Pull detections to your SIEM tools


Welcome to Microsoft Defender for Endpoint, the new name for Microsoft Defender Advanced Threat Protection. Read more about this and other updates here. We'll be updating names in products and in the docs in the near future.

Applies to:

Want to experience Microsoft Defender ATP? Sign up for a free trial.

Pull detections using security information and events management (SIEM) tools


Microsoft Defender ATP supports security information and event management (SIEM) tools to pull detections. Microsoft Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to pull detections from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment.

Microsoft Defender ATP currently supports the following specific SIEM solution tools through a dedicated SIEM integration model:

  • IBM QRadar
  • Micro Focus ArcSight

Other SIEM solutions (such as Splunk, RSA NetWitness) are supported through a different integration model based on the new Alert API. For more information, view the Partner application page and select the Security Information and Analytics section for full details.

To use either of these supported SIEM tools you'll need to:

For more information on the list of fields exposed in the Detection API see, Microsoft Defender ATP Detection fields.