Pull Microsoft 365 Defender incidents and streaming event data using security information and events management (SIEM) tools


Microsoft 365 Defender supports security information and event management (SIEM) tools ingesting information from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for a registered AAD application representing the specific SIEM solution or connector installed in your environment.

There are two primary models to ingest security information:

  1. Ingesting Microsoft 365 Defender incidents and their contained alerts from a REST API in Azure.
  2. Ingesting streaming event data either through Azure Event Hubs or Azure Storage Accounts.

Microsoft 365 Defender currently supports the following SIEM solution integrations:

Ingesting incidents from the incidents REST API

Incident schema

For more information on Microsoft 365 Defender incident properties including contained alert and evidence entities metadata, see Schema mapping.
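The two pieces above (an OAuth 2.0 token for the registered AAD application, then paged reads from the incidents REST API) fit in a short polling script. The following is an added example, not Microsoft's, Splunk's or ArcSight's code: the token and incidents endpoint URLs, the OData query options (`$top`, `$filter` on `lastUpdateTime`, `@odata.nextLink`) and the incident property names are assumptions taken from the public Microsoft 365 Defender API documentation rather than from this page, and the two-page response it walks is constructed so it runs offline.

```python
"""Pull Microsoft 365 Defender incidents over the incidents REST API.

Added example, not Microsoft's, Splunk's or ArcSight's code. Endpoint URLs,
OData options and incident property names are assumptions from the public
API documentation, not from this page; the sample responses are constructed.
"""
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterator, List, Optional

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"  # assumed
INCIDENTS_URL = "https://api.security.microsoft.com/api/incidents"          # assumed
SCOPE = "https://api.security.microsoft.com/.default"                        # assumed


def build_token_request(tenant_id: str, client_id: str, client_secret: str):
    """Client-credentials grant for the registered AAD application.
    Returns (url, form body); the secret travels only in the POST body."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": SCOPE,
    })
    return TOKEN_URL.format(tenant=tenant_id), body


def build_incidents_request(token: str, since_iso: Optional[str] = None, top: int = 100):
    """First-page URL plus headers. `since_iso` becomes an OData filter on
    lastUpdateTime so repeated pulls only fetch incidents changed since the
    previous checkpoint instead of re-reading the whole tenant."""
    params: Dict[str, str] = {"$top": str(top)}
    if since_iso:
        params["$filter"] = f"lastUpdateTime gt {since_iso}"
    url = INCIDENTS_URL + "?" + urllib.parse.urlencode(params)
    return url, {"Authorization": f"Bearer {token}", "Accept": "application/json"}


def iter_incidents(token: str, http_get: Callable[[str, Dict[str, str]], dict],
                   since_iso: Optional[str] = None) -> Iterator[dict]:
    """Walk every page; the API returns '@odata.nextLink' until exhausted."""
    url, headers = build_incidents_request(token, since_iso)
    while url:
        page = http_get(url, headers)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


def flatten_incident(inc: dict) -> dict:
    """Reduce an incident to the fields a SIEM would index, keeping the alert
    ids and detection sources so analysts can pivot to the contained alerts."""
    alerts = inc.get("alerts") or []
    return {
        "incidentId": inc.get("incidentId"),
        "severity": inc.get("severity"),
        "status": inc.get("status"),
        "lastUpdateTime": inc.get("lastUpdateTime"),
        "alertCount": len(alerts),
        "alertIds": [a.get("alertId") for a in alerts],
        "detectionSources": sorted({a["detectionSource"] for a in alerts
                                    if a.get("detectionSource")}),
    }


def checkpoint(incidents: List[dict]) -> Optional[str]:
    """Watermark for the next pull: the newest lastUpdateTime seen."""
    times = [i["lastUpdateTime"] for i in incidents if i.get("lastUpdateTime")]
    return max(times) if times else None


def live_http_get(url: str, headers: Dict[str, str]) -> dict:
    """Real transport, only used when running against an actual tenant."""
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as resp:
        return json.load(resp)


# Constructed two-page response so the pipeline can run offline.
PAGE2 = "https://example.invalid/incidents?page=2"
SAMPLE_PAGES = {
    "first": {
        "value": [
            {"incidentId": 1, "severity": "High", "status": "Active",
             "lastUpdateTime": "2024-01-05T10:00:00Z",
             "alerts": [{"alertId": "da1", "detectionSource": "WindowsDefenderAtp"},
                        {"alertId": "da2", "detectionSource": "MCAS"}]},
            {"incidentId": 2, "severity": "Low", "status": "Resolved",
             "lastUpdateTime": "2024-01-04T09:00:00Z", "alerts": []},
        ],
        "@odata.nextLink": PAGE2,
    },
    PAGE2: {"value": [{"incidentId": 3, "severity": "Medium", "status": "Active",
                       "lastUpdateTime": "2024-01-06T08:30:00Z",
                       "alerts": [{"alertId": "da3", "detectionSource": "AzureATP"}]}]},
}


def fake_http_get(url: str, headers: Dict[str, str]) -> dict:
    """Stand-in transport: insists on the bearer header, then serves the pages."""
    if not headers.get("Authorization", "").startswith("Bearer "):
        raise PermissionError("missing bearer token")
    return SAMPLE_PAGES.get(url, SAMPLE_PAGES["first"])


def pull(http_get=fake_http_get, token="constructed-token", since_iso=None):
    """One SIEM polling cycle: fetch, flatten, and return the new watermark."""
    flat = [flatten_incident(i) for i in iter_incidents(token, http_get, since_iso)]
    return flat, checkpoint(flat)


if __name__ == "__main__":
    rows, mark = pull()
    for r in rows:
        print(json.dumps(r))
    print("next checkpoint:", mark)
```

To run it against a tenant, exchange the output of `build_token_request` for an access token with a POST to the token URL and pass `live_http_get` and that token to `pull`, feeding the returned checkpoint back as `since_iso` on the next cycle; keeping the transport injectable is what lets the paging and flattening logic be tested without credentials.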

Splunk

Use the Microsoft 365 Defender Add-on for Splunk, which supports:

  • Ingesting incidents that contain alerts from the following products, which are mapped onto Splunk’s Common Information Model (CIM):
    • Microsoft 365 Defender
    • Microsoft Defender for Endpoint
    • Microsoft Defender for Identity and Azure Active Directory Identity Protection
    • Microsoft Defender for Cloud Apps
  • Updating incidents in Microsoft 365 Defender from within Splunk
  • Ingesting Defender for Endpoint alerts (from Defender for Endpoint’s Azure endpoint) and updating these alerts

For more information on the Microsoft 365 Defender Add-on for Splunk, see splunkbase.

Micro Focus ArcSight

The new SmartConnector for Microsoft 365 Defender ingests incidents into ArcSight and maps these onto its Common Event Format (CEF).

For more information on the new ArcSight SmartConnector for Microsoft 365 Defender, see ArcSight Product Documentation.

The SmartConnector replaces the previous FlexConnector for Microsoft Defender for Endpoint.

Ingesting streaming event data via Event Hubs

First you need to stream events from your AAD tenant to your Event Hubs or Azure Storage Account. For more information, see Streaming API.

For more information on the event types supported by the Streaming API, see Supported streaming event types.
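Once events are streaming, whatever reads them from the Event Hub has to unpack each message into per-table events before a SIEM can index them. The following is an added example, not Microsoft's, Splunk's or IBM's code: the envelope layout it parses (a `records` list whose items carry `time`, `tenantId`, `category` and a `properties` object holding the Advanced Hunting row) is an assumption taken from the Streaming API documentation, not from this page, and the message itself is constructed, including one malformed record and one from a foreign tenant to show that both are dropped and counted rather than indexed.

```python
"""Split one Streaming API message read from Azure Event Hubs into per-table events.

Added example, not Microsoft's, Splunk's or IBM's code. The envelope layout
("records" list with "time", "tenantId", "category", "properties") is an
assumption from the Streaming API documentation; the message is constructed.
"""
import json
from collections import defaultdict
from typing import Dict, List, Tuple

MY_TENANT = "11111111-1111-1111-1111-111111111111"      # constructed tenant id
OTHER_TENANT = "22222222-2222-2222-2222-222222222222"   # constructed, should never appear

SAMPLE_MESSAGE = json.dumps({"records": [
    {"time": "2024-01-05T10:00:00.000Z", "tenantId": MY_TENANT,
     "category": "AdvancedHunting-DeviceProcessEvents",
     "properties": {"DeviceName": "wks01", "FileName": "notepad.exe",
                    "InitiatingProcessFileName": "explorer.exe"}},
    {"time": "2024-01-05T10:00:01.000Z", "tenantId": MY_TENANT,
     "category": "AdvancedHunting-DeviceNetworkEvents",
     "properties": {"DeviceName": "wks01", "RemoteIP": "203.0.113.10", "RemotePort": 443}},
    {"time": "2024-01-05T10:00:02.000Z", "tenantId": MY_TENANT,
     "category": "AdvancedHunting-DeviceProcessEvents",
     "properties": {"DeviceName": "wks02", "FileName": "calc.exe",
                    "InitiatingProcessFileName": "cmd.exe"}},
    # malformed record: the row payload is missing
    {"time": "2024-01-05T10:00:03.000Z", "tenantId": MY_TENANT,
     "category": "AdvancedHunting-DeviceEvents"},
    # record for another tenant: drop rather than index it
    {"time": "2024-01-05T10:00:04.000Z", "tenantId": OTHER_TENANT,
     "category": "AdvancedHunting-DeviceProcessEvents",
     "properties": {"DeviceName": "foreign", "FileName": "x.exe"}},
]})


def split_message(raw: str, expected_tenant: str) -> Tuple[Dict[str, List[dict]], Dict[str, int]]:
    """Route each record to its Advanced Hunting table.

    Returns (buckets keyed by category, counts of dropped records by reason).
    A message that is not JSON is rejected whole so a poison message cannot
    take down the consumer loop."""
    dropped = {"bad_json": 0, "no_category": 0, "foreign_tenant": 0, "no_properties": 0}
    try:
        body = json.loads(raw)
    except json.JSONDecodeError:
        dropped["bad_json"] = 1
        return {}, dropped
    buckets: Dict[str, List[dict]] = defaultdict(list)
    for rec in body.get("records", []):
        table = rec.get("category")
        props = rec.get("properties")
        if not table:
            dropped["no_category"] += 1
            continue
        if rec.get("tenantId") != expected_tenant:
            dropped["foreign_tenant"] += 1
            continue
        if not isinstance(props, dict):
            dropped["no_properties"] += 1
            continue
        event = dict(props)                      # copy so the envelope is untouched
        event["_table"] = table.replace("AdvancedHunting-", "", 1)
        event["_time"] = rec.get("time")         # time Defender received the event
        buckets[table].append(event)
    return dict(buckets), dropped


def devices_seen(buckets: Dict[str, List[dict]]) -> List[str]:
    """Distinct DeviceName values across all tables, handy for a quick sanity check."""
    return sorted({e["DeviceName"] for evs in buckets.values() for e in evs if "DeviceName" in e})


if __name__ == "__main__":
    tables, drops = split_message(SAMPLE_MESSAGE, MY_TENANT)
    for table, events in tables.items():
        print(f"{table}: {len(events)} event(s)")
    print("dropped:", drops)
    print("devices:", devices_seen(tables))
```

In a real consumer the Event Hub client hands you each message body as bytes; decode it and pass it to `split_message`, then forward each bucket to the index or sourcetype your SIEM maps that table to. The drop counters are worth exporting as metrics, since a rising `no_properties` or `foreign_tenant` count is the earliest sign that the stream or the consumer is misconfigured.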

Splunk

Use the Splunk Add-on for Microsoft Cloud Services to ingest events from Azure Event Hubs.

For more information on the Splunk Add-on for Microsoft Cloud Services, see splunkbase.

IBM QRadar

Use the new IBM QRadar Microsoft 365 Defender Device Support Module (DSM), which calls the Microsoft 365 Defender Streaming API to ingest streaming event data from Microsoft 365 Defender products. For more information on supported event types, see Supported event types.

Source: Official Microsoft Brand
Edited by: BEST Antivirus KBS Team
