Integrate your SIEM tools with Microsoft Defender XDR

Applies to:

Pull Microsoft Defender XDR incidents and streaming event data using security information and events management (SIEM) tools

Note

Microsoft Defender XDR supports security information and event management (SIEM) tools ingesting information from your enterprise tenant in Microsoft Entra ID using the OAuth 2.0 authentication protocol for a registered Microsoft Entra application representing the specific SIEM solution or connector installed in your environment.

For more information, see:

There are two primary models to ingest security information:

  1. Ingesting Microsoft Defender XDR incidents and their contained alerts from a REST API in Azure.

  2. Ingesting streaming event data either through Azure Event Hubs or Azure Storage Accounts.

Microsoft Defender XDR currently supports the following SIEM solution integrations:

Ingesting incidents from the incidents REST API

Incident schema

For more information on Microsoft Defender XDR incident properties including contained alert and evidence entities metadata, see Schema mapping.

Splunk

Using the new, fully supported Splunk Add-on for Microsoft Security that supports:

  • Ingesting incidents that contain alerts from the following products, which are mapped onto Splunk's Common Information Model (CIM):

    • Microsoft Defender XDR
    • Microsoft Defender for Endpoint
    • Microsoft Defender for Identity and Microsoft Entra ID Protection
    • Microsoft Defender for Cloud Apps
  • Ingesting Defender for Endpoint alerts (from the Defender for Endpoint's Azure endpoint) and updating these alerts

  • Support for updating Microsoft Defender XDR Incidents and/or Microsoft Defender for Endpoint Alerts and the respective dashboards has moved to the Microsoft 365 App for Splunk.

For more information on:

Micro Focus ArcSight

The new SmartConnector for Microsoft Defender XDR ingests incidents into ArcSight and maps these onto its Common Event Framework (CEF).

For more information on the new ArcSight SmartConnector for Microsoft Defender XDR, see ArcSight Product Documentation.

The SmartConnector replaces the previous FlexConnector for Microsoft Defender for Endpoint that's now retired.

Elastic

Elastic Security combines SIEM threat detection features with endpoint prevention and response capabilities in one solution. The Elastic integration for Microsoft Defender XDR and Defender for Endpoint enables organizations to leverage incidents and alerts from Defender within Elastic Security to perform investigations and incident response. Elastic correlates this data with other data sources, including cloud, network, and endpoint sources using robust detection rules to find threats quickly. For more information on the Elastic connector, see: Microsoft M365 Defender | Elastic docs

Ingesting streaming event data via Event Hubs

First you need to stream events from your Microsoft Entra tenant to your Event Hubs or Azure Storage Account. For more information, see Streaming API.

For more information on the event types supported by the Streaming API, see Supported streaming event types.

Splunk

Use the Splunk Add-on for Microsoft Cloud Services to ingest events from Azure Event Hubs.

For more information on the Splunk Add-on for Microsoft Cloud Services, see the Microsoft Cloud Services Add-on on Splunkbase.

IBM QRadar

Use the new IBM QRadar Microsoft Defender XDR Device Support Module (DSM) that calls the Microsoft Defender XDR Streaming API that allows ingesting streaming event data from Microsoft Defender XDR products via Event Hubs or Azure Storage Account. For more information on supported event types, see Supported event types.

Elastic

For more information on the Elastic streaming API integration, see Microsoft M365 Defender | Elastic docs.

Use the Microsoft Graph security API - Microsoft Graph | Microsoft Learn

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.