Modifier

Partager via

Microsoft Exchange Admin Audit Logs by Event Logs connector for Microsoft Sentinel

  • Article

[Option 1] - Using Azure Monitor Agent - You can stream all Exchange Audit events from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to view dashboards, create custom alerts, and improve investigation. This is used by Microsoft Exchange Security Workbooks to provide security insights of your On-Premises Exchange environment

This is autogenerated content. For changes, contact the solution provider.

Connector attributes

Connector attribute Description
Log Analytics table(s) Event
Data collection rules support Not currently supported
Supported by Community

Query samples

All Audit logs

Event 
| where EventLog == 'MSExchange Management' 
| sort by TimeGenerated

Prerequisites

To integrate with Microsoft Exchange Admin Audit Logs by Event Logs make sure you have:

  • ****: Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. Learn more
  • Detailed documentation: >NOTE: Detailed documentation on Installation procedure and usage can be found here

Vendor installation instructions

Note

This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independent for one from the other. To learn more about each option: 'Microsoft Exchange Security' wiki

This Data Connector is the option 1 of the wiki.

  1. Download and install the agents needed to collect logs for Microsoft Sentinel

Type of servers (Exchange Servers, Domain Controllers linked to Exchange Servers or all Domain Controllers) depends on the option you want to deploy.

  1. [Option 1] MS Exchange Management Log collection - MS Exchange Admin Audit event logs by Data Collection Rules

The MS Exchange Admin Audit event logs are collected using Data Collection Rules (DCR) and allow to store all Administrative Cmdlets executed in an Exchange environment.

Note

This data connector depends on a parser based on a Kusto Function to work as expected. Parsers are automatically deployed with the solution. Follow the steps to create the Kusto Functions alias : ExchangeAdminAuditLogs

Next steps

For more information, go to the related solution in the Azure Marketplace.