SIEM integration with Microsoft Defender for Office 365
Did you know you can try the features in Microsoft Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft Defender portal trials hub. Learn about who can sign up and the trial terms here.
If your organization uses a security information and event management (SIEM) server, you can integrate Microsoft Defender for Office 365 with it. You set up this integration by using the Office 365 Management Activity API.
SIEM integration enables you to view information, such as malware or phish detected by Microsoft Defender for Office 365, in your SIEM server reports.
- To see an example of SIEM integration with Microsoft Defender for Office 365, see Tech Community blog: Improve the Effectiveness of your SOC with Defender for Office 365 and the O365 Management API.
- To learn more about the Office 365 Management APIs, see Office 365 Management APIs overview.
How SIEM integration works
The Office 365 Management Activity API retrieves information about user, admin, system, and policy actions and events from your organization's Microsoft 365 and Microsoft Entra activity logs. If your organization has Microsoft Defender for Office 365 Plan 1 or 2, or Office 365 E5, you can use the Microsoft Defender for Office 365 schema.
Recently, events from automated investigation and response capabilities in Microsoft Defender for Office 365 Plan 2 were added to the Office 365 Management Activity API. In addition to including data about core investigation details such as ID, name and status, the API also contains high-level information about investigation actions and entities.
The SIEM server (or a similar collector) subscribes to the Audit.General content type and polls it for detection events; each piece of content is a blob of audit records, and the RecordType field of each record identifies which product produced it. To learn more, see Get started with Office 365 Management APIs.
The AuditLogRecordType enumeration (type Edm.Int32), carried in each record's RecordType field, identifies the kind of event. The following table summarizes the values of AuditLogRecordType that are relevant for Microsoft Defender for Office 365 events:

| Value | Member name | Description |
|---|---|---|
| 28 | ThreatIntelligence | Phishing and malware events from Exchange Online Protection and Microsoft Defender for Office 365. |
| 41 | ThreatIntelligenceUrl | Safe Links time-of-block and block override events from Microsoft Defender for Office 365. |
| 47 | ThreatIntelligenceAtpContent | Phishing and malware events for files in SharePoint Online, OneDrive for Business, and Microsoft Teams, from Microsoft Defender for Office 365. |
| 64 | AirInvestigation | Automated investigation and response events, such as investigation details and relevant artifacts, from Microsoft Defender for Office 365 Plan 2. |
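The following script is an added example, not Microsoft's code and not part of the original page. It shows one polling cycle against the Management Activity API as described above: build the subscription-start and content-list URLs for the Audit.General content type, fetch each listed blob, and keep only records whose RecordType is one of the four Defender for Office 365 values in the table, deduplicating on the record Id. It assumes an app registration that has been granted the ActivityFeed.Read application permission on the Office 365 Management APIs and that a bearer token is obtained elsewhere; the HTTP call is injected as a `fetch` callable so the script runs offline. The tenant name `contoso`, the listing, the blob contents and the `sample_fetch` stand-in are all constructed for illustration and do not come from a real tenant.

```python
"""
Poll the Office 365 Management Activity API for Audit.General content and keep
only the Defender for Office 365 record types. Added example, not Microsoft's code.
The HTTP fetch is injected so the script runs offline against a constructed sample.
"""
import json
from datetime import datetime, timedelta
from typing import Callable, Iterable, List, Optional, Set
from urllib.parse import urlencode

API_ROOT = "https://manage.office.com/api/v1.0"
CONTENT_TYPE = "Audit.General"
TIME_FMT = "%Y-%m-%dT%H:%M:%S"

# AuditLogRecordType values that carry Defender for Office 365 events (see table above)
MDO_RECORD_TYPES = {
    28: "ThreatIntelligence",
    41: "ThreatIntelligenceUrl",
    47: "ThreatIntelligenceAtpContent",
    64: "AirInvestigation",
}


def subscription_start_url(tenant_id: str) -> str:
    """The subscription is started once per tenant and content type before content can be listed."""
    return f"{API_ROOT}/{tenant_id}/activity/feed/subscriptions/start?" + urlencode({"contentType": CONTENT_TYPE})


def content_list_url(tenant_id: str, start: datetime, end: datetime) -> str:
    """List content blobs for a window; the API accepts at most 24 hours per request."""
    if not timedelta(0) < end - start <= timedelta(hours=24):
        raise ValueError("window must satisfy 0 < end - start <= 24h")
    query = urlencode({"contentType": CONTENT_TYPE,
                       "startTime": start.strftime(TIME_FMT),
                       "endTime": end.strftime(TIME_FMT)})
    return f"{API_ROOT}/{tenant_id}/activity/feed/subscriptions/content?{query}"


def select_mdo_records(records: Iterable[dict], seen: Set[str]) -> List[dict]:
    """Keep Defender for Office 365 record types only, deduplicating on the record Id."""
    kept = []
    for rec in records:
        rtype, rid = rec.get("RecordType"), rec.get("Id")
        if rtype not in MDO_RECORD_TYPES or rid is None or rid in seen:
            continue
        seen.add(rid)
        kept.append({"id": rid, "time": rec.get("CreationTime"), "record_type": rtype,
                     "record_type_name": MDO_RECORD_TYPES[rtype],
                     "operation": rec.get("Operation"), "raw": rec})  # raw record for the SIEM parser
    return kept


def poll_once(tenant_id: str, start: datetime, end: datetime,
              fetch: Callable[[str], str], seen: Optional[Set[str]] = None) -> List[dict]:
    """One polling cycle: list available blobs, fetch each one, filter. `fetch(url)` returns the body."""
    seen = set() if seen is None else seen
    listing = json.loads(fetch(content_list_url(tenant_id, start, end)))
    events: List[dict] = []
    for entry in listing:
        if entry.get("contentType") != CONTENT_TYPE:
            continue
        blob = json.loads(fetch(entry["contentUri"]))  # each blob is a JSON array of audit records
        events.extend(select_mdo_records(blob, seen))
    return events


# Constructed sample: the shape of a content listing and of one blob; values are illustrative only.
SAMPLE_LISTING = [{"contentType": "Audit.General", "contentId": "blob-1",
                   "contentUri": f"{API_ROOT}/contoso/activity/feed/audit/blob-1",
                   "contentCreated": "2024-05-01T10:05:00.000Z",
                   "contentExpiration": "2024-05-08T10:05:00.000Z"}]
SAMPLE_BLOB = [
    {"Id": "e1", "CreationTime": "2024-05-01T10:01:12", "RecordType": 28, "Operation": "TIMailData",
     "Workload": "ThreatIntelligence", "Verdict": "Phish", "Subject": "Invoice overdue",
     "P1Sender": "billing@example.net", "Recipients": ["alice@contoso.example"]},
    {"Id": "e2", "CreationTime": "2024-05-01T10:02:40", "RecordType": 41, "Operation": "TIUrlClickData",
     "Workload": "ThreatIntelligence", "UserId": "alice@contoso.example",
     "Url": "https://example.net/login", "UrlClickAction": "Blockpage"},
    {"Id": "e3", "CreationTime": "2024-05-01T10:03:05", "RecordType": 64, "Operation": "AirInvestigationData",
     "Workload": "AirInvestigation", "InvestigationName": "Phish delivered", "Status": "Running"},
    {"Id": "e4", "CreationTime": "2024-05-01T10:03:30", "RecordType": 15, "Operation": "UserLoggedIn",
     "Workload": "AzureActiveDirectory"},  # not a Defender for Office 365 record type: dropped
    {"Id": "e1", "CreationTime": "2024-05-01T10:01:12", "RecordType": 28, "Operation": "TIMailData",
     "Workload": "ThreatIntelligence"},  # duplicate delivery of e1: dropped
]


def sample_fetch(url: str) -> str:
    """Stand-in for an authenticated HTTP GET (bearer token from the app registration)."""
    if "/subscriptions/content?" in url:
        return json.dumps(SAMPLE_LISTING)
    if url == SAMPLE_LISTING[0]["contentUri"]:
        return json.dumps(SAMPLE_BLOB)
    raise LookupError(f"unexpected url {url}")


def run_sample() -> List[dict]:
    start = datetime(2024, 5, 1, 0, 0, 0)
    return poll_once("contoso", start, start + timedelta(hours=12), sample_fetch)


if __name__ == "__main__":
    for ev in run_sample():
        print(ev["time"], ev["record_type"], ev["record_type_name"], ev["operation"])
```

In a real collector, `fetch` would be an HTTP GET with an `Authorization: Bearer` header, the listing call would follow the `NextPageUri` response header when more than one page of content is available, and the `seen` set would be persisted across cycles, because the 24-hour listing windows of successive polls normally overlap. Content blobs are only retained by the service for a limited time, so a collector that falls behind needs to be noticed by the SOC rather than silently losing detections.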
You must have either the Global Administrator or the Security Administrator role assigned in the Microsoft Defender portal to set up SIEM integration with Microsoft Defender for Office 365; Security Administrator is sufficient and is the less privileged of the two. For more information, see Permissions in the Microsoft Defender portal.
Audit logging must be turned on for your Microsoft 365 environment (it's on by default). To verify that audit logging is turned on or to turn it on, see Turn auditing on or off.