diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md b/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md index 2c0afe0601..0d95a0d4e0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md @@ -28,9 +28,9 @@ ms.topic: article ## Pull detections using security information and events management (SIEM) tools >[!Note] ->- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections +>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections. >- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details. ->- +>-The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md). Microsoft Defender ATP supports security information and event management (SIEM) tools to pull detections. Microsoft Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to pull detections from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment. diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md b/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md index f408e29140..382f789aa7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md @@ -27,9 +27,10 @@ ms.topic: article Enable security information and event management (SIEM) integration so you can pull detections from Microsoft Defender Security Center using your SIEM solution or by connecting directly to the detections REST API. ->[!Note] ->- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections +>[!NOTE] +>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections. >- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details. +>- The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md). ## Prerequisites - The user who activates the setting must have permissions to create an app in Azure Active Directory (AAD). This is typically someone with a **Global administrator** role. @@ -75,7 +76,6 @@ You can now proceed with configuring your SIEM solution or connecting to the det You can configure IBM QRadar to collect detections from Microsoft Defender ATP. For more information, see [IBM Knowledge Center](https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/c_dsm_guide_MS_Win_Defender_ATP_overview.html?cp=SS42VS_7.3.1). ## Related topics -- [Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md) - [Configure HP ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md) - [Microsoft Defender ATP Detection fields](api-portal-mapping.md) - [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/siem_details.png b/windows/security/threat-protection/microsoft-defender-atp/images/siem_details.png index 94c724f0c8..ef062f0c8e 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/siem_details.png and b/windows/security/threat-protection/microsoft-defender-atp/images/siem_details.png differ