Just curious if anyone has been able to get the Microsoft Defender ATP Event Source setup since the ‘SIEM Integration’ changed on the MCAS side? I have had this setup for about a year and back in November-December, MCAS changed how they do SIEM Integration and API tokens. It appears that we now need to do an ‘API Token’ so that IDR can ‘Pull’ the events from MCAS. If you try to use the actual ‘SIEM Agent Integration’ now, it requires an ‘IP’ and ‘Port’ for the system that is receiving these logs; instead of IDR pulling them.
I tried using the API token (since it is the closest to what is already configured) but that does not seem to work.
Does anyone know if it is also possible to use an existing Azure application and add the Alert.Read.All permission to the app? Or do we really need to use the WindowsDefenderATPSiemConnector app? Because I can’t see this app in my environment.
You can then grab the “OAuth 2.0 token endpoint (v1)” URL from the Overview > Endpoints page and you should be all set to register the event source in IDR.
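As an added illustration (not code from anyone in this thread, and not Rapid7's or Microsoft's own connector code) of what the v1 token endpoint step above involves: a small Python script that checks the URL really is a v1 endpoint (the v1 form takes a `resource` parameter, while the v2 form under `/oauth2/v2.0/token` takes `scope`, so the two are not interchangeable), performs the client-credentials request, and inspects the issued token's `roles` claim to confirm the application permission (here `Alert.Read.All`, from the question above) was actually granted before you hand the app to the event source. The tenant id, client id/secret and the `resource` value `https://api.securitycenter.microsoft.com` are assumptions or placeholders you replace with your own; the sample JWTs are constructed locally so the role check can be exercised offline.

```python
"""Client-credentials token acquisition against the v1 OAuth 2.0 endpoint,
plus a check that the token carries the expected application role.
Added example; URLs, ids and the resource value are assumptions/placeholders."""
import base64
import json
import urllib.parse
import urllib.request


def check_v1_token_endpoint(url: str) -> str:
    """Return the tenant id from a v1 token endpoint URL, or raise.
    v1: https://login.microsoftonline.com/<tenant>/oauth2/token  (uses 'resource')
    v2: https://login.microsoftonline.com/<tenant>/oauth2/v2.0/token (uses 'scope')
    Posting a v1-style body to the v2 URL (or vice versa) yields an error or a
    token the downstream API rejects, so the shape is validated up front."""
    parsed = urllib.parse.urlparse(url)
    if parsed.scheme != "https" or parsed.netloc != "login.microsoftonline.com":
        raise ValueError(f"unexpected token endpoint host: {url}")
    parts = parsed.path.strip("/").split("/")
    if len(parts) != 3 or parts[1:] != ["oauth2", "token"]:
        raise ValueError(f"not a v1 token endpoint: {url}")
    return parts[0]


def build_token_request(token_endpoint: str, client_id: str,
                        client_secret: str, resource: str) -> urllib.request.Request:
    """Build the form-encoded POST for the v1 client-credentials grant."""
    check_v1_token_endpoint(token_endpoint)
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": resource,          # v1 parameter; v2 would use 'scope'
    }).encode()
    return urllib.request.Request(
        token_endpoint, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})


def decode_jwt_claims(token: str) -> dict:
    """Decode the payload segment WITHOUT verifying the signature.
    Used only to inspect which roles the issuer put in the token; the
    receiving API, not this script, is what validates the token."""
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("not a compact JWT")
    payload = segments[1] + "=" * (-len(segments[1]) % 4)   # restore padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_has_role(token: str, role: str) -> bool:
    """True if the application-permission role appears in the token's 'roles' claim."""
    return role in decode_jwt_claims(token).get("roles", [])


def acquire_token(token_endpoint, client_id, client_secret, resource,
                  required_role, opener=urllib.request.urlopen) -> str:
    """Request a token and refuse to return it if the required role is missing,
    which is the usual symptom of a permission added but not admin-consented."""
    req = build_token_request(token_endpoint, client_id, client_secret, resource)
    with opener(req) as resp:
        data = json.loads(resp.read())
    token = data["access_token"]
    if not token_has_role(token, required_role):
        raise PermissionError(f"token issued without role {required_role}; "
                              "check API permissions and admin consent on the app")
    return token


def _make_unsigned_sample_jwt(claims: dict) -> str:
    """Constructed, unsigned sample token for offline demonstration only."""
    b64 = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}.sig"


# Constructed samples: one token with the role granted, one without.
SAMPLE_TOKEN_WITH_ROLE = _make_unsigned_sample_jwt(
    {"aud": "https://api.securitycenter.microsoft.com", "roles": ["Alert.Read.All"]})
SAMPLE_TOKEN_WITHOUT_ROLE = _make_unsigned_sample_jwt(
    {"aud": "https://api.securitycenter.microsoft.com"})

if __name__ == "__main__":
    # Placeholders: replace with the values from your app registration.
    tenant = check_v1_token_endpoint(
        "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/token")
    print("tenant from endpoint:", tenant)
    print("sample with role ok:", token_has_role(SAMPLE_TOKEN_WITH_ROLE, "Alert.Read.All"))
    print("sample without role ok:", token_has_role(SAMPLE_TOKEN_WITHOUT_ROLE, "Alert.Read.All"))
```

The `opener` parameter exists so the flow can be driven with a stubbed response; in real use leave it at the default and pass the endpoint URL copied from Overview > Endpoints.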