SIEM integration with Microsoft Defender for Office 365

Tip

Did you know you can try the features in Microsoft Defender XDR for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft Defender portal trials hub. Learn about who can sign up and trial terms on Try Microsoft Defender for Office 365.

If your organization uses a security information and event management (SIEM) server, you can integrate Microsoft Defender for Office 365 with it. You set up this integration by using the Office 365 Management Activity API.

SIEM integration enables you to view information, such as malware or phishing detected by Microsoft Defender for Office 365, in your SIEM server reports.

How SIEM integration works

The Office 365 Management Activity API retrieves information about user, admin, system, and policy actions and events from your organization's Microsoft 365 and Microsoft Entra activity logs. If your organization has Microsoft Defender for Office 365 Plan 1 or 2, or Office 365 E5, you can use the Microsoft Defender for Office 365 schema.

Recently, events from automated investigation and response capabilities in Microsoft Defender for Office 365 Plan 2 were added to the Office 365 Management Activity API. In addition to data about core investigation details such as ID, name, and status, the API also contains high-level information about investigation actions and entities.

The SIEM server, or another similar system, polls the Audit.General content type (the audit.general workload) to retrieve detection events. To learn more, see Get started with Office 365 Management APIs.

Enum: AuditLogRecordType (Type: Edm.Int32)

The following table summarizes the values of AuditLogRecordType that are relevant for Microsoft Defender for Office 365 events:

Value  Member name                   Description
-----  ----------------------------  ------------------------------------------------------------
28     ThreatIntelligence            Phishing and malware events from Exchange Online Protection and Microsoft Defender for Office 365.
41     ThreatIntelligenceUrl         Safe Links time-of-block and block override events from Microsoft Defender for Office 365.
47     ThreatIntelligenceAtpContent  Phishing and malware events for files in SharePoint Online, OneDrive for Business, and Microsoft Teams, from Microsoft Defender for Office 365.
64     AirInvestigation              Automated investigation and response events, such as investigation details and relevant artifacts, from Microsoft Defender for Office 365 Plan 2.
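The following is an added example, not code from this article or from Microsoft, showing how a SIEM collector that polls Audit.General would keep only the four Defender for Office 365 record types listed above and drop records it has already forwarded (content blobs retrieved on successive polls can overlap). The content blob is a constructed sample that uses only common-schema fields; the tenant ID in the URL helper is a placeholder.

```python
import json

# AuditLogRecordType values relevant to Defender for Office 365 (from the table above).
DEFENDER_RECORD_TYPES = {
    28: "ThreatIntelligence",
    41: "ThreatIntelligenceUrl",
    47: "ThreatIntelligenceAtpContent",
    64: "AirInvestigation",
}

# Constructed sample of one Audit.General content blob: a JSON array of audit records.
# Record "a1" appears twice to simulate overlap between two polls, and RecordType 15
# (a sign-in event) is present to show that non-Defender records are filtered out.
SAMPLE_CONTENT_BLOB = json.dumps([
    {"Id": "a1", "RecordType": 28, "CreationTime": "2024-05-01T10:00:00",
     "Operation": "TIMailData", "Workload": "ThreatIntelligence"},
    {"Id": "b2", "RecordType": 41, "CreationTime": "2024-05-01T10:01:00",
     "Operation": "TIUrlClickData", "Workload": "ThreatIntelligence"},
    {"Id": "c3", "RecordType": 15, "CreationTime": "2024-05-01T10:02:00",
     "Operation": "UserLoggedIn", "Workload": "AzureActiveDirectory"},
    {"Id": "a1", "RecordType": 28, "CreationTime": "2024-05-01T10:00:00",
     "Operation": "TIMailData", "Workload": "ThreatIntelligence"},
    {"Id": "d4", "RecordType": 64, "CreationTime": "2024-05-01T10:05:00",
     "Operation": "AirInvestigationData", "Workload": "ThreatIntelligence"},
])


def content_list_url(tenant_id: str, start_time: str, end_time: str) -> str:
    """URL for listing available Audit.General content blobs in a time window.
    Assumes the manage.office.com endpoint; tenant_id is supplied by the caller."""
    return (f"https://manage.office.com/api/v1.0/{tenant_id}/activity/feed/subscriptions/content"
            f"?contentType=Audit.General&startTime={start_time}&endTime={end_time}")


def select_defender_events(content_blob: str, seen_ids: set) -> list:
    """Parse one content blob, keep only Defender for Office 365 record types,
    skip records already forwarded (tracked in seen_ids across polls), and tag
    each kept record with its AuditLogRecordType member name for the SIEM."""
    events = []
    for rec in json.loads(content_blob):
        rtype = rec.get("RecordType")
        if rtype not in DEFENDER_RECORD_TYPES or rec["Id"] in seen_ids:
            continue
        seen_ids.add(rec["Id"])
        events.append({**rec, "RecordTypeName": DEFENDER_RECORD_TYPES[rtype]})
    return events


if __name__ == "__main__":
    forwarded = set()
    for event in select_defender_events(SAMPLE_CONTENT_BLOB, forwarded):
        print(event["Id"], event["RecordTypeName"], event["Operation"])
```

In a real collector, each content URI returned by the listing call is fetched with a bearer token and its body passed to select_defender_events, with the seen-ID set persisted between polls.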

Important

You must have either the Global Administrator* or Security Administrator role assigned to set up SIEM integration with Microsoft Defender for Office 365. For more information, see Permissions in the Microsoft Defender portal.

*Microsoft recommends that you use roles with the fewest permissions. Using lower-privileged accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.

Audit logging must be turned on for your Microsoft 365 environment (it's on by default). To verify that audit logging is turned on or to turn it on, see Turn auditing on or off.

See also

Office 365 threat investigation and response

Automated investigation and response (AIR) in Office 365