We previously announced the SIEM REST API would be deprecated on 4/1/2022.
We've listened to customer feedback and the API deprecation has been postponed for now, more details expected in Q3, 2022.
We look forward to sharing exciting details about the Microsoft 365 Defender APIs in Microsoft Graph in Q3 2022.
If you didn't receive a Message Center post regarding this and you don't have any applications or systems calling the SIEM API - you will not be affected and can stop reading.
Actions we've taken to address this upcoming change:
- Updated online documentation of SIEM Tool Integration to reflect this change in December 2021 and ceased enabling new customer onboarding to the SIEM API.
- Splunk's Microsoft 365 Defender Add-on for Splunk v1.3.0 and Microfocus ArcSight's SmartConnector for Microsoft 365 Defender already call Microsoft 365 Defender's Incidents API (Splunk's Add-on also supports the Microsoft Defender for Endpoint Alerts API). Previous connectors that called the SIEM API are no longer supported and customers should upgrade to the latest version.
Among the customers who are still calling the SIEM API, 50% are also calling either the Microsoft 365 Defender Incidents API, or the Defender for Endpoint Alerts API - which means they have already integrated with the two recommended APIs to migrate to.
Read on below about migration paths from the Microsoft Defender for Endpoint SIEM API to Microsoft 365 Defender Incidents API, Microsoft Defender for Endpoint's Alerts API, Microsoft 365 Defender's Event Streaming API, or to Microsoft Sentinel.
Each migration path has a table mapping fields from the SIEM API onto the Incidents API, the Alerts API, or the Events Streaming API.
1. Migrating from the SIEM API to the Microsoft 365 Defender Incidents API (figure 1)
Fields no longer supported in current Microsoft 365 Defender Incident alert metadata:
- Defender AV fields: RemediationAction (threatCategory maps to mitreTechniques[ ])
- Tags: DeviceCreatedMachineTags, CloudCreatedMachineTags map onto devices/tags[ ]
- TI fields: IocName, IocValue, IoaDefinitionId, IocUniqueId (were mostly unused)
- Device IPs: InternalIPv4List, InternalIPv6List
- Links to Alert in Portal and to Incident in Portal (can be created with URL template)
Figure 1. Mapping SIEM API fields on to Microsoft 365 Defender Incident API fields
2. Migrating from the SIEM API to Defender for Endpoint Alert API (figure 2)
Fields no longer supported in Microsoft Defender for Endpoint Alert:
- Defender AV fields: ThreatCategory, RemediationAction, RemediationIsSuccess
- Machine Tags: DeviceCreatedMachineTags, CloudCreatedMachineTags
- TI fields: Actor, IocName, IocValue, IoaDefinitionId, IocUniqueId
- Device IPs: InternalIPv4List, InternalIPv6List
- Links to Alert in Portal and to Incident in Portal (can be created with URL template)
Figure 2. Mapping SIEM API fields on to Defender for Endpoint Alerts API fields
- Mapping fields in the other direction: from Microsoft Defender for Endpoint Alerts API to the SIEM API - shows added value:
Figure 3. Mapping Defender for Endpoint Alerts API fields on to SIEM API fields
- As you can see, there's a lot more data in the Microsoft Defender for Endpoint Alerts API than was available in the SIEM API.
3. Migrating from the SIEM API to Microsoft 365 Defender Event Streaming API (see Appendix D).
Fields that do not appear in the Event Streaming API AlertInfo and AlertEvidence tables
- Defender AV fields: ThreatCategory, RemediationAction, RemediationIsSuccess
- Machine Tags: DeviceCreatedMachineTags, CloudCreatedMachineTags
- TI fields: Actor, IocName, IocValue, IoaDefinitionId, IocUniqueId
- Device IPs: InternalIPv4List, InternalIPv6List
- Links to Alert in Portal and to Incident in Portal (can be created with URL template)
Figure 4. Mapping SIEM API fields on to Microsoft 365 Defender Streaming API Alert fields
4. Migrating when using SIEMs – upgrade from obsolete connectors to the new connectors
- Splunk: Update the legacy Splunk SIEM API Add-on that calls the Microsoft Defender for Endpoint SIEM API either to the Splunk Add-on for Microsoft Security or the Microsoft 365 Defender Add-on for Splunk v1.3.0 that calls the Microsoft 365 Defender Incidents API and also supports calling the Microsoft Defender for Endpoint Alerts API.
Note: Splunk and QRadar also support ingesting the Microsoft 365 Defender Streaming API (see figure 4) - MicroFocus ArcSight: Update thelegacy MicroFocus ArcSight FlexConnectorthat calls the Microsoft Defender for Endpoint SIEM API (no longer available/supported by ArcSight) to the new ArcSight SmartConnector for Microsoft 365 Defender that calls the Microsoft 365 Defender Incidents API.
Thank you,
Microsoft 365 Defender Team
