MDE 365 Integration with SIEM (ArcSight)

Akshyalakshmi Anandan Murali 20 Reputation points
2023-06-12T13:42:50.4533333+00:00

Hi All,

In my environment, we have integrated Microsoft 365 Defender (MDE) EDR with ArcSight. In our case we receive only Alerts and Incidents events in our ArcSight logs, which is creating more noise, and we are not able to create any rule in ArcSight. So I wanted to know if we can receive only incident events from the MDE console to ArcSight, i.e. can only incident events be integrated with the SIEM?

Thanks in Advance


Accepted answer
Andrew Blumhardt 10,051 Reputation points Microsoft Employee
2023-06-12T20:49:49.7833333+00:00

I would think that incidents only would be an option. Can you recount how the ArcSight integration was set up initially? You can stream these alerts and incidents to Sentinel at no additional cost. One option would be to link M365D to a Sentinel instance (just for this purpose). This could reveal additional options for ArcSight integration with more filtering options. For example, use the workspace data export to send the incidents table to an event hub.

    1 person found this answer helpful.
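The answer above suggests exporting only the incidents table from a Sentinel workspace to an event hub. Whatever consumes that event hub on the ArcSight side still has to pick out incident records and turn them into something ArcSight ingests, typically CEF. The following is an added example, not code from the thread or from Microsoft: it takes one export message, keeps only rows from the Sentinel incidents table, and renders each as a CEF line. It assumes (marked in the comments) that an export message is a JSON object with a "records" array in which each record names its source table in a "Type" field; the column names used (IncidentNumber, Title, Severity, Status, IncidentUrl) are those of the SecurityIncident table, and the sample payload is constructed for the demonstration. The CEF severity mapping is a choice made here, not a Microsoft or ArcSight requirement.

```python
"""Keep only incident rows from a Log Analytics data-export message and emit CEF.

Added example for this thread; assumptions are marked inline.
"""
import json
from typing import Dict, List

# Assumption: a data-export Event Hub message is a JSON object with a "records"
# array, and each record carries its source table name in "Type".
INCIDENT_TABLE = "SecurityIncident"

# Constructed sample message: two alert rows and two incident rows, with
# characters in the titles that CEF requires to be escaped.
SAMPLE_MESSAGE = json.dumps({
    "records": [
        {"Type": "SecurityAlert", "AlertName": "Suspicious PowerShell", "AlertSeverity": "Medium"},
        {"Type": "SecurityIncident", "IncidentNumber": 42,
         "Title": "Multi-stage incident on host01|lab", "Severity": "High",
         "Status": "New", "IncidentUrl": "https://portal.example/incident/42"},
        {"Type": "SecurityAlert", "AlertName": "Malware detected", "AlertSeverity": "High"},
        {"Type": "SecurityIncident", "IncidentNumber": 43,
         "Title": "Credential access=attempt", "Severity": "Low",
         "Status": "Active", "IncidentUrl": "https://portal.example/incident/43"},
    ]
})

# Sentinel incident severity -> CEF 0-10 severity. Chosen for this example.
SEVERITY_TO_CEF = {"Informational": 1, "Low": 3, "Medium": 5, "High": 8}


def _cef_header(value: str) -> str:
    """CEF header fields escape backslash and the pipe delimiter."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def _cef_ext(value: str) -> str:
    """CEF extension values escape backslash, equals sign and newlines."""
    return value.replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")


def incidents_only(message: str) -> List[Dict]:
    """Parse one export message and return only the incident-table records."""
    records = json.loads(message).get("records", [])
    return [r for r in records if r.get("Type") == INCIDENT_TABLE]


def incident_to_cef(rec: Dict) -> str:
    """Render one SecurityIncident row as a single CEF line."""
    sev = SEVERITY_TO_CEF.get(rec.get("Severity", ""), 0)
    incident_id = str(rec["IncidentNumber"])
    title = rec.get("Title", "")
    extension = " ".join([
        f"externalId={_cef_ext(incident_id)}",
        f"msg={_cef_ext(title)}",
        f"cs1Label=Status cs1={_cef_ext(rec.get('Status', ''))}",
        f"request={_cef_ext(rec.get('IncidentUrl', ''))}",
    ])
    # Header: CEF:Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity|Extension
    return (f"CEF:0|Microsoft|Sentinel|1.0|{_cef_header(incident_id)}|"
            f"{_cef_header(title)}|{sev}|{extension}")


def message_to_cef_lines(message: str) -> List[str]:
    """Drop alert rows and convert the remaining incident rows to CEF."""
    return [incident_to_cef(r) for r in incidents_only(message)]


if __name__ == "__main__":
    for line in message_to_cef_lines(SAMPLE_MESSAGE):
        print(line)
```

Run as a script it prints two CEF lines for the sample message and silently drops the two alert rows; the pipe in the first title comes out as `\|` in the header and the equals sign in the second comes out as `\=` in the `msg` extension, which is what keeps the ArcSight parser from splitting the fields in the wrong place.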
