Microsoft Exchange Admin Audit Logs by Event Logs connector for Microsoft Sentinel

[Option 1] - Using Azure Monitor Agent - You can stream all Exchange Audit events from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to view dashboards, create custom alerts, and improve investigation. It is used by the Microsoft Exchange Security Workbooks to provide security insights into your on-premises Exchange environment.

This is autogenerated content. For changes, contact the solution provider.

Connector attributes

Connector attribute        Description
Log Analytics table(s)     Event
Data collection rules      Not currently supported
Supported by               Community

Query samples

All Audit logs

Event 
| where EventLog == 'MSExchange Management' 
| sort by TimeGenerated

Prerequisites

To integrate with Microsoft Exchange Admin Audit Logs by Event Logs make sure you have:

  • Azure Log Analytics will be deprecated; to collect data from non-Azure VMs, Azure Arc is recommended.
  • Detailed documentation: detailed documentation on the installation procedure and usage can be found here.

Vendor installation instructions

Note

This solution is based on options. This lets you choose which data will be ingested, as some options can generate a very high volume of data. Depending on what you want to collect and track in your Workbooks, Analytics Rules and Hunting capabilities, you choose the option(s) you will deploy. Each option is independent of the others. To learn more about each option, see the 'Microsoft Exchange Security' wiki.

This data connector is option 1 of the wiki.

  1. Download and install the agents needed to collect logs for Microsoft Sentinel

The type of servers to install the agent on (Exchange Servers, Domain Controllers linked to Exchange Servers, or all Domain Controllers) depends on the option you want to deploy.

  2. [Option 1] MS Exchange Management Log collection - MS Exchange Admin Audit event logs by Data Collection Rules

The MS Exchange Admin Audit event logs are collected using Data Collection Rules (DCR) and make it possible to store every administrative cmdlet executed in an Exchange environment.
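Because every administrative cmdlet ends up as a row in the Event table with EventLog set to 'MSExchange Management' (the value used in the query sample above), the raw rows can be hunted directly, even before the ExchangeAdminAuditLogs parser is applied. The following KQL is an added example, not part of this connector page or of the Microsoft Exchange Security solution: it extracts the cmdlet name from RenderedDescription and lists cmdlets that were executed in the last day but never in the 13 days before, which is a useful first-pass signal of unusual administrative activity. The assumed message shape 'Cmdlet succeeded. Cmdlet <Verb-Noun>, parameters {...}.' and the lookback windows are assumptions; adjust the regular expression if your event text differs.

```kql
// Added example (not the connector's own query). Assumes the standard Event
// table columns (TimeGenerated, Computer, EventLog, RenderedDescription) and
// that the MSExchange Management message text starts with
// "Cmdlet succeeded." or "Cmdlet failed." followed by "Cmdlet <Verb-Noun>".
let lookback = 14d;   // total window considered (assumption)
let recent   = 1d;    // "new activity" window at the end of that range (assumption)
let AdminAudit = Event
| where TimeGenerated > ago(lookback)
| where EventLog == 'MSExchange Management'
| extend Cmdlet  = extract(@"Cmdlet ([A-Za-z]+-[A-Za-z]+)", 1, RenderedDescription)
| extend Outcome = iff(RenderedDescription startswith "Cmdlet failed", "Failed", "Succeeded")
| where isnotempty(Cmdlet);
// Cmdlets seen in the recent window that have no occurrence in the baseline period.
AdminAudit
| where TimeGenerated > ago(recent)
| join kind=leftanti (
    AdminAudit
    | where TimeGenerated <= ago(recent)
    | distinct Cmdlet
  ) on Cmdlet
| summarize Executions = count(),
            FirstSeen  = min(TimeGenerated),
            LastSeen   = max(TimeGenerated),
            Servers    = make_set(Computer, 20),
            Outcomes   = make_set(Outcome)
          by Cmdlet
| order by Executions desc
```

Run it from the Logs blade of the Sentinel workspace; an empty result means no cmdlet name appeared for the first time in the last day. The same AdminAudit expression can be reused as the base of an Analytics Rule by replacing the leftanti join with whatever condition you want to alert on, and once the ExchangeAdminAuditLogs parser is deployed its parsed columns can replace the regular-expression extraction.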

Note

This data connector depends on a parser based on a Kusto Function to work as expected. Parsers are automatically deployed with the solution. Follow the steps to create the Kusto Function alias: ExchangeAdminAuditLogs

Next steps

For more information, go to the related solution in the Azure Marketplace.