Integrate communication compliance with SIEM solutions

If your organization uses a security information and event management (SIEM) tool like Microsoft Sentinel or Splunk, you can bring Communication Compliance data into those tools using Microsoft 365 Audit. This integration gives your security and compliance teams a unified view of alerts. It allows you to track inappropriate or risky messages alongside other threat signals in your environment.

How the integration works

When a message matches a communication compliance policy, such as for offensive language or sharing confidential information, the event is recorded in Microsoft 365 Audit. The audit entry includes metadata about the policy, the user, and the content that triggered the match. Your SIEM tool ingests these entries from Microsoft 365 Audit, allowing your security team to query and correlate the activity with other logged events.

For example:

  • A user sends an inappropriate message in Teams.
  • The message matches a Communication Compliance policy.
  • Microsoft 365 Audit logs the match with a SupervisionRuleMatch operation.
  • Your SIEM tool ingests the audit event.
  • Analysts investigate the alert in the SIEM, then return to Communication Compliance to remediate it.

Note

There can be up to a 24-hour delay between when a match is logged in Microsoft 365 Audit and when it's visible in Communication Compliance.

View alerts in Microsoft Sentinel

To surface Communication Compliance matches in Microsoft Sentinel:

  1. Onboard to Microsoft Sentinel and connect Microsoft 365 as a data source.

  2. In the Microsoft Office 365 data connector, make sure Exchange is selected.

  3. Use a Kusto Query Language (KQL) query like this to retrieve matches:

    OfficeActivity
    | where OfficeWorkload == "Exchange" and Operation == "SupervisionRuleMatch"
    | sort by TimeGenerated

    To filter for a specific user, substitute that user's sign-in address (the UserId value) for the placeholder:

    OfficeActivity
    | where OfficeWorkload == "Exchange" and Operation == "SupervisionRuleMatch" and UserId == "<user-principal-name>"
    | sort by TimeGenerated

View alerts in Splunk

To view Communication Compliance matches in Splunk:

  1. Install the Splunk Add-on for Microsoft Office 365.

  2. Register an app in Microsoft Entra ID to support the integration.

  3. Run a search like:

    index=* sourcetype="o365:management:activity" Workload=Exchange Operation=SupervisionRuleMatch

    To filter by policy name:

    index=* sourcetype="o365:management:activity" Workload=Exchange Operation=SupervisionRuleMatch SRPolicyMatchDetails.SRPolicyName="Inappropriate content"

Use PowerShell or the Management API

If you're integrating with another SIEM or automation system, you can retrieve audit data using PowerShell or the Office 365 Management Activity API.

To filter for Communication Compliance events:

  • Operation: SupervisionRuleMatch

  • RecordType: ComplianceSupervisionExchange

PowerShell examples (the variables $startDate and $endDate hold the search window as DateTime values):

    Search-UnifiedAuditLog -StartDate $startDate -EndDate $endDate -Operations SupervisionRuleMatch

    Search-UnifiedAuditLog -StartDate $startDate -EndDate $endDate -RecordType ComplianceSupervisionExchange
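When the target is a SIEM or automation system without a ready-made connector, the audit records arrive as JSON (the AuditData of each Search-UnifiedAuditLog result, or the content blobs the Management Activity API returns) and the filtering shown above in KQL and Splunk search has to be done in your own code. The following Python is an added example, not Microsoft code or anything from this page; it takes only the Operation, RecordType, UserId and SRPolicyMatchDetails.SRPolicyName field names from the page, while every other field, the shape of SRPolicyMatchDetails (object or array, both accepted) and all sample records are constructed assumptions.

```python
"""Filter Microsoft 365 audit JSON for Communication Compliance matches.

Added example, not Microsoft documentation or product code. Field names other
than Operation, RecordType, UserId and SRPolicyMatchDetails.SRPolicyName are
assumptions, and the sample records below are constructed, not real audit data.
"""
import json
from collections import Counter

SUPERVISION_OPERATION = "SupervisionRuleMatch"
SUPERVISION_RECORD_TYPE = "ComplianceSupervisionExchange"

# Constructed sample AuditData blobs: two Communication Compliance matches and
# one unrelated Exchange event that a Workload-only filter would let through.
SAMPLE_AUDIT_DATA = [
    json.dumps({
        "CreationTime": "2024-05-01T09:15:00",
        "Operation": "SupervisionRuleMatch",
        "RecordType": "ComplianceSupervisionExchange",
        "Workload": "Exchange",
        "UserId": "alice@contoso.com",
        "SRPolicyMatchDetails": {"SRPolicyName": "Inappropriate content"},
    }),
    json.dumps({
        "CreationTime": "2024-05-01T11:40:00",
        "Operation": "SupervisionRuleMatch",
        "RecordType": "ComplianceSupervisionExchange",
        "Workload": "Exchange",
        "UserId": "bob@contoso.com",
        "SRPolicyMatchDetails": [{"SRPolicyName": "Confidential information"}],
    }),
    json.dumps({
        "CreationTime": "2024-05-01T12:00:00",
        "Operation": "MailItemsAccessed",
        "RecordType": "ExchangeItem",
        "Workload": "Exchange",
        "UserId": "alice@contoso.com",
    }),
]


def policy_names(record):
    """Return the policy names under SRPolicyMatchDetails.

    The page only shows Splunk dot-notation for the field, so whether it is a
    single object or an array is assumed here; both shapes are handled.
    """
    details = record.get("SRPolicyMatchDetails") or []
    if isinstance(details, dict):
        details = [details]
    return [d.get("SRPolicyName", "") for d in details if isinstance(d, dict)]


def is_supervision_match(record):
    """True only when both Operation and RecordType identify a policy match,
    so an unrelated Exchange event is never mistaken for one."""
    return (record.get("Operation") == SUPERVISION_OPERATION
            and record.get("RecordType") == SUPERVISION_RECORD_TYPE)


def filter_matches(audit_data_blobs, user_id=None, policy_name=None):
    """Parse AuditData JSON strings and keep SupervisionRuleMatch records,
    optionally narrowed to one user (UserId) or one policy name."""
    matches = []
    for blob in audit_data_blobs:
        try:
            record = json.loads(blob)
        except json.JSONDecodeError:
            continue  # malformed export line: skip it rather than abort the run
        if not is_supervision_match(record):
            continue
        if user_id and record.get("UserId", "").lower() != user_id.lower():
            continue
        if policy_name and policy_name not in policy_names(record):
            continue
        matches.append(record)
    return matches


def count_by_policy(records):
    """Matches per policy name, the figure a SIEM dashboard tile would show."""
    counter = Counter()
    for record in records:
        counter.update(policy_names(record))
    return dict(counter)


def to_siem_event(record):
    """Flatten one match into the fields an analyst pivots on (CreationTime is
    assumed to be the UTC timestamp the audit record carries)."""
    return {
        "time_utc": record.get("CreationTime", ""),
        "user": record.get("UserId", ""),
        "policies": ";".join(policy_names(record)),
        "operation": record.get("Operation", ""),
    }


if __name__ == "__main__":
    matches = filter_matches(SAMPLE_AUDIT_DATA)
    for event in map(to_siem_event, matches):
        print(event)
    print(count_by_policy(matches))
```

Checking RecordType together with Operation mirrors the two PowerShell filters above and keeps unrelated Exchange events out of the alert feed; the user filter is case-insensitive because sign-in addresses are compared that way in practice, and malformed lines are skipped so one bad export row does not stop the ingestion job.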