Updated December 23, 2025: We have paused rollout of this feature. We will announce via Message center when we are ready to proceed. Thank you for your patience.
As part of our ongoing convergence process for all Microsoft Defender workloads, we willplanned to retire SIEM (Security Information and Event Management) agents from Microsoft Defender for Cloud Apps in startinglate December 2025 (previously mid-November 2025November) and ending early January 2026 (previously late November 2025. 2025). We have puased this release and will communicate via Message center when we are ready to proceed.
We recommend you transition to APIs that support the management of activities and alerts data from multiple workloads.
How this will affect your organization:
Existing Microsoft Defender for Cloud Apps SIEM agents will function as is until the SIEM agents retire, but no new SIEM agents can be configured starting June 19, 2025. Microsoft Sentinel agents will remain supported and can still be added.
Defender for Cloud Apps alerts and activities data currently supported in the SIEM agents are also available in the unified API and SIEM solutions that provide access to alerts and activity data for all Microsoft security products, for cross-workload visibility:
These APIs enhance security monitoring and management and offer additional supported capabilities that utilize data from multiple Microsoft Defender workloads.
What you need to do to prepare:
To ensure continuity and access to the same data available before this retirement through Microsoft Defender for Cloud Apps SIEM agents, we recommend transitioning to the supported unified API and SIEM solutions. We encourage you to begin planning your migration to these solutions to take advantage of their enhanced capabilities.
Learn more: Generic SIEM integration - Microsoft Defender for Cloud Apps | Microsoft Learn