Muokkaa

Jaa


Exchange Security Insights On-Premises Collector connector for Microsoft Sentinel

Connector used to push Exchange On-Premises Security configuration for Microsoft Sentinel Analysis

This is autogenerated content. For changes, contact the solution provider.

Connector attributes

Connector attribute Description
Log Analytics table(s) ESIExchangeConfig_CL
Data collection rules support Not currently supported
Supported by Community

Query samples

View how many Configuration entries exist on the table

ESIExchangeConfig_CL 
| summarize by GenerationInstanceID_g, EntryDate_s, ESIEnvironment_s

Prerequisites

To integrate with Exchange Security Insights On-Premises Collector make sure you have:

  • Service Account with Organization Management role: The service Account that launch the script as scheduled task needs to be Organization Management to be able to retrieve all the needed security Information.

Vendor installation instructions

Parser deployment (When using Microsoft Exchange Security Solution, Parsers are automatically deployed)

Note

This data connector depends on a parser based on a Kusto Function to work as expected. Follow the steps for each Parser to create the Kusto Functions alias : ExchangeConfiguration and ExchangeEnvironmentList

  1. Install the ESI Collector Script on a server with Exchange Admin PowerShell console

This is the script that will collect Exchange Information to push content in Microsoft Sentinel.

  1. Configure the ESI Collector Script

Be sure to be local administrator of the server. In 'Run as Administrator' mode, launch the 'setup.ps1' script to configure the collector. Fill the Log Analytics (Microsoft Sentinel) Workspace information. Fill the Environment name or leave empty. By default, choose 'Def' as Default analysis. The other choices are for specific usage.

  1. Schedule the ESI Collector Script (If not done by the Install Script due to lack of permission or ignored during installation)

The script needs to be scheduled to send Exchange configuration to Microsoft Sentinel. We recommend scheduling the script once a day. The account used to launch the Script needs to be a member of the group Organization Management

Next steps

For more information, go to the related solution in the Azure Marketplace.