Security Information and Event Management (SIEM) server integration with Microsoft 365 services and applications

• Applies to:

  ✅ Exchange Online Protection, ✅ Microsoft Defender for Office 365 plan 1 and plan 2, ✅ Microsoft 365 Defender

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365 Defender portal trials hub. Learn about who can sign up and trial terms here.

Summary

Is your organization using or planning to get a Security Information and Event Management (SIEM) server? You might be wondering how it integrates with Microsoft 365 or Office 365. This article provides a list of resources you can use to integrate your SIEM server with Microsoft 365 services and applications.

Tip

If you don't have a SIEM server yet and are exploring your options, consider Microsoft Sentinel.

Do I need a SIEM server?

Whether you need a SIEM server depends on many factors, such as your organization's security requirements and where your data resides. Microsoft 365 includes a wide variety of security features that meet many organizations' security needs without additional servers, such as a SIEM server. Some organizations have special circumstances that require the use of a SIEM server. Here are some examples:

• Fabrikam has some content and applications on premises, and some in the cloud (they have a hybrid cloud deployment). To get security reports across all their content and applications, Fabrikam has implemented a SIEM server.
• Contoso is a financial services organization that has particularly stringent security requirements. They have added a SIEM server to their environment to take advantage of the extra security protection they require.

SIEM server integration with Microsoft 365

A SIEM server can receive data from a wide variety of Microsoft 365 services and applications. The following table lists several Microsoft 365 services and applications, along with SIEM server inputs and resources to learn more.

Microsoft 365 Service or Application	SIEM server inputs/methods	Resources to learn more
Microsoft Defender for Office 365	Audit logs	SIEM integration with Microsoft Defender for Office 365
Microsoft Defender for Endpoint	HTTPS endpoint hosted in Azure REST API	Pull alerts to your SIEM tools
Microsoft Defender for Cloud Apps	Log integration	SIEM integration with Microsoft Defender for Cloud Apps

Tip

Take a look at Microsoft Sentinel. Microsoft Sentinel comes with connectors for Microsoft solutions. These connectors are available "out of the box" and provide for real-time integration. You can use Microsoft Sentinel with your Microsoft 365 Defender solutions and Microsoft 365 services, including Office 365, Azure AD, Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, and more.

Audit logging must be turned on

Make sure that audit logging is turned on before you configure SIEM server integration:

• For SharePoint Online, OneDrive for Business, and Azure Active Directory, see Turn auditing on or off.
• For Exchange Online, see Manage mailbox auditing.

Integration steps if your SIEM is Microsoft Sentinel

Be sure that your current plan allows for Microsoft Sentinel integration (for example, you have Microsoft Defender for Office 365 Plan 2 or higher), and that your account in Microsoft Defender for Office 365 or Microsoft 365 Defender is a Security Administrator. Finally, be sure that you have Write permissions in Microsoft Sentinel.

1. Navigate to Microsoft Sentinel.
2. On the navigation to the left of the screen Configuration > Data connectors.
3. Search for Microsoft 365 Defender and select the Microsoft 365 Defender (preview) connector.
4. On the right of your screen select Open Connector Page.
5. Under Configuration > select Connect incidents & alerts
   1. Turn off all Microsoft incident creation rules for the products currently selected.
6. Scroll to Microsoft Defender for Office 365 in the Connect events section of the page.

Note that you can choose tables from any other Microsoft Defender product you find helpful and applicable while completing the final step, (below).

7. Select EmailEvents, EmailUrlInfo, EmailAttachmentInfo, and EmailPostDeliveryEvents > and Apply Changes.

More resources

Integrate security solutions in Microsoft Defender for Cloud

Integrate Microsoft Graph Security API alerts with a SIEM