Set Up SIEM Integration

Implementation Effort: Medium – This requires configuration by security administrators and may involve coordination with SIEM/SOAR teams to ensure proper data ingestion and alert mapping.

User Impact: Low – This is a backend integration task; end users are not directly affected.

Overview

Setting up SIEM integration in Microsoft Defender for Cloud enables centralized monitoring and correlation of security alerts across cloud and on-premises environments. Defender for Cloud supports integration with SIEM platforms such as Microsoft Sentinel, Micro Focus ArcSight, and other generic SIEMs using Common Event Format (CEF) or APIs.

There are two main approaches:

• Native integration with Microsoft Sentinel: Offers seamless, scalable ingestion of alerts and incidents from Defender for Cloud and other Microsoft security products 1.
• Generic SIEM integration: Uses a downloadable agent (JAR file) that pulls alerts and activities from Defender for Cloud Apps and streams them into your SIEM 2. Note: This method is being deprecated starting November 2025, and organizations are encouraged to transition to Microsoft Defender XDR Streaming API or Microsoft Graph Security API 2.

This integration supports the Zero Trust principle of "Assume Breach" by enabling continuous monitoring, automated incident response, and correlation of security events across multiple environments.

Reference

• Generic SIEM integration – Microsoft Defender for Cloud Apps
• Stream alerts to monitoring solutions – Microsoft Defender for Cloud
• Microsoft Sentinel integration – Microsoft Defender for Cloud Apps