Pull detections to your SIEM tools

Applies to:

Want to experience Microsoft Defender ATP? Sign up for a free trial.

Pull detections using security information and events management (SIEM) tools

Note

Microsoft Defender ATP supports security information and event management (SIEM) tools to pull detections. Microsoft Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to pull detections from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment.

Microsoft Defender ATP currently supports the following SIEM tools:

  • Splunk
  • HP ArcSight

To use either of these supported SIEM tools you'll need to:

For more information on the list of fields exposed in the Detection API see, Microsoft Defender ATP Detection fields.

Pull Microsoft Defender ATP detections using REST API

Microsoft Defender ATP supports the OAuth 2.0 protocol to pull detections using REST API.

For more information, see Pull Microsoft Defender ATP detections using REST API.

In this section

Topic Description
Enable SIEM integration in Microsoft Defender ATP Learn about enabling the SIEM integration feature in the Settings page in the portal so that you can use and generate the required information to configure supported SIEM tools.
Configure Splunk to pull Microsoft Defender ATP detections Learn about installing the REST API Modular Input App and other configuration settings to enable Splunk to pull Microsoft Defender ATP detections.
Configure HP ArcSight to pull Microsoft Defender ATP detections Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to pull Microsoft Defender ATP detections.
Microsoft Defender ATP Detection fields Understand what data fields are exposed as part of the alerts API and how they map to Microsoft Defender Security Center.
Pull Microsoft Defender ATP detections using REST API Use the Client credentials OAuth 2.0 flow to pull detections from Microsoft Defender ATP using REST API.
Troubleshoot SIEM tool integration issues Address issues you might encounter when using the SIEM integration feature.