Use the new Microsoft 365 Defender API for all your alerts - Microsoft Community...

Use the new Microsoft 365 Defender API for all your alerts

The new Microsoft 365 Defender alerts API, currently in public preview, enables customers to work with alerts across all products within Microsoft 365 Defender using a single integration. 

The API provides alerts from Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, Azure Active Directory Identity Protection, and Microsoft Purview Data Loss Prevention and we will continue to expand it in the future. 

We want customers to have the best possible experience across Microsoft Defender products, which is enabled through the new, central API. Therefore we will be deprecating the Microsoft Defender for Endpoint SIEM API over time, but we want to ensure organizations have ample time to plan and prepare their migration to the new Microsoft 365 Defender APIs.  

You can find more information on the timeline here and additional details about the new API in this blog post. 

If you are currently using the SIEM API, we recommend starting to plan for the migration. Below you will find details on the different options that are available and how to get started today. 

1. Pulling MDE alerts into an external system (SIEM/SOAR) 
2. Calling the Microsoft 365 Defender alerts API directly 

Pulling Defender for Endpoint alerts into an external system 

If you are pulling Defender for Endpoint alerts into an external system, there are various supported options to give organizations the flexibility to work with the solution of their choice. 

• Microsoft Sentinel is a scalable, cloud-native, SIEM and SOAR solution. Delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for attack detection, threat visibility, proactive hunting, and threat response. The Microsoft 365 Defender connector allows customers to easily pull in all their incidents and alerts from all Microsoft 365  
•  IBM Security QRadar SIEM provides centralized visibility and intelligent security analytics to identify and prevent threats and vulnerabilities from disrupting business operations. QRadar SIEM team has just announced the release of a new DSM that is integrated with the new Microsoft 365 Defender alerts API to pull in Microsoft Defender for Endpoint alerts. New customers are welcome to take advantage of the new DSM upon release. Learn more about the new DSM and how to easily migrate to it at Microsoft 365 Defender - IBM Documentation 
• Splunk SOAR helps customers orchestrate workflows and automate tasks in seconds to work smarter and respond faster. Spunk SOAR is integrated with the new Microsoft 365 Defender APIs, including the alerts API. For more information, see Microsoft 365 Defender | Splunkbase 

• Defender products. To learn more about the integration, see Microsoft 365 Defender integration with Microsoft Sentinel | Microsoft Learn  

Additional integrations are listed in Technological partners of Microsoft 365 Defender | Microsoft Learn, or reach out to your SIEM / SOAR provider to learn about integrations they may provide.  

Calling the Microsoft 365 Defender alerts API directly 

The below table provides a mapping between the SIEM API to the Microsoft 365 Defender alerts API: 

Thanks for reading!

More information