SIEM integration with Microsoft Defender for Office 365
Tip
Did you know you can try the features in Microsoft Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft Defender portal trials hub. Learn about who can sign up and trial terms on Try Microsoft Defender for Office 365.
If your organization is using a security information and event management (SIEM) server, you can integrate Microsoft Defender for Office 365 with your SIEM server. You can set up this integration by using the Office 365 Management Activity API.
SIEM integration enables you to view information, such as malware or phish detected by Microsoft Defender for Office 365, in your SIEM server reports.
- To see an example of SIEM integration with Microsoft Defender for Office 365, see Tech Community blog: Improve the Effectiveness of your SOC with Defender for Office 365 and the O365 Management API.
- To learn more about the Office 365 Management APIs, see Office 365 Management APIs overview.
How SIEM integration works
The Office 365 Management Activity API retrieves information about user, admin, system, and policy actions and events from your organization's Microsoft 365 and Microsoft Entra activity logs. If your organization has Microsoft Defender for Office 365 Plan 1 or 2, or Office 365 E5, you can use the Microsoft Defender for Office 365 schema.
Recently, events from automated investigation and response capabilities in Microsoft Defender for Office 365 Plan 2 were added to the Office 365 Management Activity API. In addition to including data about core investigation details such as ID, name and status, the API also contains high-level information about investigation actions and entities.
The SIEM server or other similar system polls the Audit.General content type of the Management Activity API to access detection events. To learn more, see Get started with Office 365 Management APIs.
AuditLogRecordType (enum, type Edm.Int32)
The following table summarizes the values of AuditLogRecordType that are relevant for Microsoft Defender for Office 365 events:
| Value | Member name | Description |
|---|---|---|
| 28 | ThreatIntelligence | Phishing and malware events from Exchange Online Protection and Microsoft Defender for Office 365. |
| 41 | ThreatIntelligenceUrl | Safe Links time-of-block and block override events from Microsoft Defender for Office 365. |
| 47 | ThreatIntelligenceAtpContent | Phishing and malware events for files in SharePoint Online, OneDrive for Business, and Microsoft Teams, from Microsoft Defender for Office 365. |
| 64 | AirInvestigation | Automated investigation and response events, such as investigation details and relevant artifacts, from Microsoft Defender for Office 365 Plan 2. |
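The polling loop described above (list the Audit.General content blobs for a time window, fetch each blob, keep the records whose RecordType is one of the four Defender for Office 365 values in the table), as an added example in Python. This is not Microsoft's code or a Microsoft SDK: the endpoint paths, the Audit.General content type and the common-schema fields (RecordType, Id, CreationTime, Operation, Workload) follow the public Management Activity API reference, while the tenant ID, bearer token, blob URI and audit records used by `run_demo()` are constructed so the block runs offline.

```python
"""Poll the Office 365 Management Activity API for Defender for Office 365 events.

Added example, not Microsoft's code. Endpoint paths, the Audit.General content
type and the common-schema record fields follow the public API reference; the
tenant ID, token, blob URI and audit records in run_demo() are constructed.
"""
import json
import urllib.request
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

API_ROOT = "https://manage.office.com/api/v1.0"
CONTENT_TYPE = "Audit.General"  # the content type that carries Defender for Office 365 detections

# AuditLogRecordType values relevant to Defender for Office 365 (see the table above).
DEFENDER_RECORD_TYPES = {
    28: "ThreatIntelligence",
    41: "ThreatIntelligenceUrl",
    47: "ThreatIntelligenceAtpContent",
    64: "AirInvestigation",
}


def subscription_start_url(tenant_id):
    """URL to POST once to enable the Audit.General subscription for the tenant."""
    return f"{API_ROOT}/{tenant_id}/activity/feed/subscriptions/start?" + urlencode(
        {"contentType": CONTENT_TYPE})


def content_list_url(tenant_id, start, end):
    """URL to GET the blobs that became available between start and end.

    The API rejects windows longer than 24 hours and retains content for only
    7 days, so a poller walks its backlog in 24-hour chunks and checkpoints the
    last end time it processed.
    """
    if end <= start or end - start > timedelta(hours=24):
        raise ValueError("window must be positive and at most 24 hours")
    fmt = "%Y-%m-%dT%H:%M:%S"
    return f"{API_ROOT}/{tenant_id}/activity/feed/subscriptions/content?" + urlencode(
        {"contentType": CONTENT_TYPE, "startTime": start.strftime(fmt), "endTime": end.strftime(fmt)})


def http_get_json(url, headers):
    """Default transport: GET the URL with the bearer token and parse the JSON body."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def extract_defender_events(records):
    """Keep only Defender for Office 365 record types and flatten them for a SIEM."""
    events = []
    for rec in records:
        name = DEFENDER_RECORD_TYPES.get(rec.get("RecordType"))
        if name is None:
            continue  # other workloads (Exchange admin, SharePoint, ...) share Audit.General
        events.append({
            "timestamp": rec["CreationTime"],
            "record_id": rec["Id"],
            "record_type": name,
            "operation": rec.get("Operation"),
            "workload": rec.get("Workload"),
            "raw": rec,
        })
    return events


def poll_defender_events(tenant_id, token, start, end, http_get=http_get_json):
    """List blobs for the window, fetch each one, return the Defender events it holds.

    The list call can also paginate via the NextPageUri response header;
    a production poller must follow it until the header is absent.
    """
    headers = {"Authorization": f"Bearer {token}"}
    events = []
    for blob in http_get(content_list_url(tenant_id, start, end), headers):
        events.extend(extract_defender_events(http_get(blob["contentUri"], headers)))
    # Overlapping windows can return the same blob twice, so deduplicate on record Id.
    seen, unique = set(), []
    for ev in events:
        if ev["record_id"] not in seen:
            seen.add(ev["record_id"])
            unique.append(ev)
    return unique


def run_demo():
    """Run the poller offline against a constructed blob list and audit records."""
    tenant = "00000000-0000-0000-0000-000000000000"  # constructed tenant ID
    blob_uri = f"{API_ROOT}/{tenant}/activity/feed/audit/blob-demo-1"  # constructed
    records = [  # constructed records; Operation values are illustrative only
        {"Id": "r1", "RecordType": 28, "CreationTime": "2024-01-15T10:03:11",
         "Operation": "TIMailData", "Workload": "ThreatIntelligence"},
        {"Id": "r2", "RecordType": 1, "CreationTime": "2024-01-15T10:04:00",
         "Operation": "Set-Mailbox", "Workload": "Exchange"},
        {"Id": "r3", "RecordType": 41, "CreationTime": "2024-01-15T10:05:42",
         "Operation": "TIUrlClickData", "Workload": "ThreatIntelligence"},
        {"Id": "r4", "RecordType": 64, "CreationTime": "2024-01-15T10:09:00",
         "Operation": "AirInvestigationData", "Workload": "AirInvestigation"},
    ]

    def fake_get(url, headers):  # stands in for http_get_json; never touches the network
        assert headers["Authorization"].startswith("Bearer ")
        if "/subscriptions/content?" in url:
            return [{"contentUri": blob_uri, "contentType": CONTENT_TYPE}]
        return records

    start = datetime(2024, 1, 15, tzinfo=timezone.utc)
    return poll_defender_events(tenant, "constructed-token", start, start + timedelta(hours=12), fake_get)


if __name__ == "__main__":
    for ev in run_demo():
        print(json.dumps({k: v for k, v in ev.items() if k != "raw"}))
```

To run this against a real tenant, obtain an app-only token for the `https://manage.office.com` resource (the app registration needs the ActivityFeed.Read application permission with admin consent), POST once to `subscription_start_url()`, then call `poll_defender_events()` with the default transport. Only the record types in the table are forwarded; everything else in Audit.General is dropped before it reaches the SIEM, and the `raw` field keeps the full record for the Defender for Office 365 schema-specific properties.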
Important
You must have either the Global Administrator* or Security Administrator role assigned to set up SIEM integration with Microsoft Defender for Office 365. For more information, see Permissions in the Microsoft Defender portal.
*Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
Audit logging must be turned on for your Microsoft 365 environment (it's on by default). To verify that audit logging is turned on or to turn it on, see Turn auditing on or off.