Microsoft Exchange Security for Exchange On-Premises

Solution: Microsoft Exchange Security - Exchange On-Premises



Back to Solutions Index


Attribute Value
Publisher Community
Support Tier Community
Support Link https://github.com/Azure/Azure-Sentinel/issues
Categories domains
Version 3.3.2
Author Microsoft - support@microsoft.com
First Published 2022-12-21
Solution Folder Microsoft Exchange Security - Exchange On-Premises
Marketplace Azure Marketplace · Popularity: 🟢 High (81%)

The Exchange Security Audit and Configuration Insight solution analyzes Exchange On-Premises configuration and logs through a security lens to provide insights and alerts.

Underlying Microsoft Technologies used:

This solution takes a dependency on the following technologies; some of these dependencies may be in Preview, or may result in additional ingestion or operational costs:

a. Windows Event logs collection, including MS Exchange Management Event logs

b. Custom logs ingestion via Data Collector REST API

Contents

Data Connectors

This solution provides 8 data connector(s):

🔶 CLv1: This connector ingests into a table that uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g. _s, _d, _b, _t, _g). Note: identification is based on column name suffixes which are also permitted in CLv2, so this classification may not always be accurate.

Tables Used

This solution uses 6 table(s):

Table Used By Connectors Used By Content
ESIExchangeConfig_CL 🔶 Exchange Security Insights On-Premises Collector Workbooks
Event Microsoft Exchange Admin Audit Logs by Event Logs, Microsoft Exchange Logs and Events, [Deprecated] Microsoft Exchange Logs and Events Analytics, Workbooks
ExchangeHttpProxy_CL 🔶 Microsoft Exchange HTTP Proxy Logs, [Deprecated] Microsoft Exchange Logs and Events -
MessageTrackingLog_CL 🔶 Microsoft Exchange Message Tracking Logs, [Deprecated] Microsoft Exchange Logs and Events -
SecurityEvent Microsoft Active-Directory Domain Controllers Security Event Logs, [Deprecated] Microsoft Exchange Logs and Events Workbooks
W3CIISLog IIS Logs of Microsoft Exchange Servers, [Deprecated] Microsoft Exchange Logs and Events Workbooks

🔶 CLv1: This table uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g. _s, _d, _b, _t, _g). Note: identification is based on column name suffixes which are also permitted in CLv2, so this classification may not always be accurate.
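The two dependencies above meet in the 🔶 CLv1 tables: records posted through the HTTP Data Collector API land in a custom table named after the Log-Type header with _CL appended, and each JSON field becomes a type-suffixed column. The following Python is an added example, not code from the solution or from Microsoft: it builds the signed request (HMAC-SHA256 over method, body length, content type, x-ms-date and resource path, keyed with the base64-decoded workspace key) without sending it, and predicts the column names a CLv1 table would receive. The workspace id, shared key, record fields and EXAMPLE_TIME are constructed placeholders, and the GUID/datetime detection is a simplification of the service's own parsing.

```python
import base64
import hashlib
import hmac
import json
import re
from datetime import datetime, timezone

# Constructed placeholders, not real credentials: the workspace id and the
# base64 shared key are made up for this example.
WORKSPACE_ID = "00000000-1111-2222-3333-444444444444"
SHARED_KEY = base64.b64encode(b"constructed-example-key-not-a-real-secret").decode()
EXAMPLE_TIME = datetime(2025, 3, 26, 12, 0, 0, tzinfo=timezone.utc)

RESOURCE = "/api/logs"
CONTENT_TYPE = "application/json"
API_VERSION = "2016-04-01"

# Constructed sample records of the shape a configuration collector might post;
# the field names are invented for the example.
SAMPLE_RECORDS = [
    {
        "ServerName": "EX01",
        "Section": "RBAC",
        "GeneratedOn": "2025-03-26T12:00:00Z",
        "Enabled": True,
        "RoleCount": 3,
        "ObjectId": "0f6c7a12-9b3e-4c5d-8e7f-1a2b3c4d5e6f",
    }
]


def build_signature(workspace_id, shared_key, rfc1123_date, content_length, method="POST"):
    """Return the Authorization header value for the Data Collector API.

    The string to sign is method, body length, content type, the x-ms-date
    header and the resource path, newline separated, HMAC-SHA256'd with the
    base64-decoded workspace key.
    """
    string_to_sign = "\n".join(
        [method, str(content_length), CONTENT_TYPE, f"x-ms-date:{rfc1123_date}", RESOURCE]
    )
    key = base64.b64decode(shared_key)
    digest = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}"


def build_request(workspace_id, shared_key, log_type, records, now=None):
    """Assemble URL, headers and body for one POST; nothing is sent."""
    # Log-Type becomes the table name with _CL appended; keep it to the safe charset.
    if not re.fullmatch(r"[A-Za-z0-9_]{1,100}", log_type):
        raise ValueError("Log-Type must be letters, digits or underscore")
    body = json.dumps(records, separators=(",", ":")).encode("utf-8")
    stamp = (now or datetime.now(timezone.utc)).strftime("%a, %d %b %Y %H:%M:%S GMT")
    return {
        "url": f"https://{workspace_id}.ods.opinsights.azure.com{RESOURCE}?api-version={API_VERSION}",
        "headers": {
            "content-type": CONTENT_TYPE,
            "Authorization": build_signature(workspace_id, shared_key, stamp, len(body)),
            "Log-Type": log_type,
            "x-ms-date": stamp,
        },
        "body": body,
    }


_GUID = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
_ISO_TS = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})?")


def clv1_column_name(field, value):
    """Predict the type-suffixed column a CLv1 custom table gives one JSON field.

    Suffixes: _b boolean, _d double (all JSON numbers), _g GUID, _t datetime
    (ISO 8601 strings), _s everything else. bool is tested before int because
    bool is an int subclass in Python.
    """
    if isinstance(value, bool):
        return f"{field}_b"
    if isinstance(value, (int, float)):
        return f"{field}_d"
    if isinstance(value, str):
        if _GUID.fullmatch(value):
            return f"{field}_g"
        if _ISO_TS.fullmatch(value):
            return f"{field}_t"
    return f"{field}_s"


def predict_table(log_type, records):
    """Return (table name, sorted predicted column names) for the records."""
    columns = {clv1_column_name(k, v) for rec in records for k, v in rec.items()}
    return f"{log_type}_CL", sorted(columns)


if __name__ == "__main__":
    req = build_request(WORKSPACE_ID, SHARED_KEY, "ESIExchangeConfig", SAMPLE_RECORDS, now=EXAMPLE_TIME)
    print(req["url"])
    print(req["headers"]["Authorization"])
    print(predict_table("ESIExchangeConfig", SAMPLE_RECORDS))
```

Two practitioner caveats follow from the code. The shared key is a workspace-level write secret: anyone holding it can post arbitrary records into any _CL table, so it belongs in a secret store on the collector host, not in a script. And because every JSON field becomes its own suffixed column, the suffix alone does not prove a table is CLv1 (the page's own note), and each new field name the collector emits widens the table and adds to the ingestion cost the solution warns about.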

Content Items

This solution includes 13 content item(s):

Content Type Count
Parsers 5
Workbooks 4
Analytic Rules 2
Watchlists 2

Analytic Rules

Name Severity Tactics Tables Used
Server Oriented Cmdlet And User Oriented Cmdlet used High Exfiltration, Persistence, Collection Event
VIP Mailbox manipulation Medium Exfiltration, Persistence, Collection Event

Workbooks

Name Tables Used
Microsoft Exchange Admin Activity Event, SecurityEvent, W3CIISLog
Microsoft Exchange Least Privilege with RBAC ESIExchangeConfig_CL
Microsoft Exchange Search AdminAuditLog Event
Microsoft Exchange Security Review ESIExchangeConfig_CL

Parsers

Name Description Tables Used
ExchangeAdminAuditLogs - Event (read)
ExchangeConfiguration The list of sections to query. Default is all. -
ExchangeEnvironmentList The target environment to query. Valid values are "On-Premises" or "Online". Default is "On-Premises... -
MESCheckVIP The user to check for VIP status. Default value is "all". -
MESCompareDataOnPMRA The section to compare. Default value is "". ESIExchangeConfig_CL (read)

Watchlists

Name Description Tables Used
ExchangeServicesMonitoring - -
ExchangeVIP - -

Additional Documentation

📄 Source: Microsoft Exchange Security - Exchange On-Premises/README.md

Overview

We have published Public Contents for the Microsoft Exchange Security Sentinel Solution. The contents can be found here:

Release Notes

Version Date Modified (DD-MM-YYYY) Change History
3.3.2 26-03-2025 Update documentation link to new repository
3.3.0 26-08-2024 Add Compare in Exchange Security Review. Create DataConnectors for Azure Monitor Agent. Correct bugs
3.2.0 09-04-2024 Explode "ExchangeAdminAuditLogEvents" dataconnector into multiple simpler dataconnectors
3.1.5 26-04-2024 Fix typo in DataConnector; repackaged for fix on parser in maintemplate to have old parsername and parentid
3.1.4 18-04-2024 Repackaged for parser issue while redeployment
3.1.3 10-04-2024 Updated DataConnector last Log indicator and IsConnected queries by including Application and System Log Event Types
3.1.2 20-02-2024 Correct DataConnector last Log indicator and IsConnected queries
3.1.1 18-12-2023 Update Parsers parameters
3.1.0 01-11-2023 Added Watchlist to track activities on VIPs' Mailboxes. Change ExchangeAuditLog parser to work without watchlist and searching all type of VIP information
3.0.1 13-09-2023 Readme file for Parsers and typo correction
3.0.0 23-08-2023 ExchangeEnvironmentList parser name corrected in Workbooks.
