SIEM integration with Microsoft Defender for Office 365

Important

The improved Microsoft 365 security center is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new.

If your organization is using a security information and event management (SIEM) server, you can integrate Microsoft Defender for Office 365 with your SIEM server. You can set up this integration by using the Office 365 Activity Management API.

SIEM integration enables you to view information, such as malware or phish detected by Microsoft Defender for Office 365, in your SIEM server reports.

How SIEM integration works

The Office 365 Activity Management API retrieves information about user, admin, system, and policy actions and events from your organization's Microsoft 365 and Azure Active Directory activity logs. If your organization has Microsoft Defender for Office 365 Plan 1 or 2, or Office 365 E5, you can use the Microsoft Defender for Office 365 schema.

Recently, events from automated investigation and response capabilities in Microsoft Defender for Office 365 Plan 2 were added to the Office 365 Management Activity API. In addition to including data about core investigation details such as ID, name and status, the API also contains high-level information about investigation actions and entities.

The SIEM server or other similar system polls the audit.general workload to access detection events. To learn more, see Get started with Office 365 Management APIs.

AuditLogRecordType (enum, type Edm.Int32)

The following table summarizes the values of AuditLogRecordType that are relevant for Microsoft Defender for Office 365 events:

Value | Member name                   | Description
------|------------------------------|------------------------------------------------------------
28    | ThreatIntelligence           | Phishing and malware events from Exchange Online Protection and Microsoft Defender for Office 365.
41    | ThreatIntelligenceUrl        | Safe Links time-of-block and block override events from Microsoft Defender for Office 365.
47    | ThreatIntelligenceAtpContent | Phishing and malware events for files in SharePoint Online, OneDrive for Business, and Microsoft Teams, from Microsoft Defender for Office 365.
64    | AirInvestigation             | Automated investigation and response events, such as investigation details and relevant artifacts, from Microsoft Defender for Office 365 Plan 2.
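The polling step described earlier returns each Audit.General content blob as a JSON array of audit records, and a SIEM collector has to pick out the Defender for Office 365 records by their RecordType. The following is an added example (not Microsoft's code or part of this page) of that filtering step, using the four values from the table above; the sample blob and its field values are constructed for illustration, and the collector is assumed to have already fetched the blob.

```python
import json
from collections import Counter

# AuditLogRecordType values relevant to Defender for Office 365 (from the table above)
DEFENDER_RECORD_TYPES = {
    28: "ThreatIntelligence",
    41: "ThreatIntelligenceUrl",
    47: "ThreatIntelligenceAtpContent",
    64: "AirInvestigation",
}


def select_defender_records(content_blob):
    """Take the JSON array a SIEM receives from one Audit.General content URI
    and keep only Defender for Office 365 records, tagging each with its
    AuditLogRecordType member name. Records without a usable integer
    RecordType are skipped rather than crashing the poller."""
    records = json.loads(content_blob) if isinstance(content_blob, str) else content_blob
    selected = []
    for rec in records:
        rtype = rec.get("RecordType")
        if isinstance(rtype, int) and rtype in DEFENDER_RECORD_TYPES:
            selected.append({**rec, "RecordTypeName": DEFENDER_RECORD_TYPES[rtype]})
    return selected


def count_by_record_type(records):
    """Per-type counts, e.g. for a SIEM dashboard of phish/malware/URL/AIR events."""
    return dict(Counter(r["RecordTypeName"] for r in records))


# Constructed sample blob: the field names follow the common audit record
# shape, but every value here is made up for this example.
SAMPLE_BLOB = json.dumps([
    {"Id": "rec-1", "RecordType": 28, "Operation": "TIMailData",
     "CreationTime": "2021-05-01T10:00:00", "Workload": "ThreatIntelligence"},
    {"Id": "rec-2", "RecordType": 41, "Operation": "TIUrlClickData",
     "CreationTime": "2021-05-01T10:01:00", "Workload": "ThreatIntelligence"},
    {"Id": "rec-3", "RecordType": 1, "Operation": "Set-Mailbox",
     "CreationTime": "2021-05-01T10:02:00", "Workload": "Exchange"},
    {"Id": "rec-4", "RecordType": 64, "Operation": "AirInvestigationData",
     "CreationTime": "2021-05-01T10:03:00", "Workload": "AirInvestigation"},
    {"Id": "rec-5", "RecordType": 28, "Operation": "TIMailData",
     "CreationTime": "2021-05-01T10:04:00", "Workload": "ThreatIntelligence"},
    {"Id": "rec-6", "Operation": "Unknown"},  # malformed record: no RecordType
])

if __name__ == "__main__":
    hits = select_defender_records(SAMPLE_BLOB)
    print(count_by_record_type(hits))  # {'ThreatIntelligence': 2, 'ThreatIntelligenceUrl': 1, 'AirInvestigation': 1}
```

The Exchange admin record (RecordType 1) and the malformed record are dropped, so only the four Defender events reach the SIEM report.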

Important

You must be a global administrator or have the security administrator role assigned for the Security & Compliance Center to set up SIEM integration with Microsoft Defender for Office 365.

Audit logging must be turned on for your Microsoft 365 environment. To get help with this, see Turn audit log search on or off.

See also

Office 365 threat investigation and response

Automated investigation and response (AIR) in Office 365