Commit 9ce1d7b

Merge pull request #3871 from MicrosoftDocs/main
[AutoPublish] main to live - 05/22 10:31 PDT | 05/22 23:01 IST
2 parents 8c986ba + 24a0d91 commit 9ce1d7b

10 files changed

+91
-17
lines changed
Lines changed: 49 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,49 @@
1+
---
2+
title: Migrate to Supported API Solutions
3+
description: This article describes how to transition from the legacy Defender for Cloud Apps SIEM agent to supported APIs.
4+
ms.date: 05/19/2025
5+
ms.topic: article
6+
---
7+
8+
# Migrate from Defender for Cloud Apps SIEM agent to supported APIs
9+
10+
Transitioning from the legacy [Defender for Cloud Apps SIEM agent ](siem.md) to supported APIs enables continued access to enriched activities and alerts data. While the APIs might not have exact one-to-one mappings to the legacy Common Event Format (CEF) schema, they provide comprehensive, enhanced data through integration across multiple Microsoft Defender workloads.
11+
12+
## Recommended APIs for migration
13+
14+
> To ensure continuity and access to data currently available through Microsoft Defender for Cloud Apps SIEM agents, we recommend transitioning to the following supported APIs:
15+
>
16+
> - For alerts and activities, see: [Microsoft Defender XDR Streaming API](/defender-xdr/streaming-api).
17+
> - For Microsoft Entra ID Protection logon events, see [IdentityLogonEvents](/defender-xdr/advanced-hunting-identitylogonevents-table) table in the advanced hunting schema.
18+
> - For Microsoft Graph Security Alerts API, see: [List alerts_v2](/graph/api/security-list-alerts_v2?view=graph-rest-1.0&tabs=http&preserve-view=true)
19+
> - To view Microsoft Defender for Cloud Apps alerts data in the Microsoft Defender XDR incidents API, see [Microsoft Defender XDR incidents APIs and the incidents resource type](/graph/api/security-list-alerts_v2?view=graph-rest-1.0&tabs=http&preserve-view=true)
20+
21+
## Field Mapping from Legacy SIEM to Supported APIs
22+
23+
The table below compares the legacy SIEM agent’s CEF fields to the nearest equivalent fields in the Defender XDR Streaming API (advanced hunting event schema) and the Microsoft Graph Security Alerts API.
24+
25+
26+
| CEF Field (MDA SIEM) | Description | Defender XDR Streaming API (CloudAppEvents/AlertEvidence/AlertInfo) | Graph Security Alerts API (v2) |
27+
|---------------------------------------|-------------------------------------------------------------|--------------------------------------------------------------------------------------------------|----------------------------------------------------------------|
28+
| `start` | Activity or alert timestamp | `Timestamp` | `firstActivityDateTime` |
29+
| `end` | Activity or alert timestamp | None | `lastActivityDateTime` |
30+
| `rt` | Activity or alert timestamp | `createdDateTime` | `createdDateTime` / `lastUpdateDateTime` / `resolvedDateTime` |
31+
| `msg` | Alert or activity description as shown in the portal in a human readable format | The closest structured fields that contribute to a similar description: `actorDisplayName`, `ObjectName`, `ActionType`, `ActivityType` | `description` |
32+
| `suser` | Activity or alert subject user | `AccountObjectId`, `AccountId`, `AccountDisplayName` | See `userEvidence` resource type |
33+
| `destinationServiceName` | Activity or alert from the originating app (for example, SharePoint, Box) | `CloudAppEvents > Application` | See `cloudApplicationEvidence` resource type |
34+
| `cs<X>Label`, `cs<X>` | Alert or activity dynamic fields (for example, target user, object) | `Entities`, `Evidence`, `additionalData`, `ActivityObjects` | Various `alertEvidence` resource types |
35+
| `EVENT_CATEGORY_*` | High-level activity category | `ActivityType` / `ActionType` | `category` |
36+
| `<name>` | Matched policy name | `Title`, `alertPolicyId` | `Title`, `alertPolicyId` |
37+
| `<ACTION>` (Activities) | Specific activity type | `ActionType` | N/A |
38+
| `externalId` (Activities) | Event ID | `ReportId` | N/A |
39+
| `requestClientApplication` (activities)| User agent of the client device in activities | `UserAgent` | N/A |
40+
| `Dvc` (activities) | Client device IP | `IPAddress` | N/A |
41+
| `externalId` (Alert) | Alert ID | `AlertId` | `id` |
42+
| `<alert type>` | Alert type (for example, ALERT_CABINET_EVENT_MATCH_AUDI) | - | - |
43+
| `Src` / `c6a1` (alerts) | Source IP | `IPAddress` | `ipEvidence` resource type |
44+
45+
46+
## Related content
47+
48+
- [Generic SIEM integration](siem.md)
49+
- [Microsoft Sentinel integration (Preview)](siem-sentinel.md)
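Review bot: the fourth bullet under "Recommended APIs for migration" (line 19, "Microsoft Defender XDR incidents APIs and the incidents resource type") links to the same URL as the bullet above it (`/graph/api/security-list-alerts_v2?view=graph-rest-1.0&tabs=http&preserve-view=true`), so a reader looking for the incidents API lands on the alerts reference; point it at the Graph incidents reference (the "List incidents" page) instead. Smaller points in the same hunk: the link text `[Defender for Cloud Apps SIEM agent ](siem.md)` on line 10 has a trailing space inside the brackets that renders into the link; lines 14-19 sit inside a bare `>` blockquote with no callout type, which looks unintended next to the identical list rendered as plain bullets in release-notes.md; the mapping table mixes `None`, `N/A` and `-` for "no equivalent" (lines 29, 37-42), and the example alert type `ALERT_CABINET_EVENT_MATCH_AUDI` on line 42 appears truncated. Since this page is the migration guide off the agent, it would also help to state which permissions the replacement integrations need (Graph application permissions for the alerts API, destination access for the Streaming API) so teams can scope the new credential narrowly instead of reusing whatever the agent had.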

CloudAppSecurityDocs/release-notes.md

Lines changed: 12 additions & 0 deletions
@@ -29,6 +29,18 @@ For news about earlier releases, see [Archive of past updates for Microsoft Defe
2929

3030
## May 2025
3131

32+
### Changes to Microsoft Defender for Cloud Apps SIEM agent availability
33+
34+
As part of our ongoing convergence process across Microsoft Defender workloads, [Microsoft Defender for Cloud Apps SIEM agents](siem.md) will be deprecated starting November 2025.
35+
36+
To ensure continuity and access to data currently available through Microsoft Defender for Cloud Apps SIEM agents, we recommend transitioning to the following supported APIs:
37+
- For alerts and activities, see: [Microsoft Defender XDR Streaming API](/defender-xdr/streaming-api).
38+
- For Microsoft Entra ID Protection logon events, see [IdentityLogonEvents](/defender-xdr/advanced-hunting-identitylogonevents-table) table in the advanced hunting schema.
39+
- For Microsoft Graph Security Alerts API, see: [List alerts_v2](/graph/api/security-list-alerts_v2?view=graph-rest-1.0&tabs=http&preserve-view=true)
40+
- To view Microsoft Defender for Cloud Apps alerts data in the Microsoft Defender XDR incidents API, see [Microsoft Defender XDR incidents APIs and the incidents resource type](/graph/api/security-list-alerts_v2?view=graph-rest-1.0&tabs=http&preserve-view=true)
41+
42+
For detailed guidance see: [Migrate from Defender for Cloud Apps SIEM agent to supported APIs](migrate-to-supported-api-solutions.md)
43+
3244
### New and improved Cloud App Catalog page
3345

3446
The Cloud app catalog page has been revamped to meet security standards. The new design includes improved navigation, making it easier for you to discover and manage your cloud applications.
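Review bot: the last bullet on line 40 repeats the link defect from the new migration page: "Microsoft Defender XDR incidents APIs and the incidents resource type" points at the alerts_v2 URL (`/graph/api/security-list-alerts_v2?...`) rather than an incidents API reference; fix it in both files in this PR. Also "For detailed guidance see:" on line 42 needs a comma ("For detailed guidance, see"), and since "deprecated starting November 2025" (line 34) is the actionable fact, consider carrying that date into the migration article, which currently gives none.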

CloudAppSecurityDocs/toc.yml

Lines changed: 4 additions & 0 deletions
@@ -315,6 +315,8 @@ items:
315315
- name: Governing connected apps
316316
href: governance-actions.md
317317
displayName: governance actions
318+
- name: Integrate with SIEM and API solutions
319+
items:
318320
- name: Manage events with SIEM solutions
319321
items:
320322
- name: Integrate with Microsoft Sentinel
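Review bot: a new parent node "Integrate with SIEM and API solutions" with its own `items:` is inserted at lines 318-319, but the hunk shows no change to the following "Manage events with SIEM solutions" entry (line 320 onward), and the rendered diff hides indentation; verify that the existing SIEM entries were re-indented under the new node, otherwise the new node ends up with an empty `items:` sequence and the SIEM pages stay at their old level.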
@@ -323,6 +325,8 @@ items:
323325
href: siem.md
324326
- name: Troubleshooting SIEM solutions
325327
href: troubleshooting-siem.md
328+
- name: Migrate from SIEM agents to supported API solutions
329+
href: migrate-to-supported-api-solutions.md
326330
- name: Customize alert automation with Power Automate
327331
items:
328332
- name: Customize alert automation with Power Automate
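Review bot: the new entry title "Migrate from SIEM agents to supported API solutions" (line 328) matches neither the article H1 "Migrate from Defender for Cloud Apps SIEM agent to supported APIs" nor the release-notes link text; align the three so navigation and search agree. It is also placed as a sibling of "Troubleshooting SIEM solutions" inside the legacy "Manage events with SIEM solutions" group; as the exit path from that group, it would be easier to find directly under the new "Integrate with SIEM and API solutions" node.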

unified-secops-platform/microsoft-sentinel-onboard.md

Lines changed: 7 additions & 4 deletions
@@ -44,7 +44,7 @@ Before you begin, review the feature documentation to understand the product cha
4444
- [Alerts, incidents, and correlation in Microsoft Defender XDR](/defender-xdr/alerts-incidents-correlation)
4545
- [Automation with the unified security operations platform](/azure/sentinel/automation#automation-with-the-unified-security-operations-platform)
4646

47-
The Microsoft Defender portal supports a single Microsoft Entra tenant and the connection to a primary workspace and multiple secondary workspaces (preview). If you have only one workspace when you onboard Microsoft Sentinel, that workspace is designated as the primary workspace. For more information, see [Multiple Microsoft Sentinel workspaces in the Defender portal](https://go.microsoft.com/fwlink/p/?linkid=2310579). In the context of this article, a workspace is a Log Analytics workspace with Microsoft Sentinel enabled.
47+
The Microsoft Defender portal supports a single Microsoft Entra tenant and the connection to a primary workspace and multiple secondary workspaces. If you have only one workspace when you onboard Microsoft Sentinel, that workspace is designated as the primary workspace. For more information, see [Multiple Microsoft Sentinel workspaces in the Defender portal](https://go.microsoft.com/fwlink/p/?linkid=2310579). In the context of this article, a workspace is a Log Analytics workspace with Microsoft Sentinel enabled.
4848

4949
### Microsoft Sentinel prerequisites
5050

@@ -56,8 +56,8 @@ To onboard and use Microsoft Sentinel in the Defender portal, you must have the
5656

5757
|Task |Microsoft Entra or Azure built-in role required |Scope |
5858
|---------|---------|---------|
59-
|**Onboard Microsoft Sentinel to the Defender portal**|[Global administrator](/entra/identity/role-based-access-control/permissions-reference#global-administrator) or [security administrator](/entra/identity/role-based-access-control/permissions-reference#security-administrator) in Microsoft Entra ID|Tenant|
60-
|**Connect or disconnect a workspace with Microsoft Sentinel enabled**|[Owner](/azure/role-based-access-control/built-in-roles#owner) or </br>[User Access Administrator](/azure/role-based-access-control/built-in-roles#user-access-administrator) and [Microsoft Sentinel Contributor](/azure/role-based-access-control/built-in-roles#microsoft-sentinel-contributor) |- Subscription for Owner or User Access Administrator roles </br></br>- Subscription, resource group, or workspace resource for Microsoft Sentinel Contributor |
59+
|**Onboard Microsoft Sentinel to the Defender portal**|One of the following in Microsoft Entra ID:<br><br> - [Global administrator](/entra/identity/role-based-access-control/permissions-reference#global-administrator) AND subscription [Owner](/azure/role-based-access-control/built-in-roles#owner) <br>- [Security administrator](/entra/identity/role-based-access-control/permissions-reference#security-administrator) AND subscription [Owner](/azure/role-based-access-control/built-in-roles#owner) <br>- [Global administrator](/entra/identity/role-based-access-control/permissions-reference#global-administrator) AND [User Access Administrator](/azure/role-based-access-control/built-in-roles#user-access-administrator) AND [Microsoft Sentinel Contributor](/azure/role-based-access-control/built-in-roles#microsoft-sentinel-contributor) <br>- [Security administrator](/entra/identity/role-based-access-control/permissions-reference#security-administrator) AND [User Access Administrator](/azure/role-based-access-control/built-in-roles#user-access-administrator) AND [Microsoft Sentinel Contributor](/azure/role-based-access-control/built-in-roles#microsoft-sentinel-contributor)|Tenant|
60+
|**Connect or disconnect a secondary workspace**|One of the following:<br><br>- [Global administrator](/entra/identity/role-based-access-control/permissions-reference#global-administrator) AND subscription [Owner](/azure/role-based-access-control/built-in-roles#owner)<br>- [Security administrator](/entra/identity/role-based-access-control/permissions-reference#security-administrator) AND subscription [Owner](/azure/role-based-access-control/built-in-roles#owner)<br>- [Global administrator](/entra/identity/role-based-access-control/permissions-reference#global-administrator) AND [User Access Administrator](/azure/role-based-access-control/built-in-roles#user-access-administrator) AND [Microsoft Sentinel Contributor](/azure/role-based-access-control/built-in-roles#microsoft-sentinel-contributor)<br>- [Security administrator](/entra/identity/role-based-access-control/permissions-reference#security-administrator) AND [User Access Administrator](/azure/role-based-access-control/built-in-roles#user-access-administrator) AND [Microsoft Sentinel Contributor](/azure/role-based-access-control/built-in-roles#microsoft-sentinel-contributor)<br>- Subscription [Owner](/azure/role-based-access-control/built-in-roles#owner)<br>- [User Access Administrator](/azure/role-based-access-control/built-in-roles#user-access-administrator) AND [Microsoft Sentinel Contributor](/azure/role-based-access-control/built-in-roles#microsoft-sentinel-contributor)|- Subscription Owner or User Access Administrator roles </br></br>- Subscription, resource group, or workspace resource for Microsoft Sentinel Contributor |
6161
|**Change the primary workspace**|[Global administrator](/entra/identity/role-based-access-control/permissions-reference#global-administrator) or [security administrator](/entra/identity/role-based-access-control/permissions-reference#security-administrator) in Microsoft Entra ID|Tenant|
6262
|**View Microsoft Sentinel in the Defender portal**|[Microsoft Sentinel Reader](/azure/role-based-access-control/built-in-roles#microsoft-sentinel-reader) |Subscription, resource group, or workspace resource |
6363
|**Query Microsoft Sentinel data tables or view incidents** |[Microsoft Sentinel Reader](/azure/role-based-access-control/built-in-roles#microsoft-sentinel-reader) or a role with the following actions:</br>- Microsoft.OperationalInsights/workspaces/read</br>- Microsoft.OperationalInsights/workspaces/query/read</br>- Microsoft.SecurityInsights/Incidents/read</br>- Microsoft.SecurityInsights/incidents/comments/read</br>- Microsoft.SecurityInsights/incidents/relations/read</br>- Microsoft.SecurityInsights/incidents/tasks/read|Subscription, resource group, or workspace resource |
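Review bot: the Scope column for "Onboard Microsoft Sentinel to the Defender portal" (line 59) still says "Tenant", but every option now also requires an Azure role (Owner, or User Access Administrator plus Microsoft Sentinel Contributor) that is granted at subscription, resource group or workspace scope; state both scopes the way the secondary-workspace row does. The unchanged "Change the primary workspace" row (line 61) still lists only Global administrator or security administrator with no Azure role, which is now inconsistent with the onboarding row; confirm that is intended. In the secondary-workspace row (line 60), plain "Subscription Owner" and "User Access Administrator AND Microsoft Sentinel Contributor" are accepted on their own, so the four Entra-plus-Azure combinations above them are strict supersets and can be dropped, which also makes the least-privilege path obvious. Finally, every combination lists Global administrator before Security administrator; leading with the less privileged role is consistent with the Important note added below.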
@@ -68,6 +68,9 @@ To onboard and use Microsoft Sentinel in the Defender portal, you must have the
6868

6969
For more information, see [Roles and permissions in Microsoft Sentinel](/azure/sentinel/roles) and [Manage access to Microsoft Sentinel data by resource](/azure/sentinel/resource-context-rbac).
7070

71+
> [!IMPORTANT]
72+
> Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
73+
7174
### Microsoft's unified SecOps platform prerequisites
7275

7376
To unify capabilities with Defender XDR in Microsoft's unified SecOps platform, you must have the following resources and access:
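Review bot: the Important note (lines 71-72) is the generic least-privilege boilerplate; since the table above offers Security administrator as an alternative in every row that needs an Entra role, say so directly ("prefer Security administrator over Global administrator for the tasks in this table") so the reader knows which option to pick rather than just being told to avoid Global Administrator.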
@@ -80,7 +83,7 @@ If applicable, complete these prerequisites:
8083

8184
|Service |Prerequisite |
8285
|---------|---------|
83-
|**Microsoft Purview Insider Risk Management*** | If your organization uses Microsoft Purview Insider Risk Management, integrate that data by enabling the data connector **Microsoft 365 Insider Risk Management** on your primary workspace for Microsoft Sentinel. Disable that connector on any secondary workspaces for Microsoft Sentinel that you plan to onboard to the Defender portal. <br><br>- Install the **Microsoft Purview Insider Risk Management** solution from the **Content hub** on the primary workspace.<br>- Configure the data connector. <br><br>For more information, see [Discover and manage Microsoft Sentinel out-of-the-box content](/azure/sentinel/sentinel-solutions-deploy). |
86+
|**Microsoft Purview Insider Risk Management** | If your organization uses Microsoft Purview Insider Risk Management, integrate that data by enabling the data connector **Microsoft 365 Insider Risk Management** on your primary workspace for Microsoft Sentinel. Disable that connector on any secondary workspaces for Microsoft Sentinel that you plan to onboard to the Defender portal. <br><br>- Install the **Microsoft Purview Insider Risk Management** solution from the **Content hub** on the primary workspace.<br>- Configure the data connector. <br><br>For more information, see [Discover and manage Microsoft Sentinel out-of-the-box content](/azure/sentinel/sentinel-solutions-deploy). |
8487
|**Microsoft Defender for Cloud** | To stream Defender for Cloud incidents that are correlated across all subscriptions of the tenant to the primary workspace for Microsoft Sentinel: <br><br>- Connect the **Tenant-based Microsoft Defender for Cloud (Preview)** data connector in the primary workspace.<br> - Disconnect the **Subscription-based Microsoft Defender for Cloud (Legacy)** alerts connector from all workspaces in the tenant. <br><br>If you don't want to stream correlated tenant data for Defender for Cloud to the primary workspace, continue to use the **Subscription-based Microsoft Defender for Cloud (Legacy)** connector on your workspaces. For more information, see [Ingest Microsoft Defender for Cloud incidents with Microsoft Defender XDR integration](/azure/sentinel/ingest-defender-for-cloud-incidents). |
8588

8689
## Onboard Microsoft Sentinel

unified-secops-platform/mto-advanced-hunting.md

Lines changed: 1 addition & 3 deletions
@@ -35,7 +35,6 @@ In multitenant environments, advanced hunting queries can return a maximum of 50
3535
For more information about service limits in advanced hunting, read [Understand advanced hunting quotas](/defender-xdr/advanced-hunting-limits#understand-advanced-hunting-quotas-and-usage-parameters).
3636

3737

38-
3938
## Run cross-tenant queries
4039

4140
You can run any query that you already have access to in the multitenant management **Advanced hunting** page.
@@ -75,8 +74,7 @@ You can run any query that you already have access to in the multitenant managem
7574
7675
To learn more about advanced hunting in Microsoft Defender XDR, read [Proactively hunt for threats with advanced hunting in Microsoft Defender XDR](/defender-xdr/advanced-hunting-overview).
7776

78-
79-
## Run cross-workspace queries (Preview)
77+
## Run cross-workspace queries
8078

8179
To run queries across multiple workspaces in the same tenant, use the [workspace( ) expression](/azure/azure-monitor/logs/cross-workspace-query#query-across-log-analytics-workspaces-using-workspace), with the workspace identifier as the argument in your query to refer to a table in a different workspace.
8280
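Review bot: renaming the heading from "Run cross-workspace queries (Preview)" to "Run cross-workspace queries" (line 77) changes the generated anchor, so existing links to `#run-cross-workspace-queries-preview` will break; search for inbound references in the repo or keep the old anchor. In the unchanged context on line 81, `workspace( ) expression` has a stray space inside the parentheses; `workspace()` is the KQL form.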

unified-secops-platform/mto-incidents-alerts.md

Lines changed: 0 additions & 2 deletions
@@ -26,8 +26,6 @@ Multi-tenant management for Microsoft Defender XDR and Microsoft Sentinel in the
2626

2727
Manage incidents & alerts originating from multiple tenants and workspaces under **Incidents & alerts**.
2828

29-
Multiple workspaces per tenant are supported in multitenant management as preview.
30-
3129
## View and investigate incidents
3230

3331
To view or investigate an incident:
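Review bot: deleting "Multiple workspaces per tenant are supported in multitenant management as preview." (line 29) removes the only statement on this page that multiple workspaces per tenant are supported at all; since the other files in this PR drop "(preview)" to mark the feature as generally available, replace the sentence with the GA wording rather than removing it.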
