Microsoft Defender for Endpoint Blog

Deprecating the legacy SIEM API - Postponed

Michael Shalev
Feb 09, 2022

We previously announced that the SIEM REST API would be deprecated on April 1, 2022.
After listening to customer feedback, we have postponed the API deprecation for now; more details are expected in Q3 2022.
We look forward to sharing details about the Microsoft 365 Defender APIs in Microsoft Graph in Q3 2022.

If you didn't receive a Message Center post regarding this and you don't have any applications or systems calling the SIEM API, you are not affected and can stop reading.

Actions we've taken to address this upcoming change:

Among the customers who are still calling the SIEM API, 50% are also calling either the Microsoft 365 Defender Incidents API or the Defender for Endpoint Alerts API, which means they have already integrated with one of the two recommended APIs to migrate to.

Read on below about migration paths from the Microsoft Defender for Endpoint SIEM API to Microsoft 365 Defender Incidents API, Microsoft Defender for Endpoint's Alerts API, Microsoft 365 Defender's Event Streaming API, or to Microsoft Sentinel.

Each migration path has a table mapping fields from the SIEM API onto the Incidents API, the Alerts API, or the Event Streaming API.

1. Migrating from the SIEM API to the Microsoft 365 Defender Incidents API (figure 1)
    Fields no longer supported in current Microsoft 365 Defender Incident alert metadata:

  • Defender AV fields: RemediationAction (threatCategory maps to mitreTechniques[ ])
  • Tags: DeviceCreatedMachineTags, CloudCreatedMachineTags map onto devices/tags[ ]
  • TI fields: IocName, IocValue, IoaDefinitionId, IocUniqueId (were mostly unused)
  • Device IPs: InternalIPv4List, InternalIPv6List
  • Links to Alert in Portal and to Incident in Portal (can be created with URL template)

Figure 1. Mapping SIEM API fields onto Microsoft 365 Defender Incidents API fields

2. Migrating from the SIEM API to the Defender for Endpoint Alerts API (figure 2)
     Fields no longer supported in the Microsoft Defender for Endpoint Alert:

  • Defender AV fields: ThreatCategory, RemediationAction, RemediationIsSuccess
  • Machine Tags: DeviceCreatedMachineTags, CloudCreatedMachineTags
  • TI fields: Actor, IocName, IocValue, IoaDefinitionId, IocUniqueId
  • Device IPs: InternalIPv4List, InternalIPv6List
  • Links to Alert in Portal and to Incident in Portal (can be created with URL template)

Figure 2. Mapping SIEM API fields onto Defender for Endpoint Alerts API fields

  • Mapping fields in the other direction, from the Microsoft Defender for Endpoint Alerts API to the SIEM API, shows the added value:

Figure 3. Mapping Defender for Endpoint Alerts API fields onto SIEM API fields

  • As you can see, there's a lot more data in the Microsoft Defender for Endpoint Alerts API than was available in the SIEM API.

3. Migrating from the SIEM API to the Microsoft 365 Defender Event Streaming API (see Appendix D)
    Fields that do not appear in the Event Streaming API AlertInfo and AlertEvidence tables:

  • Defender AV fields: ThreatCategory, RemediationAction, RemediationIsSuccess
  • Machine Tags: DeviceCreatedMachineTags, CloudCreatedMachineTags
  • TI fields: Actor, IocName, IocValue, IoaDefinitionId, IocUniqueId
  • Device IPs: InternalIPv4List, InternalIPv6List
  • Links to Alert in Portal and to Incident in Portal (can be created with URL template)

Figure 4. Mapping SIEM API fields onto Microsoft 365 Defender Event Streaming API alert fields

4. Migrating when using SIEMs – upgrade from obsolete connectors to the new connectors
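The following Python script is an added example written for this post (it is not Microsoft's connector code) showing what the move from the SIEM API to the Defender for Endpoint Alerts API looks like for a polling SIEM connector: app-only authentication with a new app registration holding Alert.Read.All, a $filter on alertCreationTime in place of the SIEM API's since-time parameter, de-duplication across overlapping polls, and the portal links rebuilt from a URL template because the Alerts API does not carry them. The token and alerts endpoints and the alertCreationTime filter are the documented Alerts API surface; the portal URL templates, the $top/$skip paging, the flat output record layout and the two sample alerts are this example's own assumptions and should be checked against your tenant.

```python
"""Poll the Defender for Endpoint Alerts API in place of the legacy SIEM API.
Added example for this post, not Microsoft's connector code. Endpoint URLs and the
alertCreationTime filter are the documented Alerts API surface; the portal URL
templates, $top/$skip paging and the output record layout are assumptions."""
import json
import urllib.parse
import urllib.request

# App-only (client credentials) endpoints for an app registration with Alert.Read.All.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
SCOPE = "https://api.securitycenter.microsoft.com/.default"
ALERTS_URL = "https://api.securitycenter.microsoft.com/api/alerts"

# ASSUMPTION: portal deep-link templates. The post only says the links "can be
# created with URL template"; confirm these against your tenant's portal.
ALERT_LINK = "https://security.microsoft.com/alerts/{alert_id}"
INCIDENT_LINK = "https://security.microsoft.com/incidents/{incident_id}"

# SIEM API fields the post lists as gone; kept as None so downstream parsers keep their columns.
DROPPED_SIEM_FIELDS = (
    "ThreatCategory", "RemediationAction", "RemediationIsSuccess",
    "DeviceCreatedMachineTags", "CloudCreatedMachineTags", "Actor", "IocName",
    "IocValue", "IoaDefinitionId", "IocUniqueId", "InternalIPv4List", "InternalIPv6List",
)

def get_token(tenant: str, client_id: str, client_secret: str) -> str:
    """Client-credentials token; the app must hold the Alert.Read.All application permission."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials", "client_id": client_id,
        "client_secret": client_secret, "scope": SCOPE,
    }).encode()
    req = urllib.request.Request(TOKEN_URL.format(tenant=tenant), data=body)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]

def alerts_filter(since_utc: str) -> str:
    """OData filter replacing the SIEM API since-time parameter (since_utc like 2022-02-09T10:00:00Z)."""
    if "T" not in since_utc or not since_utc.endswith("Z"):
        raise ValueError("since_utc must be an ISO-8601 UTC timestamp ending in Z")
    return f"alertCreationTime ge {since_utc}"

def fetch_alerts(token: str, since_utc: str, page_size: int = 1000) -> list:
    """Page through alerts created at or after since_utc, oldest first (paging by $top/$skip is assumed)."""
    alerts, skip = [], 0
    while True:
        query = urllib.parse.urlencode({
            "$filter": alerts_filter(since_utc), "$orderby": "alertCreationTime asc",
            "$top": page_size, "$skip": skip,
        })
        req = urllib.request.Request(f"{ALERTS_URL}?{query}",
                                     headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=60) as resp:
            page = json.load(resp).get("value", [])
        alerts.extend(page)
        if len(page) < page_size:
            return alerts
        skip += page_size

def to_siem_record(alert: dict) -> dict:
    """Flatten one Alerts API alert into a SIEM-style record (output key names are this example's own)."""
    incident_id = alert.get("incidentId")
    record = {
        "AlertId": alert["id"],
        "IncidentId": incident_id,
        "AlertTitle": alert["title"],
        "Severity": alert["severity"],
        "Category": alert["category"],
        "AlertCreationTime": alert["alertCreationTime"],
        "ComputerDnsName": alert.get("computerDnsName"),
        "MitreTechniques": list(alert.get("mitreTechniques") or []),
        "LinkToAlertInPortal": ALERT_LINK.format(alert_id=alert["id"]),
        # An alert not yet attached to an incident has no incident link to build.
        "LinkToIncidentInPortal": (INCIDENT_LINK.format(incident_id=incident_id)
                                   if incident_id is not None else None),
    }
    record.update({name: None for name in DROPPED_SIEM_FIELDS})
    return record

def new_alerts(alerts: list, seen_ids: set) -> list:
    """Drop alerts already forwarded; overlapping polls re-read the checkpoint boundary second."""
    fresh = [a for a in alerts if a["id"] not in seen_ids]
    seen_ids.update(a["id"] for a in fresh)
    return fresh

def next_checkpoint(alerts: list, previous: str) -> str:
    """Newest alertCreationTime seen, truncated to whole seconds so it feeds alerts_filter() again."""
    stamps = [previous] + [a["alertCreationTime"] for a in alerts]
    return max(s.split(".")[0].rstrip("Z") for s in stamps) + "Z"

# Constructed sample alerts in the shape of Alerts API output (not real tenant data).
SAMPLE_ALERTS = [
    {"id": "da637800000000000000_1234567890", "incidentId": 98765,
     "title": "Suspicious PowerShell command line", "severity": "Medium",
     "category": "Execution", "alertCreationTime": "2022-02-09T10:15:30.1234567Z",
     "computerDnsName": "ws-0042.contoso.local", "mitreTechniques": ["T1059.001"]},
    {"id": "da637800000000000001_1234567891", "incidentId": None,
     "title": "Anomalous logon", "severity": "Low", "category": "InitialAccess",
     "alertCreationTime": "2022-02-09T10:20:00.0000000Z",
     "computerDnsName": "ws-0042.contoso.local", "mitreTechniques": []},
]

if __name__ == "__main__":
    for alert in new_alerts(SAMPLE_ALERTS, set()):
        print(json.dumps(to_siem_record(alert), indent=2))
    print("next checkpoint:", next_checkpoint(SAMPLE_ALERTS, "2022-02-09T10:00:00Z"))
```

Run it stand-alone to see the two constructed sample alerts flattened; against a real tenant, feed the output of get_token() to fetch_alerts() and persist both the checkpoint and the seen-ID set between polls, since the whole-second checkpoint deliberately re-reads the boundary second and relies on new_alerts() to suppress the repeats.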


Thank you,

Microsoft 365 Defender Team

Updated Mar 29, 2022
Version 5.0
  • philipbrinkSA
    Copper Contributor

    Hi, I need to integrate a SIEM connector using an LTA to the client. The service has been deprecated; how do I obtain the typical URLs etc., the authorization server URL and resource?


  • ceemon
    Copper Contributor

    Has anyone who used the old SIEM API and the new Streaming API run into impacts because of how suppression alerts are handled when migrating? I loved the old SIEM API because we always received alerts (AlertInfo) for which we could then fully consume artifacts at api.security.microsoft.com with our SOAR. The Streaming API also includes alert suppressions, which are not consumable the same way. For those looking to reduce the number of API calls and noise in SIEMs, this creates major headaches when trying to tune! Am I alone, or have these changes impacted people's desire to leverage suppression alerts in MDE because of the impact on SOARs and home-grown automation that highly depend on MS alert suppressions being excluded from the streams?


  • Shawn225
    Copper Contributor

    Thank you for the great content.

    Is there any way to calculate how much raw data a tenant has?

    After this deprecation announcement, we are considering streaming our Defender logs to Azure Event Hubs.

    We would like to see how much it will cost to export the Defender raw data to Azure Event Hubs.

    If there's any KQL that we could make use of, it would be very helpful.

    Thank you


  • tennisr7
    Copper Contributor

    Hey Jake_Mowrer, appreciate the follow-up.

    Assuming the Azure AD Graph API is not utilised at all by my API client, and I'm only interested in fetching the alerts from ATP: if I add the Alerts.Read.All permission for Windows Defender ATP to the existing app registration, would that suffice? My concern is that Microsoft cleans up the app registration by deleting it when the legacy APIs are deprecated; if this is not the case, then I don't think building a new app is necessary. Am I right in saying that?

    Thanks again!


  • tennisr7, since that Azure AD app WindowsDefenderATPSiemConnector references the Azure AD Graph API as well, which is also being deprecated, it's best to create a new app and add any additional permissions there.
    Create an app to access Microsoft Defender for Endpoint without a user | Microsoft Docs
    AAD Graph API deprecation FAQ: Azure AD Graph to Microsoft Graph migration FAQ - Microsoft Graph | Microsoft Docs

    ** Please note the Azure AD Graph API is different from the Microsoft Graph (AKA Intelligent Security Graph (ISG)). The Microsoft Graph is NOT being deprecated.**

  • tennisr7
    Copper Contributor

    When the legacy API is deprecated on April 1st, what will happen to the app registration WindowsDefenderATPSiemConnector? Will that be automatically deprovisioned in my Azure AD tenant, or will I be able to leverage it with the Alerts API by editing the API permissions and scopes?

  • Trevor_Rusher
    Community Manager

    Great article Michael, the migration path info is going to be incredibly helpful!