On-Prem Microsoft 365 integration Sentinel

Dogukan Ucer 0 Reputation points
2025-05-06T12:28:14.3833333+00:00

Hello Guys,

I am new to the Microsoft security world, so I don't know how I can integrate a Microsoft Exchange 365 on-prem server with Azure Sentinel. Can you help me please? I have demo environments. Should I deploy the AMA agent inside the server to send logs to my Sentinel, or how can I do that? Do you have any documentation or experience you can share with me please? And what should I configure, or what limitations are there, to get logs that will be useful to analyze?

Thanks so much right now

Microsoft Sentinel

1 answer

  1. Sakshi Devkante 3,985 Reputation points Microsoft External Staff Moderator
    2025-05-06T14:44:24.4633333+00:00

    Hello Dogukan Ucer,

    Based on your description, it seems your goal is to forward relevant logs from your Exchange on-premises servers to Microsoft Sentinel for centralized monitoring, detection, and analysis of potential threats within your messaging infrastructure.
    Below are the approach and requirements for integrating your Microsoft Exchange Server (on-premises) environment with Microsoft Sentinel.

    Since Microsoft Exchange on-premises does not have a native Sentinel data connector, we recommend leveraging the Azure Monitor Agent (AMA) to collect and forward critical logs to your Sentinel workspace via a Log Analytics Workspace.
    Exchange-security-insights-on-premises-collector
    Microsoft-exchange-logs-and-events
    Microsoft-exchange-message-tracking-logs

    Deploy Azure Monitor Agent (AMA): Azure-monitor-agent-overview
    A Log Analytics workspace connected to Sentinel.
    Network access from your on-prem Exchange servers to Azure (HTTPS: 443).
    A demo VM with Exchange installed is fine for this setup.

    Download the AMA agent directly on your Exchange Server(s)
    Azure-monitor-agent-manage
    Revolutionizing log collection with Azure Monitor Agent

    Use Azure Arc if your server isn't already in Azure: https://learn.microsoft.com/en-us/azure/azure-arc/servers/overview

    After installation, configure a Data Collection Rule (DCR) to specify which logs to collect and forward: data-collection-rule-overview

    Logs You Should Collect:
      1. Windows Event Logs:
         - Security logs (login attempts – Event IDs 4624, 4625)
         - Application & System logs (Exchange service issues)
      2. IIS Logs (for services like OWA, EWS)
         - Logs typically located at: C:\inetpub\logs\LogFiles
      3. Message Tracking Logs (message-tracking)
         - Located at: C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking
         - Requires custom ingestion (e.g., via script or scheduled task)
      4. Mailbox Audit Logs (Mailbox-audit-logs)
         - Must be enabled for each mailbox

    Once logs arrive in Sentinel:
      - Use built-in Exchange detection rules (for Exchange Online, mainly).
      - Create custom KQL queries for patterns in your on-prem logs:
        https://learn.microsoft.com/en-us/azure/sentinel/create-analytics-rules?tabs=defender-portal

    Best Practices and Considerations:
    Best practices for partners integrating with Microsoft Sentinel
    Connect Microsoft Sentinel to other Microsoft services

    I hope this clarifies things.

    1 person found this answer helpful.
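As an added example (not code from the answer above or from Microsoft), here is a Python parser for the message tracking log layout that point 3 says needs custom ingestion: it reads the `#Fields:` header, splits the rows, unpacks multi-recipient entries, and flattens them into the JSON array shape the Azure Monitor Logs Ingestion API expects. The sample log (a subset of the real columns) and the custom-table column names are constructed assumptions.

```python
import csv

# Constructed sample in the Exchange message tracking log layout (a subset of the real
# columns, made up for this example): '#' header lines, a '#Fields:' line naming the
# columns, then one CSV row per transport event.
SAMPLE_LOG = """#Software: Microsoft Exchange Server
#Version: 15.0.0.0
#Log-type: Message Tracking Log
#Date: 2025-05-06T00:00:00.000Z
#Fields: date-time,client-ip,client-hostname,server-ip,server-hostname,source-context,connector-id,source,event-id,internal-message-id,message-id,network-message-id,recipient-address,recipient-status,total-bytes,recipient-count,related-recipient-address,reference,message-subject,sender-address,return-path,message-info,directionality
2025-05-06T12:01:02.123Z,10.0.0.5,CLIENT01,10.0.0.10,EXCH01,,Default Frontend EXCH01,SMTP,RECEIVE,1,<a1@example.com>,6f1c0000-0000-0000-0000-000000000001,alice@example.com;bob@example.com,,2048,2,,,"Quarterly report, draft",carol@example.com,carol@example.com,,Originating
2025-05-06T12:01:03.500Z,,EXCH01,10.0.0.10,EXCH01,,Outbound to Internet,SMTP,SEND,1,<a1@example.com>,6f1c0000-0000-0000-0000-000000000001,alice@example.com,250 2.6.0 OK,2048,1,,,Quarterly report draft,carol@example.com,carol@example.com,,Originating
"""

def parse_message_tracking(text):
    """Return one dict per data row, keyed by the column names from the '#Fields:' line."""
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue  # other '#' lines are file metadata, not events
        if fields is None:
            raise ValueError("data row encountered before the #Fields header")
        row = next(csv.reader([line]))  # csv handles quoted subjects that contain commas
        if len(row) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(row)}: {line[:40]}")
        rec = dict(zip(fields, row))
        # recipient-address packs several recipients into one column, ';'-separated
        rec["recipient-address"] = [r for r in rec["recipient-address"].split(";") if r]
        records.append(rec)
    return records

def to_ingestion_payload(records):
    """Flatten records into the JSON array of objects the Logs Ingestion API accepts.
    Column names are an assumed custom-table schema; TimeGenerated is required."""
    return [{
        "TimeGenerated": r["date-time"],
        "EventId": r["event-id"],
        "Sender": r["sender-address"],
        "Recipients": r["recipient-address"],
        "RecipientStatus": r["recipient-status"],
        "Subject": r["message-subject"],
        "MessageId": r["message-id"],
    } for r in records]
```

A scheduled task would run this over the files under the MessageTracking folder and POST `json.dumps(to_ingestion_payload(...))` to the DCR endpoint for the custom table.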
