---
title: Pull detections to your SIEM tools from Microsoft Defender Advanced Threat Protection
description: Learn how to use the REST API and configure supported security information and event management tools to receive and pull detections.
keywords: configure siem, security information and events management tools, splunk, arcsight, custom indicators, rest api, alert definitions, indicators of compromise
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 10/16/2017
---
# Pull detections to your SIEM tools

Applies to:

- Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
## Pull detections using security information and event management (SIEM) tools

> [!NOTE]
> - A Microsoft Defender ATP alert is composed of one or more detections.
> - A Microsoft Defender ATP detection is composed of the suspicious event that occurred on the machine together with the details of its related alert.

Microsoft Defender ATP supports security information and event management (SIEM) tools that pull detections. Detections are exposed through an HTTPS endpoint hosted in Azure. A SIEM connector authenticates to that endpoint with the OAuth 2.0 client credentials flow as an Azure Active Directory (AAD) application registered in your enterprise tenant; each installed SIEM connector is represented by its own AAD application, and the client ID and secret of that application are the credentials the connector uses to pull detections from your tenant. Treat that secret like any other service credential: store it in the SIEM's credential store, not in a plain-text configuration file, and rotate it if it is ever exposed.
Microsoft Defender ATP currently supports the following SIEM tools:
- Splunk
- HP ArcSight
To use either of these supported SIEM tools you'll need to:

- Enable SIEM integration in Microsoft Defender ATP
- Configure the supported SIEM tool (Splunk or HP ArcSight) with the connection details generated when you enable the integration

For more information on the list of fields exposed in the Detection API, see Microsoft Defender ATP Detection fields.
## Pull Microsoft Defender ATP detections using the REST API

Microsoft Defender ATP supports the OAuth 2.0 protocol for pulling detections through the REST API, so a custom client (not only Splunk or ArcSight) can use the same client credentials flow and the same detection endpoint that the supported SIEM connectors use.

For more information, see Pull Microsoft Defender ATP detections using REST API.
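The following is an added example of the flow described in the two sections above (the AAD application that represents the connector, and the client credentials request that pulls detections over the REST API); it is not Microsoft's code and is not taken from the linked REST API topic. The token URL, the `resource` audience, the alert-exporter host and the `AlertTime` field name are assumptions that must be confirmed against that topic and the Detection fields topic for your data region. The sample detections and the fake transport are constructed so the script runs offline; swap in `https_transport` to talk to a real tenant.

```python
"""Pull Microsoft Defender ATP detections with the OAuth 2.0 client credentials flow.

Added example, not Microsoft's own code. Endpoint URLs, the resource audience and the
AlertTime field are assumptions to verify against the linked REST API topic.
"""
import json
import time
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/token"  # assumed
RESOURCE = "https://graph.windows.net"                                 # assumed audience
ALERTS_URL = "https://wdatp-alertexporter-eu.windows.com/api/alerts"   # assumed (EU host)


def https_transport(url, data=None, headers=None):
    """Real transport: POST when a body is given, else GET. Returns (status, body)."""
    req = urllib.request.Request(url, data=data, headers=headers or {})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read().decode()


@dataclass
class DetectionPuller:
    tenant: str
    client_id: str
    client_secret: str          # AAD app secret issued when SIEM integration is enabled
    transport: Callable = https_transport
    _token: Optional[str] = None
    _expires_at: float = 0.0

    def get_token(self, now):
        """Obtain or reuse a bearer token. The secret travels only in the POST body,
        never in a query string, so it stays out of proxy and web-server logs."""
        if self._token and now < self._expires_at - 60:   # refresh 60 s before expiry
            return self._token
        body = urllib.parse.urlencode({
            "grant_type": "client_credentials",
            "client_id": self.client_id,
            "client_secret": self.client_secret,
            "resource": RESOURCE,
        }).encode()
        status, text = self.transport(TOKEN_URL.format(tenant=self.tenant), body,
                                      {"Content-Type": "application/x-www-form-urlencoded"})
        if status != 200:
            raise RuntimeError(f"token request failed: HTTP {status}")
        tok = json.loads(text)
        self._token = tok["access_token"]
        self._expires_at = now + int(tok.get("expires_in", 3600))
        return self._token

    def pull(self, since_utc, now=None):
        """GET detections newer than since_utc (ISO 8601). Returns (detections, checkpoint);
        persist the checkpoint and pass it back next poll so nothing is missed or re-ingested."""
        now = time.time() if now is None else now
        url = ALERTS_URL + "?" + urllib.parse.urlencode({"sinceTimeUtc": since_utc})
        status, text = self.transport(url, None, {"Authorization": "Bearer " + self.get_token(now)})
        if status == 401:
            self._token = None      # rejected server-side: force a fresh token on the next call
            raise RuntimeError("alerts request unauthorized; cached token discarded")
        if status != 200:
            raise RuntimeError(f"alerts request failed: HTTP {status}")
        detections = json.loads(text)
        # Same-format ISO 8601 timestamps compare correctly as strings.
        checkpoint = max((d["AlertTime"] for d in detections), default=since_utc)
        return detections, checkpoint


# Constructed sample detections and a fake transport so the flow runs offline.
SAMPLE_DETECTIONS = [
    {"AlertId": "alert-0001", "AlertTime": "2017-10-16T08:15:00Z", "Severity": "Medium",
     "AlertTitle": "Suspicious PowerShell command line", "ComputerDnsName": "ws01.contoso.local"},
    {"AlertId": "alert-0002", "AlertTime": "2017-10-16T09:40:00Z", "Severity": "High",
     "AlertTitle": "Credential theft tool detected", "ComputerDnsName": "srv02.contoso.local"},
]


class FakeTransport:
    """Plays both the AAD token endpoint and the alert exporter; records every call."""
    def __init__(self):
        self.calls = []

    def __call__(self, url, data=None, headers=None):
        self.calls.append((url, data, headers))
        if url.startswith(TOKEN_URL.split("{")[0]):
            form = urllib.parse.parse_qs(data.decode())
            if form.get("grant_type") != ["client_credentials"] or form.get("client_secret") != ["s3cret"]:
                return 401, '{"error":"invalid_client"}'
            return 200, json.dumps({"access_token": "tok-1", "expires_in": "3599"})
        if url.startswith(ALERTS_URL):
            if headers.get("Authorization") != "Bearer tok-1":
                return 401, ""
            since = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)["sinceTimeUtc"][0]
            return 200, json.dumps([d for d in SAMPLE_DETECTIONS if d["AlertTime"] > since])
        return 404, ""


def demo():
    """Two polls: the first returns both sample detections; the second reuses the cached
    token and returns nothing new because the checkpoint advanced."""
    fake = FakeTransport()
    puller = DetectionPuller("contoso.onmicrosoft.com", "app-client-id", "s3cret", transport=fake)
    first, cp1 = puller.pull("2017-10-16T00:00:00Z", now=1000.0)
    second, cp2 = puller.pull(cp1, now=1500.0)
    token_calls = sum(1 for u, _, _ in fake.calls if "/oauth2/token" in u)
    return first, second, cp1, cp2, token_calls, fake.calls


if __name__ == "__main__":
    first, second, cp1, cp2, token_calls, _ = demo()
    print(len(first), "detections on first poll, checkpoint", cp1)
    print(len(second), "on second poll; token requests made:", token_calls)
```

Two details matter when this is wired into a real SIEM job: the checkpoint must be written to durable storage only after the batch has been ingested (otherwise a crash between the pull and the write loses detections), and a 401 on the alerts endpoint should discard the cached token rather than retry with it, since the AAD application's secret may have been rotated or revoked in the portal.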
## In this section
Topic | Description |
---|---|
Enable SIEM integration in Microsoft Defender ATP | Learn about enabling the SIEM integration feature in the Settings page in the portal so that you can use and generate the required information to configure supported SIEM tools. |
Configure Splunk to pull Microsoft Defender ATP detections | Learn about installing the REST API Modular Input App and other configuration settings to enable Splunk to pull Microsoft Defender ATP detections. |
Configure HP ArcSight to pull Microsoft Defender ATP detections | Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to pull Microsoft Defender ATP detections. |
Microsoft Defender ATP Detection fields | Understand what data fields are exposed as part of the alerts API and how they map to Microsoft Defender Security Center. |
Pull Microsoft Defender ATP detections using REST API | Use the OAuth 2.0 client credentials flow to pull detections from Microsoft Defender ATP using the REST API. |
Troubleshoot SIEM tool integration issues | Address issues you might encounter when using the SIEM integration feature. |