Exchange Security Insights On-Premises Collector connector for Microsoft Sentinel
Connector used to push Exchange On-Premises Security configuration for Microsoft Sentinel Analysis
This is autogenerated content. For changes, contact the solution provider.
Connector attributes
| Connector attribute | Description |
|---|---|
| Log Analytics table(s) | ESIExchangeConfig_CL |
| Data collection rules support | Not currently supported |
| Supported by | Community |
Query samples
Count the configuration entries per collection run, grouped by generation instance, entry date and environment (a `summarize` without `count()` would only list the distinct runs, not how many entries each one wrote):

```kusto
ESIExchangeConfig_CL
| summarize count() by GenerationInstanceID_g, EntryDate_s, ESIEnvironment_s
```
Prerequisites
To integrate with Exchange Security Insights On-Premises Collector, make sure you have:
- Service account with the Organization Management role: the service account that launches the script as a scheduled task must be a member of Organization Management to be able to read all the security information the collector needs. Organization Management is the most privileged Exchange role group, so treat this account like any other Exchange administrator: dedicate it to the collector, do not reuse its credentials elsewhere, and restrict where it can log on.
Vendor installation instructions
Parser deployment (when using the Microsoft Exchange Security solution, the parsers are deployed automatically)
Note
This data connector depends on parsers implemented as Kusto functions to work as expected. Follow the steps for each parser to create the Kusto function aliases ExchangeConfiguration and ExchangeEnvironmentList.
- Install the ESI Collector script on a server that has the Exchange Management Shell (Exchange admin PowerShell console)
This is the script that collects the Exchange configuration and pushes it to Microsoft Sentinel.
- Configure the ESI Collector script
Make sure you are a local administrator on the server. Launch the 'setup.ps1' script in 'Run as Administrator' mode to configure the collector. Fill in the Log Analytics (Microsoft Sentinel) workspace information. Fill in the environment name or leave it empty. Choose 'Def' as the default analysis; the other choices are for specific use cases.
- Schedule the ESI Collector script (if the install script did not do it, either because it lacked the permission or because you skipped that step)
The script must be scheduled so that the Exchange configuration is sent to Microsoft Sentinel regularly. We recommend running it once a day. The account used to launch the script must be a member of the Organization Management role group.
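The following PowerShell is an added example, not part of the ESI solution's own scripts: it performs the role-group check and the daily scheduling described in the steps above in one place. It assumes it is run from an elevated Exchange Management Shell on the collector server, that the collector script produced by the installation lives at the placeholder path in `$ScriptPath`, and that the run-as account name in `$ServiceAccount` is a placeholder to replace. The task name, run time and the `-IsGmsa` switch are choices made here, not settings defined by the solution.

```powershell
# Added example: verify that the run-as account holds Organization Management,
# then register a daily scheduled task that runs the ESI collector script.
# Assumptions (placeholders, adjust to your installation):
#   $ScriptPath     - the collector script configured by setup.ps1
#   $ServiceAccount - DOMAIN\name of the service account (append '$' for a gMSA)
param(
    [string]$ScriptPath     = 'C:\ESI\CollectExchSecIns.ps1',
    [string]$ServiceAccount = 'CONTOSO\svc-esi-collector',
    [switch]$IsGmsa,               # group managed service account: no stored password
    [switch]$SkipRoleCheck,        # set if membership comes through a nested group
    [string]$TaskName       = 'ESI Exchange Security Collector',
    [string]$RunAt          = '03:00'
)

if (-not (Test-Path -LiteralPath $ScriptPath)) {
    throw "Collector script not found: $ScriptPath"
}

# Get-RoleGroupMember lists direct members only; membership inherited through a
# nested group is not visible here, hence the -SkipRoleCheck escape hatch.
if (-not $SkipRoleCheck) {
    $sam     = $ServiceAccount.Split('\')[-1].TrimEnd('$')
    $members = Get-RoleGroupMember -Identity 'Organization Management'
    $match   = $members | Where-Object { $_.SamAccountName -eq $sam -or $_.Name -eq $sam }
    if (-not $match) {
        throw "$ServiceAccount is not a direct member of Organization Management; " +
              "add it, or re-run with -SkipRoleCheck if it is a member via a nested group."
    }
}

# Run the collector with the Windows PowerShell host, non-interactively, once a day.
$psExe    = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"
$action   = New-ScheduledTaskAction -Execute $psExe `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy RemoteSigned -File `"$ScriptPath`"" `
    -WorkingDirectory (Split-Path -Parent $ScriptPath)
$trigger  = New-ScheduledTaskTrigger -Daily -At $RunAt
$settings = New-ScheduledTaskSettingsSet -StartWhenAvailable `
    -ExecutionTimeLimit (New-TimeSpan -Hours 2) -MultipleInstances IgnoreNew

if ($IsGmsa) {
    # A gMSA needs no password: the task scheduler retrieves it from AD at run time.
    $principal = New-ScheduledTaskPrincipal -UserId $ServiceAccount -LogonType Password -RunLevel Highest
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
        -Settings $settings -Principal $principal | Out-Null
} else {
    # A regular service account: prompt for the password instead of hard-coding it.
    $cred = Get-Credential -UserName $ServiceAccount -Message 'Password for the ESI collector account'
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
        -Settings $settings -User $cred.UserName `
        -Password $cred.GetNetworkCredential().Password -RunLevel Highest | Out-Null
}

# Run it once right away and report the result so a broken install is caught today,
# not tomorrow morning. LastTaskResult 0 means the script exited cleanly.
Start-ScheduledTask -TaskName $TaskName
Start-Sleep -Seconds 30
Get-ScheduledTaskInfo -TaskName $TaskName |
    Select-Object TaskName, LastRunTime, LastTaskResult, NextRunTime
```

Prefer the gMSA path where you can: it removes the stored password from the task's credential store and rotates the secret automatically. With a regular account the password is stored by the Task Scheduler service, so the collector server should be treated as holding Exchange-administrator credentials. After the first run, confirm ingestion on the Sentinel side with the query sample above; if ESIExchangeConfig_CL stays empty, check the task's LastTaskResult and the workspace information entered during setup.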
Next steps
For more information, go to the related solution in the Azure Marketplace.