SIEM integration with Office 365 Advanced Threat Protection
If your organization is using a security incident and event management (SIEM) server, you can integrate Office 365 Advanced Threat Protection with your SIEM server. SIEM integration enables you to view information, such as malware or phish detected by Office 365 Advanced Protection, in your SIEM server reports. To set up SIEM integration, you use the Office 365 Activity Management API.
The Office 365 Activity Management API retrieves information about user, admin, system, and policy actions and events from your organization's Office 365 and Azure Active Directory activity logs. The Office 365 Advanced Threat Protection schema works with Advanced Threat Protection, so if your organization has the Office 365 Advanced Threat Protection Plan 1 or Plan 2 or Office 365 E5, you can still use that same API for your SIEM server integration.
The SIEM server or other similar system should poll the audit.general workload to access detection events. To learn more see Get started with Office 365 Management APIs. In addition, the following values of AuditLogRecordType are relevant for Office 365 ATP events:
Enum: AuditLogRecordType - Type: Edm.Int32
|28||ThreatIntelligence||Phishing and malware events from Exchange Online Protection and Office 365 Advanced Threat Protection.|
|41||ThreatIntelligenceUrl||ATP Safe Links time-of-block and block override events from Office 365 Advanced Threat Protection.|
|47||ThreatIntelligenceAtpContent||Phishing and malware events for files in SharePoint Online, OneDrive for Business, and Microsoft Teams from Office 365 Advanced Threat Protection.|
You must be an Office 365 global administrator or have the security administrator role assigned for the Security & Compliance Center to set up SIEM integration with Office 365 Advanced Threat Protection.
Audit logging must be turned on for your Office 365 environment. To get help with this, see Turn Office 365 audit log search on or off.