SIEM server integration with Microsoft 365 services and applications
If your organization uses a Security Information and Event Management (SIEM) server, or plans to deploy one soon, you might be wondering how it integrates with Microsoft 365, including Office 365 E5. Whether you need a SIEM server depends on many factors, such as your organization's security requirements. Microsoft 365 offers a variety of security features; however, if your organization has content and applications both on premises and in the cloud (as in a hybrid cloud deployment), you might consider adding a SIEM server for extra protection. You might also consider one if your organization must meet particularly stringent security requirements.
SIEM server integration with Microsoft 365
A SIEM server can receive data from a wide variety of Microsoft 365 services and applications. The following table lists several Microsoft 365 services and applications along with SIEM server inputs and where to go to learn more about SIEM server integration.
| Microsoft 365 service or application | SIEM server inputs | Resources to learn more |
|---|---|---|
| Office 365 Advanced Threat Protection, Office 365 Threat Intelligence | Audit logs | SIEM integration with Office 365 Advanced Threat Protection |
| Microsoft Cloud App Security | Log integration | SIEM integration with Microsoft Cloud App Security |
| Microsoft Threat Protection | Log integration | Pull alerts to your SIEM tools |
| Azure Security Center (Threat Protection and Threat Detection) | Alerts | Azure Security data export to SIEM - Pipeline Configuration - Preview |
| Azure Advanced Threat Analytics | Azure Monitor | (Blog) Use Azure Monitor to integrate with SIEM tools |
| Azure Active Directory Identity Protection | Log integration | Integrate Microsoft Graph Security API alerts with a SIEM |
Audit logging must be turned on
Make sure audit logging is turned on before you configure SIEM server integration.
For SharePoint Online, OneDrive for Business, and Azure Active Directory, audit logging is turned on in the Security & Compliance Center.
For Exchange Online, audit logging is turned on with Windows PowerShell.
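A read-only check of the Exchange Online side of this prerequisite, added here as an example and not taken from Microsoft's documentation. It assumes the ExchangeOnlineManagement module with an open `Connect-ExchangeOnline` session; the function name `Test-SiemAuditReadiness`, its output property names and its definition of "ready" are assumptions made for illustration.

```powershell
# Added example: read-only pre-flight check for the audit-logging prerequisite.
# Assumes an Exchange Online PowerShell session (Connect-ExchangeOnline) is open.
# Test-SiemAuditReadiness and its output property names are hypothetical.
function Test-SiemAuditReadiness {
    [CmdletBinding()]
    param(
        # How many unaudited mailboxes to list by name; the count is always complete.
        [int]$MaxListed = 25
    )

    # Unified audit log ingestion. Query this from Exchange Online PowerShell:
    # in Security & Compliance PowerShell the property always reads False.
    $unified = [bool](Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled

    # Organization-wide mailbox auditing switch (True means it is turned off).
    $orgDisabled = [bool](Get-OrganizationConfig).AuditDisabled

    # Mailboxes whose own AuditEnabled flag is off.
    $unaudited = @(Get-Mailbox -ResultSize Unlimited |
        Where-Object { -not $_.AuditEnabled } |
        Select-Object -ExpandProperty UserPrincipalName)

    [pscustomobject]@{
        UnifiedAuditLogEnabled  = $unified
        OrgMailboxAuditDisabled = $orgDisabled
        MailboxesWithAuditOff   = $unaudited.Count
        SampleMailboxes         = @($unaudited | Select-Object -First $MaxListed)
        # Assumption: "ready" means both tenant-level switches are on.
        ReadyForSiem            = ($unified -and -not $orgDisabled)
    }
}

$result = Test-SiemAuditReadiness
$result | Format-List
if (-not $result.ReadyForSiem) {
    Write-Warning 'Audit logging is not fully on; turn it on before configuring SIEM integration.'
}
```

The function only reads configuration, so it can be run with a view-only role before any SIEM connector is set up.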