This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(156.8, 57.00000000000001%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAA%3C/text%3E%3C/svg%3E)
Hi All,
In my environment ,we have integrated Microsoft 365 defender (mde) -EDR with ArcSight ,in our case we receive only Alerts and Incidents events only in our ArcSight logs .which is creating more noise and we are not able to create any rule in ArcSight .So wanted to know if we can receive only incidents events from MDE console to ArcSight ?like only incidents events can be integrated with SIEM.
Thanks in Advance
I would think that incidents only would be an option. Can you recount how the ArcSight integration was setup initially? You can stream these alerts and incidents to Sentinel at no additional cost. Once option would be to link M365D to a Sentinel instance (just for this purpose). This could reveal additional options for ArcSight integration with more filtering options. For example, use the workspace data export to send the incidents table to an event hub.
