The client secret is only displayed once. Make sure you keep a copy of it in a safe place.

    Image of SIEM integration from Settings menu2.

  3. Choose the SIEM type you use in your organization.


    If you select HP ArcSight, you'll need to save these two configuration files:

    • WDATP-connector.jsonparser.properties
    • WDATP-connector.properties

    If you want to connect directly to the detections REST API through programmatic access, choose Generic API.

  4. Copy the individual values or select Save details to file to download a file that contains all the values.

  5. Select Generate tokens to get an access and refresh token.


    You'll need to generate a new Refresh token every 90 days.

  6. Follow the instructions for creating an Azure AD app registration for Microsoft Defender for Endpoint and assign the correct permissions to it to read alerts.

You can now proceed with configuring your SIEM solution or connecting to the detections REST API through programmatic access. You'll need to use the tokens when configuring your SIEM solution to allow it to receive detections from Microsoft 365 Defender.

Integrate Microsoft Defender for Endpoint with IBM QRadar

You can configure IBM QRadar to collect detections from Microsoft Defender for Endpoint. For more information, see IBM Knowledge Center.

See also