Troubleshoot SIEM tool integration issues

Applies to:

Note

Try our new APIs using the MS Graph security API. Find out more at: Use the Microsoft Graph security API - Microsoft Graph beta | Microsoft Learn.

Want to experience Defender for Endpoint? Sign up for a free trial.

Note

The new Microsoft 365 Defender alerts API, released to public preview in MS Graph, is the official and recommended API for customers migrating from the SIEM API. See Migrate from the MDE SIEM API to the Microsoft 365 Defender alerts API.

You might need to troubleshoot issues while pulling detections in your SIEM tools.

This page provides detailed steps to troubleshoot issues you might encounter.

Learn how to get a new client secret

If your client secret expires or if you've misplaced the copy provided when you were enabling the SIEM tool application, you'll need to get a new secret.

  1. Log in to the Azure management portal.

  2. Select Azure Active Directory.

  3. Select your tenant.

  4. Click App registrations. Then in the applications list, select the application.

  5. Select the Certificates & Secrets section, click New Client Secret, then provide a description and specify the validity duration.

  6. Click Save. The key value is displayed.

  7. Copy the value and save it in a safe place.

Error when getting a refresh access token

If you encounter an error when trying to get a refresh token when using the threat intelligence API or SIEM tools, you'll need to add a reply URL for the relevant application in Azure Active Directory.

  1. Log in to the Azure management portal.

  2. Select Azure Active Directory.

  3. Select your tenant.

  4. Click App Registrations. Then in the applications list, select the application.

  5. Add the following URL:

    • For the European Union: https://winatpmanagement-eu.securitycenter.windows.com/UserAuthenticationCallback
    • For the United Kingdom: https://winatpmanagement-uk.securitycenter.windows.com/UserAuthenticationCallback
    • For the United States: https://winatpmanagement-us.securitycenter.windows.com/UserAuthenticationCallback
  6. Click Save.
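
Both conditions covered so far (an expired client secret and a missing reply URL) can be checked from an export of the app registration before the SIEM pull fails. The following is an added example, not Microsoft's code: it assumes the registration is available as JSON in the shape of the Microsoft Graph application object (`passwordCredentials[].endDateTime`, `web.redirectUris`); the function names, the 30-day warning window and the sample data are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Reply URLs listed on this page, keyed by region.
CALLBACKS = {
    "eu": "https://winatpmanagement-eu.securitycenter.windows.com/UserAuthenticationCallback",
    "uk": "https://winatpmanagement-uk.securitycenter.windows.com/UserAuthenticationCallback",
    "us": "https://winatpmanagement-us.securitycenter.windows.com/UserAuthenticationCallback",
}

def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp, tolerating 'Z' and 7-digit fractions."""
    m = re.fullmatch(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?Z?", value)
    if not m:
        raise ValueError(f"unrecognised timestamp: {value!r}")
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    micros = int((m.group(2) or "0")[:6].ljust(6, "0"))  # datetime holds 6 digits
    return base.replace(microsecond=micros, tzinfo=timezone.utc)

def audit_app(app, region, now, warn_days=30):
    """Return findings for one app registration (assumed Graph application shape)."""
    findings = []
    for cred in app.get("passwordCredentials") or []:
        name = cred.get("displayName") or cred.get("keyId", "<unnamed>")
        end = parse_ts(cred["endDateTime"])
        if end <= now:
            findings.append(f"secret '{name}' expired on {end:%Y-%m-%d}")
        elif end - now <= timedelta(days=warn_days):
            findings.append(f"secret '{name}' expires in {(end - now).days} days")
    # "web" can be absent or null when no web platform is configured.
    uris = set((app.get("web") or {}).get("redirectUris") or [])
    if CALLBACKS[region] not in uris:
        findings.append(f"reply URL for region '{region}' is missing")
    return findings

# Constructed sample, not real tenant data.
SAMPLE_APP = {
    "passwordCredentials": [
        {"displayName": "old", "endDateTime": "2024-01-15T00:00:00Z"},
        {"displayName": "current", "endDateTime": "2024-06-20T08:30:00.1234567Z"},
    ],
    "web": {"redirectUris": [CALLBACKS["us"]]},
}

if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    for finding in audit_app(SAMPLE_APP, "eu", now):
        print(finding)
```
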

Error while enabling the SIEM connector application

If you encounter an error when trying to enable the SIEM connector application, check the pop-up blocker settings of your browser. It might be blocking the new window being opened when you enable the capability.
