Deprecating the legacy SIEM API - Postponed
Published Feb 09 2022 08:01 AM 30.8K Views
Microsoft

We previously announced the SIEM REST API would be deprecated on 4/1/2022.
We've listened to customer feedback and the API deprecation has been postponed for now, more details expected in Q3, 2022.
We look forward to sharing exciting details about the ​Microsoft 365 Defender APIs in Microsoft Graph in Q3 2022.

 

If you didn't receive a Message Center post regarding this and you don't have any applications or systems calling the SIEM API - you will not be affected and can stop reading. 

 

Actions we've taken to address this upcoming change:

 

Among the customers who are still calling the SIEM API, 50% are also calling either the Microsoft 365 Defender Incidents API, or the Defender for Endpoint Alerts API - which means they have already integrated with the two recommended APIs to migrate to.

 

Read on below about migration paths from the Microsoft Defender for Endpoint SIEM API to Microsoft 365 Defender Incidents API, Microsoft Defender for Endpoint's Alerts API, Microsoft 365 Defender's Event Streaming API, or to Microsoft Sentinel.

Each migration path has a table mapping fields from the SIEM API onto the Incidents API, the Alerts API, or the Events Streaming API.

1. Migrating from the SIEM API to the Microsoft 365 Defender Incidents API (figure 1)
    Fields no longer supported in current Microsoft 365 Defender Incident alert metadata:

  • Defender AV fields: RemediationAction (threatCategory maps to mitreTechniques[ ])
  • Tags: DeviceCreatedMachineTags, CloudCreatedMachineTags map onto devices/tags[ ]
  • TI fields: IocName, IocValue, IoaDefinitionId, IocUniqueId (were mostly unused)
  • Device IPs: InternalIPv4List, InternalIPv6List
  • Links to Alert in Portal and to Incident in Portal (can be created with URL template)

MichaelShalev_0-1646395712192.png

Figure 1. Mapping SIEM API fields on to Microsoft 365 Defender Incident API fields

 

2. Migrating from the SIEM API to Defender for Endpoint Alert API (figure 2)
     Fields no longer supported in Microsoft Defender for Endpoint Alert:

  • Defender AV fields: ThreatCategory, RemediationAction, RemediationIsSuccess
  • Machine Tags: DeviceCreatedMachineTags, CloudCreatedMachineTags
  • TI fields: Actor, IocName, IocValue, IoaDefinitionId, IocUniqueId
  • Device IPs: InternalIPv4List, InternalIPv6List
  • Links to Alert in Portal and to Incident in Portal (can be created with URL template)

MichaelShalev_4-1646396076476.png

Figure 2. Mapping SIEM API fields on to Defender for Endpoint Alerts API fields

  • Mapping fields in the other direction: from Microsoft Defender for Endpoint Alerts API to the SIEM API - shows added value:

MichaelShalev_5-1646396397114.png

Figure 3. Mapping Defender for Endpoint Alerts API fields on to SIEM API fields

  • As you can see, there's a lot more data in the Microsoft Defender for Endpoint Alerts API than was available in the SIEM API.

3. Migrating from the SIEM API to Microsoft 365 Defender Event Streaming API (see Appendix D).
    Fields that do not appear in the Event Streaming API AlertInfo and AlertEvidence tables

  • Defender AV fields: ThreatCategory, RemediationAction, RemediationIsSuccess
  • Machine Tags: DeviceCreatedMachineTags, CloudCreatedMachineTags
  • TI fields: Actor, IocName, IocValue, IoaDefinitionId, IocUniqueId
  • Device IPs: InternalIPv4List, InternalIPv6List
  • Links to Alert in Portal and to Incident in Portal (can be created with URL template)

MichaelShalev_3-1644352144144.png

Figure 4. Mapping SIEM API fields on to Microsoft 365 Defender Streaming API Alert fields 

 

4. Migrating when using SIEMs – upgrade from obsolete connectors to the new connectors


Thank you,

Microsoft 365 Defender Team

9 Comments
Version history
Last update:
‎Mar 29 2022 12:40 PM
Updated by: