We previously announced the SIEM REST API would be deprecated on 4/1/2022. We've listened to customer feedback and the API deprecation has been postponed for now, more details expected in Q3, 2022. We look forward to sharing exciting details about the Microsoft 365 Defender APIs in Microsoft Graph in Q3 2022.
If you didn't receive a Message Center post regarding this and you don't have any applications or systems calling the SIEM API, you will not be affected and can stop reading.
Actions we've taken to address this upcoming change:
Among the customers who are still calling the SIEM API, 50% are also calling either the Microsoft 365 Defender Incidents API or the Defender for Endpoint Alerts API, which means they have already integrated with the two recommended APIs to migrate to.
Read on below about migration paths from the Microsoft Defender for Endpoint SIEM API to Microsoft 365 Defender Incidents API, Microsoft Defender for Endpoint's Alerts API, Microsoft 365 Defender's Event Streaming API, or to Microsoft Sentinel.
Each migration path has a table mapping fields from the SIEM API onto the Incidents API, the Alerts API, or the Events Streaming API.
1. Migrating from the SIEM API to the Microsoft 365 Defender Incidents API (figure 1)

Fields no longer supported in current Microsoft 365 Defender Incident alert metadata:

Defender AV fields: RemediationAction (threatCategory maps to mitreTechniques[ ])