check before: 2025-06-18
Product:
Defender, Defender for Cloud Apps, Defender XDR, Entra, Microsoft Graph, Stream
Platform:
Developer, Online, World tenant
Status:
Change type:
Admin impact, Retirement
Links:

Details:
Summary:
Microsoft Defender for Cloud Apps will retire SIEM agents between mid-November 2025 and late November 2025. No new SIEM agents can be configured after June 19, 2025. Transition to APIs for managing activities and alerts data from multiple workloads is recommended. Microsoft Sentinel agents remain supported.
Details:
As part of our ongoing convergence process for all Microsoft Defender workloads, we will retire SIEM (Security Information and Event Management) agents from Microsoft Defender for Cloud Apps, starting mid-November 2025 and ending late November 2025. We recommend you transition to APIs that support the management of activities and alerts data from multiple workloads.
Release Phase:
Created:
2025-05-20
updated:
2025-05-20
summary for non-techies**
Microsoft plans to retire SIEM agents for Defender for Cloud Apps by late November 2025, recommending a shift to using APIs for managing activities and alerts data, while Microsoft Sentinel agents will remain supported.
Direct effects for Operations**
Retirement of SIEM agents
Without proper transition planning, organizations may lose access to critical security monitoring capabilities, leading to potential security gaps.
- roles: Security Administrators, IT Operations Managers
- references: https://learn.microsoft.com/defender-cloud-apps/siem
Increased workload on IT staff
Transitioning to new APIs without preparation may overwhelm IT staff, causing delays in incident response and management.
- roles: IT Support Staff, Security Analysts
- references: https://learn.microsoft.com/defender-xdr/advanced-hunting-identitylogonevents-table
User experience degradation
If alerts and activities data are not properly managed during the transition, users may experience delays in security incident responses, affecting their productivity.
- roles: End Users, Helpdesk Support
- references: https://learn.microsoft.com/defender-xdr/api-incident
Compliance risks
Failure to transition to the new API solutions may result in non-compliance with security regulations, leading to potential legal and financial repercussions.
- roles: Compliance Officers, Risk Management Teams
- references: https://learn.microsoft.com/defender-xdr/streaming-api
Loss of historical data access
Without a planned migration, organizations may lose access to historical alerts and activities data, hindering forensic investigations.
- roles: Security Analysts, Incident Response Teams
- references: https://learn.microsoft.com/graph/api/security-list-alerts_v2?view=graph-rest-1.0&tabs=http
** AI generated content. This information must be reviewed before use.
Last updated 3 weeks ago