SIEM integration with Advanced Threat Protection

If your organization is using a security incident and event management (SIEM) server, you can integrate Office 365 Advanced Threat Protection with your SIEM server. SIEM integration enables you to view information, such as malware or phish detected by Office 365 Advanced Protection, in your SIEM server reports. To set up SIEM integration, you use the Office 365 Activity Management API.

The Office 365 Activity Management API retrieves information about user, admin, system, and policy actions and events from your organization's Microsoft 365 for business and Azure Active Directory activity logs. The Office 365 Advanced Threat Protection schema works with Advanced Threat Protection, so if your organization has the Office 365 Advanced Threat Protection Plan 1 or Plan 2 or Office 365 E5, you can still use that same API for your SIEM server integration.

As part of our recent updates, we have also added events from automated investigation and response capabilities in Office 365 ATP Plan 2 within the Office 365 Management Activity API. In addition to including data about core investigation details such as ID, name and status, it also contains high-level information about investigation actions and entities.

The SIEM server or other similar system should poll the audit.general workload to access detection events. To learn more see Get started with Office 365 Management APIs. In addition, the following values of AuditLogRecordType are relevant for Office 365 ATP events:

Enum: AuditLogRecordType - Type: Edm.Int32

AuditLogRecordType

Value Member name Description
28 ThreatIntelligence Phishing and malware events from Exchange Online Protection and Office 365 Advanced Threat Protection.
41 ThreatIntelligenceUrl ATP Safe Links time-of-block and block override events from Office 365 Advanced Threat Protection.
47 ThreatIntelligenceAtpContent Phishing and malware events for files in SharePoint Online, OneDrive for Business, and Microsoft Teams from Office 365 Advanced Threat Protection.
64 AirInvestigation Automated investigation and response events, such as investigation details and relevant artifacts from Office 365 Advanced Threat Protection Plan 2.

Important

You must be a global administrator or have the security administrator role assigned for the Security & Compliance Center to set up SIEM integration with Office 365 Advanced Threat Protection.
Audit logging must be turned on for your Microsoft 365 environment. To get help with this, see Turn audit log search on or off.

Office 365 threat investigation and response

Automated investigation and response (AIR) in Office 365

Office 365 Advanced Threat Protection

Smart reports and insights in the Security & Compliance Center

Permissions in the Security & Compliance Center