SIEM integration with Microsoft Defender for Office 365
- Exchange Online Protection
- Microsoft Defender for Office 365 plan 1 and plan 2
- Microsoft 365 Defender
The improved Microsoft 365 security center is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new.
If your organization is using a security information and event management (SIEM) server, you can integrate Microsoft Defender for Office 365 with your SIEM server. You can set up this integration by using the Office 365 Activity Management API.
SIEM integration enables you to view information, such as malware or phish detected by Microsoft Defender for Office 365, in your SIEM server reports.
To see an example of SIEM integration with Microsoft Defender for Office 365, see Tech Community blog: Improve the Effectiveness of your SOC with Defender for Office 365 and the O365 Management API.
To learn more about the Office 365 Management APIs, see Office 365 Management APIs overview.
How SIEM integration works
The Office 365 Activity Management API retrieves information about user, admin, system, and policy actions and events from your organization's Microsoft 365 and Azure Active Directory activity logs. If your organization has Microsoft Defender for Office 365 Plan 1 or 2, or Office 365 E5, you can use the Microsoft Defender for Office 365 schema.
Recently, events from automated investigation and response capabilities in Microsoft Defender for Office 365 Plan 2 were added to the Office 365 Management Activity API. In addition to including data about core investigation details such as ID, name and status, the API also contains high-level information about investigation actions and entities.
The SIEM server or other similar system polls the audit.general workload to access detection events. To learn more, see Get started with Office 365 Management APIs.
Enum: AuditLogRecordType - Type: Edm.Int32
The following table summarizes the values of AuditLogRecordType that are relevant for Microsoft Defender for Office 365 events:
|28||ThreatIntelligence||Phishing and malware events from Exchange Online Protection and Microsoft Defender for Office 365.|
|41||ThreatIntelligenceUrl||Safe Links time-of-block and block override events from Microsoft Defender for Office 365.|
|47||ThreatIntelligenceAtpContent||Phishing and malware events for files in SharePoint Online, OneDrive for Business, and Microsoft Teams, from Microsoft Defender for Office 365.|
|64||AirInvestigation||Automated investigation and response events, such as investigation details and relevant artifacts, from Microsoft Defender for Office 365 Plan 2.|
You must be a global administrator or have the security administrator role assigned for the Security & Compliance Center to set up SIEM integration with Microsoft Defender for Office 365.
Audit logging must be turned on for your Microsoft 365 environment. To get help with this, see Turn audit log search on or off.