SIEM integration with Office 365 Threat Intelligence and Advanced Threat Protection

If your organization is using a security incident and event management (SIEM) server, you can integrate Office 365 Threat Intelligence and Advanced Threat Protection with your SIEM server. SIEM integration enables you to view information, such as malware detected by Office 365 Advanced Protection and Threat Intelligence, in your SIEM server reports. To set up SIEM integration, you use the Office 365 Activity Management API.

The Office 365 Activity Management API retrieves information about user, admin, system, and policy actions and events from your organization's Office 365 and Azure Active Directory activity logs. The Office 365 Advanced Threat Protection and Threat Intelligence schema works with Threat Intelligence and/or Advanced Threat Protection, so if your organization has Advanced Threat Protection but not Threat Intelligence (or vice versa), you can still use that same API for your SIEM server integration.

The SIEM server or other similar system should poll the audit.general workload to access detection events. To learn more see Get started with Office 365 Management APIs.

Important

You must be an Office 365 global administrator or have the security administrator role assigned in the Security & Compliance Center to set up SIEM integration with Office 365 Threat Intelligence and Advanced Threat Protection.
Audit logging must be turned on for your Office 365 environment. To get help with this, see Turn Office 365 audit log search on or off.

Office 365 Threat Intelligence

Office 365 Advanced Threat Protection

Smart reports and insights in the Office 365 Security & Compliance Center

Permissions in the Office 365 Security & Compliance Center