Security Information and Event Management (SIEM) server integration with Microsoft 365 services and applications
Tip
Did you know you can try the features in Microsoft Defender XDR for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft Defender portal trials hub. Learn about who can sign up and trial terms here.
Summary
Is your organization using or planning to get a Security Information and Event Management (SIEM) server? You might be wondering how it integrates with Microsoft 365 or Office 365. This article provides a list of resources you can use to integrate your SIEM server with Microsoft 365 services and applications.
Tip
If you don't have a SIEM server yet and are exploring your options, consider Microsoft Sentinel.
Do I need a SIEM server?
Whether you need a SIEM server depends on many factors, such as your organization's security requirements and where your data resides. Microsoft 365 includes a wide variety of security features that meet many organizations' security needs without additional servers, such as a SIEM server. Some organizations have special circumstances that require the use of a SIEM server. Here are some examples:
- Fabrikam has some content and applications on premises, and some in the cloud (they have a hybrid cloud deployment). To get security reports for all of their content and applications, Fabrikam implemented a SIEM server.
- Contoso is a financial services organization that has stringent security requirements. They added a SIEM server to their environment to take advantage of the extra security protections they require.
SIEM server integration with Microsoft 365
A SIEM server can receive data from a wide variety of Microsoft 365 services and applications. The following table lists several Microsoft 365 services and applications, along with SIEM server inputs and resources to learn more.
| Microsoft 365 Service or Application | SIEM server inputs/methods | Resources to learn more |
|---|---|---|
| Microsoft Defender for Office 365 | Audit logs | SIEM integration with Microsoft Defender for Office 365 |
| Microsoft Defender for Endpoint | HTTPS endpoint hosted in Azure REST API |
Pull alerts to your SIEM tools |
| Microsoft Defender for Cloud Apps | Log integration | SIEM integration with Microsoft Defender for Cloud Apps |
Tip
Take a look at Microsoft Sentinel. Microsoft Sentinel comes with connectors for Microsoft solutions. These connectors are available "out of the box" and provide for real-time integration. You can use Microsoft Sentinel with your Microsoft Defender XDR solutions and Microsoft 365 services, including Office 365, Microsoft Entra ID, Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, and more.
Audit logging must be turned on
Make sure that audit logging is turned on before you configure SIEM server integration:
- For SharePoint, OneDrive, and Microsoft Entra ID, see Turn auditing on or off.
- For Exchange Online, see Manage mailbox auditing.
Integration steps if your SIEM is Microsoft Sentinel
Verify the following requirements:
- Your current Microsoft 365 subscription (for example, Microsoft Defender for Office 365 Plan 2) allows for Microsoft Sentinel integration.
- Your account in Microsoft Defender for Office 365 or Microsoft Defender XDR is a Security Administrator.
- Verify that you have Write permissions in Microsoft Sentinel.
Navigate to Microsoft Sentinel.
On the navigation to the left of the screen Configuration > Data connectors.
Search for Microsoft Defender XDR and select the Microsoft Defender XDR (preview) connector.
On the right of your screen select Open Connector Page.
Under Configuration > select Connect incidents & alerts
Turn off all Microsoft incident creation rules for the products currently selected.
Scroll to Microsoft Defender for Office 365 in the Connect events section of the page.
You can choose tables from any other Microsoft Defender product you find helpful and applicable while completing the following final step:
Select EmailEvents, EmailUrlInfo, EmailAttachmentInfo, and EmailPostDeliveryEvents > and Apply Changes.
More resources
Integrate security solutions in Microsoft Defender for Cloud
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for