Microsoft Defender ATP Setup

Just curious if anyone has been able to get the Microsoft Defender ATP Event Source set up since the ‘SIEM Integration’ changed on the MCAS side? I have had this set up for about a year, and back in November-December, MCAS changed how they do SIEM Integration and API tokens. It appears that we now need to do an ‘API Token’ so that IDR can ‘Pull’ the events from MCAS. If you try to use the actual ‘SIEM Agent Integration’ now, it requires an ‘IP’ and ‘Port’ for the system that is receiving these logs, instead of IDR pulling them.

I tried using the API token (since it is the closest to what is already configured) but that does not seem to work.

Any help would be greatly beneficial.

Thank you

Hi Tony,

Could you open a support ticket so we can investigate this with you over a screen share session?

David Smith
Rapid7