Security Information and Event Management (SIEM) server integration with Microsoft 365 services and applications


Did you know you can try the features in Microsoft Defender XDR for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft Defender portal trials hub. Learn about who can sign up and trial terms here.


Is your organization using or planning to get a Security Information and Event Management (SIEM) server? You might be wondering how it integrates with Microsoft 365 or Office 365. This article provides a list of resources you can use to integrate your SIEM server with Microsoft 365 services and applications.


If you don't have a SIEM server yet and are exploring your options, consider Microsoft Sentinel.

Do I need a SIEM server?

Whether you need a SIEM server depends on many factors, such as your organization's security requirements and where your data resides. Microsoft 365 includes a wide variety of security features that meet many organizations' security needs without additional servers, such as a SIEM server. Some organizations have special circumstances that require the use of a SIEM server. Here are some examples:

  • Fabrikam has some content and applications on premises, and some in the cloud (they have a hybrid cloud deployment). To get security reports for all of their content and applications, Fabrikam implemented a SIEM server.
  • Contoso is a financial services organization that has stringent security requirements. They added a SIEM server to their environment to take advantage of the extra security protections they require.

SIEM server integration with Microsoft 365

A SIEM server can receive data from a wide variety of Microsoft 365 services and applications. The following table lists several Microsoft 365 services and applications, along with SIEM server inputs and resources to learn more.

Microsoft 365 Service or Application SIEM server inputs/methods Resources to learn more
Microsoft Defender for Office 365 Audit logs SIEM integration with Microsoft Defender for Office 365
Microsoft Defender for Endpoint HTTPS endpoint hosted in Azure


Pull alerts to your SIEM tools
Microsoft Defender for Cloud Apps Log integration SIEM integration with Microsoft Defender for Cloud Apps


Take a look at Microsoft Sentinel. Microsoft Sentinel comes with connectors for Microsoft solutions. These connectors are available "out of the box" and provide for real-time integration. You can use Microsoft Sentinel with your Microsoft Defender XDR solutions and Microsoft 365 services, including Office 365, Microsoft Entra ID, Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, and more.

Audit logging must be turned on

Make sure that audit logging is turned on before you configure SIEM server integration:

Integration steps if your SIEM is Microsoft Sentinel

Verify the following requirements:

  • Your current Microsoft 365 subscription (for example, Microsoft Defender for Office 365 Plan 2) allows for Microsoft Sentinel integration.
  • Your account in Microsoft Defender for Office 365 or Microsoft Defender XDR is a Security Administrator.
  • Verify that you have Write permissions in Microsoft Sentinel.
  1. Navigate to Microsoft Sentinel.

  2. On the navigation to the left of the screen Configuration > Data connectors.

  3. Search for Microsoft Defender XDR and select the Microsoft Defender XDR (preview) connector.

  4. On the right of your screen select Open Connector Page.

  5. Under Configuration > select Connect incidents & alerts

    Turn off all Microsoft incident creation rules for the products currently selected.

  6. Scroll to Microsoft Defender for Office 365 in the Connect events section of the page.

    You can choose tables from any other Microsoft Defender product you find helpful and applicable while completing the following final step:

  7. Select EmailEvents, EmailUrlInfo, EmailAttachmentInfo, and EmailPostDeliveryEvents > and Apply Changes.

More resources

Integrate security solutions in Microsoft Defender for Cloud

Integrate Microsoft Graph Security API alerts with a SIEM