
Commit daae071

committed
Merge branch 'WI432220-new-article-migrate-siem-api-solution' of https://github.com/DeCohen/defender-docs-pr into WI432220-new-article-migrate-siem-api-solution
2 parents 5da394e + af3504b commit daae071


3 files changed

+67
-0
lines changed

Lines changed: 49 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,49 @@
1+
---
2+
title: Migrate to Supported API Solutions
3+
description: This article describes how to transition from the legacy Defender for Cloud Apps SIEM agent to supported APIs.
4+
ms.date: 05/19/2025
5+
ms.topic: article
6+
---
7+
8+
# Migrate from Defender for Cloud Apps SIEM agent to supported APIs
9+
10+
Transitioning from the legacy [Defender for Cloud Apps SIEM agent ](siem.md) to supported APIs enables continued access to enriched activities and alerts data. While the APIs might not have exact one-to-one mappings to the legacy Common Event Format (CEF) schema, they provide comprehensive, enhanced data through integration across multiple Microsoft Defender workloads.
11+
12+
## Recommended APIs for migration
13+
14+
> To ensure continuity and access to data currently available through Microsoft Defender for Cloud Apps SIEM agents, we recommend transitioning to the following supported APIs:
15+
>
16+
> - For alerts and activities, see: [Microsoft Defender XDR Streaming API](/defender-xdr/streaming-api).
17+
> - For Microsoft Entra ID Protection logon events, see [IdentityLogonEvents](/defender-xdr/advanced-hunting-identitylogonevents-table) table in the advanced hunting schema.
18+
> - For Microsoft Graph Security Alerts API, see: [List alerts_v2](/graph/api/security-list-alerts_v2?view=graph-rest-1.0&tabs=http&preserve-view=true)
19+
> - To view Microsoft Defender for Cloud Apps alerts data in the Microsoft Defender XDR incidents API, see [Microsoft Defender XDR incidents APIs and the incidents resource type](/graph/api/security-list-alerts_v2?view=graph-rest-1.0&tabs=http&preserve-view=true)
20+
21+
## Field Mapping from Legacy SIEM to Supported APIs
22+
23+
The table below compares the legacy SIEM agent’s CEF fields to the nearest equivalent fields in the Defender XDR Streaming API (advanced hunting event schema) and the Microsoft Graph Security Alerts API.
24+
25+
26+
| CEF Field (MDA SIEM) | Description | Defender XDR Streaming API (CloudAppEvents/AlertEvidence/AlertInfo) | Graph Security Alerts API (v2) |
27+
|---------------------------------------|-------------------------------------------------------------|--------------------------------------------------------------------------------------------------|----------------------------------------------------------------|
28+
| `start` | Activity or alert timestamp | `Timestamp` | `firstActivityDateTime` |
29+
| `end` | Activity or alert timestamp | None | `lastActivityDateTime` |
30+
| `rt` | Activity or alert timestamp | `createdDateTime` | `createdDateTime` / `lastUpdateDateTime` / `resolvedDateTime` |
31+
| `msg` | Alert or activity description as shown in the portal in a human readable format | The closest structured fields that contribute to a similar description: `actorDisplayName`, `ObjectName`, `ActionType`, `ActivityType` | `description` |
32+
| `suser` | Activity or alert subject user | `AccountObjectId`, `AccountId`, `AccountDisplayName` | See `userEvidence` resource type |
33+
| `destinationServiceName` | Activity or alert from the originating app (for example, SharePoint, Box) | `CloudAppEvents > Application` | See `cloudApplicationEvidence` resource type |
34+
| `cs<X>Label`, `cs<X>` | Alert or activity dynamic fields (for example, target user, object) | `Entities`, `Evidence`, `additionalData`, `ActivityObjects` | Various `alertEvidence` resource types |
35+
| `EVENT_CATEGORY_*` | High-level activity category | `ActivityType` / `ActionType` | `category` |
36+
| `<name>` | Matched policy name | `Title`, `alertPolicyId` | `Title`, `alertPolicyId` |
37+
| `<ACTION>` (Activities) | Specific activity type | `ActionType` | N/A |
38+
| `externalId` (Activities) | Event ID | `ReportId` | N/A |
39+
| `requestClientApplication` (activities)| User agent of the client device in activities | `UserAgent` | N/A |
40+
| `Dvc` (activities) | Client device IP | `IPAddress` | N/A |
41+
| `externalId` (Alert) | Alert ID | `AlertId` | `id` |
42+
| `<alert type>` | Alert type (for example, ALERT_CABINET_EVENT_MATCH_AUDI) | - | - |
43+
| `Src` / `c6a1` (alerts) | Source IP | `IPAddress` | `ipEvidence` resource type |
44+
45+
46+
## Related content
47+
48+
- [Generic SIEM integration](siem.md)
49+
- [Microsoft Sentinel integration (Preview)](siem-sentinel.md)
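Review bot: The last bullet of the "Recommended APIs for migration" list links "Microsoft Defender XDR incidents APIs and the incidents resource type" to the same URL as the List alerts_v2 bullet directly above it (`/graph/api/security-list-alerts_v2?...`), so a reader looking for the incidents API is sent to the alerts endpoint; the target should be the incidents API page. Three smaller points in the same file: the whole bullet list is wrapped in a `>` blockquote with no `[!NOTE]`-style marker on the first line, so it renders as a plain quotation rather than a callout (either add the marker or drop the `>`); the link text `[Defender for Cloud Apps SIEM agent ](siem.md)` has a trailing space inside the brackets; and in the field-mapping table the Streaming API column mixes casing (`createdDateTime`, `additionalData`, `alertPolicyId` next to `Timestamp`, `AccountObjectId`, `ActionType`) while the alert-type example `ALERT_CABINET_EVENT_MATCH_AUDI` reads as truncated, so those cells deserve a check against the advanced hunting schema before publishing.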

CloudAppSecurityDocs/release-notes.md

Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -29,6 +29,18 @@ For news about earlier releases, see [Archive of past updates for Microsoft Defe
2929

3030
## May 2025
3131

32+
### Changes to Microsoft Defender for Cloud Apps SIEM agent availability
33+
34+
As part of our ongoing convergence process across Microsoft Defender workloads, [Microsoft Defender for Cloud Apps SIEM agents](siem.md) will be deprecated starting November 2025.
35+
36+
To ensure continuity and access to data currently available through Microsoft Defender for Cloud Apps SIEM agents, we recommend transitioning to the following supported APIs:
37+
- For alerts and activities, see: [Microsoft Defender XDR Streaming API](/defender-xdr/streaming-api).
38+
- For Microsoft Entra ID Protection logon events, see [IdentityLogonEvents](/defender-xdr/advanced-hunting-identitylogonevents-table) table in the advanced hunting schema.
39+
- For Microsoft Graph Security Alerts API, see: [List alerts_v2](/graph/api/security-list-alerts_v2?view=graph-rest-1.0&tabs=http&preserve-view=true)
40+
- To view Microsoft Defender for Cloud Apps alerts data in the Microsoft Defender XDR incidents API, see [Microsoft Defender XDR incidents APIs and the incidents resource type](/graph/api/security-list-alerts_v2?view=graph-rest-1.0&tabs=http&preserve-view=true)
41+
42+
For detailed guidance see: [Migrate from Defender for Cloud Apps SIEM agent to supported APIs](migrate-to-supported-api-solutions.md)
43+
3244
### New and improved Cloud App Catalog page
3345

3446
The Cloud app catalog page has been revamped to meet security standards. The new design includes improved navigation, making it easier for you to discover and manage your cloud applications.
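Review bot: Same link problem as in the new article: the bullet for the Microsoft Defender XDR incidents API points at the List alerts_v2 URL (`/graph/api/security-list-alerts_v2?...`), so the release note also sends readers to the alerts endpoint instead of the incidents API; fix the target here as well so the two pages stay in sync. Minor wording: "For detailed guidance see:" needs a comma after "guidance", and the bullets alternate between "see:" and "see" before the link, so pick one form for the list.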

CloudAppSecurityDocs/toc.yml

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -315,6 +315,8 @@ items:
315315
- name: Governing connected apps
316316
href: governance-actions.md
317317
displayName: governance actions
318+
- name: Integrate with SIEM and API solutions
319+
items:
318320
- name: Manage events with SIEM solutions
319321
items:
320322
- name: Integrate with Microsoft Sentinel
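Review bot: The new `- name: Integrate with SIEM and API solutions` / `items:` pair is inserted directly above `- name: Manage events with SIEM solutions`, but that entry and the lines beneath it appear only as unchanged context, so their indentation did not change in this commit. In YAML the children of the new `items:` must sit one level deeper than the new `- name:` entry; if the existing SIEM entries were not already at that depth, the new `items:` key is empty and the SIEM section remains a sibling of the new node rather than nested under it. Please confirm the rendered TOC shows the intended hierarchy.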
@@ -323,6 +325,10 @@ items:
323325
href: siem.md
324326
- name: Troubleshooting SIEM solutions
325327
href: troubleshooting-siem.md
328+
- name: Migration guides
329+
items:
330+
- name: Migrate from SIEM agents to supported API solutions
331+
href: migrate-to-supported-api-solutions.md
326332
- name: Customize alert automation with Power Automate
327333
items:
328334
- name: Customize alert automation with Power Automate
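Review bot: The new TOC entry is titled "Migrate from SIEM agents to supported API solutions", while the article's H1 in the first hunk on this page is "Migrate from Defender for Cloud Apps SIEM agent to supported APIs" and the release note uses that same H1 as its link text; aligning the three strings helps readers match the TOC node to the page they land on. The neighbouring entry `Governing connected apps` carries a `displayName:` for search, so consider adding one here (for example "SIEM agent, deprecation, CEF") so the migration guide is findable by the terms the release note uses.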
