SIEM server integration with Microsoft 365 services and applications
If your organization is using a Security Information and Event Management (SIEM) server, or if you are planning to get a SIEM server soon, you might be wondering how it will integrate with Microsoft 365, including Office 365 Enterprise. Whether you need a SIEM server depends on many factors, such as your organization's security requirements. Microsoft 365 offers a variety of security features; however, if your organization has content and applications on premises and in the cloud (as in the case of a hybrid cloud deployment), you might consider adding a SIEM server for extra protection. Or, if your organization has particularly stringent security requirements you must meet, you might consider adding a SIEM server to your environment.
SIEM server integration with Microsoft 365
A SIEM server can receive data from a wide variety of Microsoft 365 services and applications. The following table lists several Microsoft 365 services and applications along with SIEM server inputs and where to go to learn more about SIEM server integration.
|Microsoft 365 Service or Application|SIEM server inputs|Resources to learn more|
|---|---|---|
|Office 365 Advanced Threat Protection, Office 365 Threat Intelligence|Audit logs|SIEM integration with Office 365 Advanced Threat Protection|
|Microsoft Cloud App Security|Log integration|SIEM integration with Microsoft Cloud App Security|
|Office 365 Cloud App Security|Log integration|Integrate your SIEM server with Office 365 Cloud App Security|
|Windows Defender Advanced Threat Protection|Log integration|Pull alerts to your SIEM tools|
|Azure Security Center (Threat Protection and Threat Detection)|Alerts|Azure Security data export to SIEM - Pipeline Configuration - Preview|
|Azure Active Directory Identity Protection|Audit logs|Integrate Azure Active Directory audit logs|
|Azure Advanced Threat Analytics|Log integration|ATA SIEM log reference|
Audit logging must be turned on
Make sure audit logging is turned on before you configure SIEM server integration.
For SharePoint Online, OneDrive for Business, and Azure Active Directory, audit logging is turned on in the Security & Compliance Center.
For Exchange Online, audit logging is turned on with Windows PowerShell.
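One way to carry out the Exchange Online step, as an added example that is not from the original page: it checks the tenant's audit settings, lists user mailboxes that still have auditing off, and enables it for them. It assumes the ExchangeOnlineManagement module is installed; the admin address is a placeholder.

```powershell
# Added example (not from the original page). Assumes the
# ExchangeOnlineManagement module and an account allowed to run
# Get-Mailbox / Set-Mailbox. The sign-in address is a placeholder.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'

# 1. Tenant-level checks. Run these in Exchange Online PowerShell,
#    which is the session opened above.
$adminCfg = Get-AdminAuditLogConfig
if (-not $adminCfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning 'Unified audit log ingestion is off; the SIEM will receive no audit records.'
}
if ((Get-OrganizationConfig).AuditDisabled) {
    Write-Warning 'Mailbox auditing is disabled organization-wide.'
}

# 2. Find user mailboxes that do not have auditing enabled.
$unaudited = @(
    Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
        Where-Object { -not $_.AuditEnabled }
)
'{0} user mailbox(es) without auditing' -f $unaudited.Count

# 3. Enable auditing on each one. -WhatIf only previews the change;
#    remove it to apply.
foreach ($mbx in $unaudited) {
    Set-Mailbox -Identity $mbx.Identity -AuditEnabled $true -WhatIf
}

# 4. Report the resulting state so it can be kept with the SIEM
#    onboarding record.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Select-Object UserPrincipalName, AuditEnabled, AuditLogAgeLimit |
    Sort-Object AuditEnabled, UserPrincipalName |
    Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Re-run steps 2 and 4 after new mailboxes are provisioned, since a mailbox created with auditing off produces no mailbox audit records for the SIEM to collect.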