Microsoft Exchange Logs and Events connector for Microsoft Sentinel
You can stream Exchange audit events, IIS logs, HTTP Proxy logs and Security event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection lets you view dashboards, create custom alerts, and improve investigation. It is used by the Microsoft Exchange Security workbooks to provide security insights into your on-premises Exchange environment.
This is autogenerated content. For changes, contact the solution provider.
Connector attributes
| Connector attribute | Description |
|---|---|
| Log Analytics table(s) | Event, W3CIISLog, MessageTrackingLog_CL, ExchangeHttpProxy_CL |
| Data collection rules support | Not currently supported |
| Supported by | Community |
Query samples
All audit logs

```kusto
Event
| where EventLog == 'MSExchange Management'
| sort by TimeGenerated
```
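The sample above returns every cmdlet invocation Exchange wrote to the MSExchange Management event log. The following query, an added example and not part of the original connector page, narrows that to administrative cmdlets that are commonly abused for persistence or mail exfiltration and summarizes them per actor machine. It relies only on the standard columns of the `Event` table (`TimeGenerated`, `Computer`, `EventLog`, `Source`, `EventID`, `RenderedDescription`); the cmdlet list is a constructed starting point, not a complete one, and the regex assumes the cmdlet name is the first token of the rendered message, which you should confirm against your own data before turning this into an analytics rule.

```kusto
// Added example: hunt for sensitive Exchange admin cmdlets in the admin audit log.
// Assumption: the cmdlet name is the first word of RenderedDescription (check on your data).
let SensitiveCmdlets = dynamic([
    "New-ManagementRoleAssignment",   // grants RBAC roles
    "Add-MailboxPermission",          // FullAccess to someone else's mailbox
    "Add-RecipientPermission",        // SendAs rights
    "Set-Mailbox",                    // ForwardingSmtpAddress / ForwardingAddress
    "New-TransportRule",              // silent BCC / redirect of mail flow
    "New-InboxRule",                  // forwarding or deletion rules
    "Set-InboxRule",
    "New-MailboxExportRequest",       // PST export of a mailbox
    "Set-OabVirtualDirectory",        // external URL tampering
    "Set-EcpVirtualDirectory"
]);
Event
| where TimeGenerated > ago(7d)
| where EventLog == 'MSExchange Management'
| extend Cmdlet = extract(@"^\s*([A-Za-z]+-[A-Za-z]+)", 1, RenderedDescription)
| where Cmdlet in~ (SensitiveCmdlets)
| summarize
    Invocations = count(),
    FirstSeen   = min(TimeGenerated),
    LastSeen    = max(TimeGenerated),
    Samples     = make_set(substring(RenderedDescription, 0, 200), 5)
    by Computer, Cmdlet
| sort by Invocations desc
```

`make_set(..., 5)` keeps a handful of truncated raw messages per (server, cmdlet) pair so an analyst can see the parameters (for example a forwarding address) without pulling every row back.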
Prerequisites
To integrate with Microsoft Exchange Logs and Events make sure you have:
- The Log Analytics agent is being deprecated; to collect data from non-Azure VMs, Azure Arc is recommended.
Vendor installation instructions
Note
This data connector depends on a parser based on a Kusto function to work as expected. Follow the steps to create the Kusto function alias: ExchangeAdminAuditLogs
Note
This solution is organized into options. This lets you choose which data is ingested, because some options can generate a very high volume of data. Depending on what you want to collect and track in your workbooks, analytics rules and hunting queries, choose the option(s) to deploy. Each option is independent of the others. To learn more about each option, see the 'Microsoft Exchange Security' wiki.
- Download and install the agents needed to collect logs for Microsoft Sentinel.
The type of servers to onboard (Exchange Servers, the Domain Controllers used by the Exchange Servers, or all Domain Controllers) depends on the option you want to deploy.
- Deploy log ingestion for the chosen options.
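Because each option can generate a very high volume of data, it is worth checking what the deployed options are actually sending before enabling more of them. The query below is an added example, not part of the connector page; it reports daily row count and billed size for each table the connector writes to (the four listed under Connector attributes). It uses the standard `_BilledSize` column and `union isfuzzy=true` so the query still runs when an option has not been deployed and its custom table does not yet exist.

```kusto
// Added example: per-table ingestion volume for the tables this connector feeds.
// isfuzzy=true keeps the query running if MessageTrackingLog_CL or
// ExchangeHttpProxy_CL does not exist because that option was not deployed.
union isfuzzy=true withsource=TableName
    (Event | where EventLog == 'MSExchange Management'),
    W3CIISLog,
    MessageTrackingLog_CL,
    ExchangeHttpProxy_CL
| where TimeGenerated > ago(7d)
| summarize
    Rows     = count(),
    BilledMB = round(sum(_BilledSize) / 1024.0 / 1024.0, 1)
    by TableName, Day = bin(TimeGenerated, 1d)
| sort by Day desc, BilledMB desc
```

W3CIISLog in particular is often the largest contributor; if its daily size dominates, consider whether the IIS option is needed for the workbooks and analytics rules you plan to use.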
Next steps
For more information, go to the related solution in the Azure Marketplace.