Azure / Azure-Sentinel

Cloud-native SIEM for intelligent security analytics for your entire enterprise.
https://azure.microsoft.com/en-us/services/azure-sentinel/
MIT License

Microsoft Exchange Logs and Events errors when deploying MessageTrackingLog and ExchangeHttpProxy collectors #10789

Open micholczyk opened 1 month ago

micholczyk commented 1 month ago

Describe the bug

When configuring the Microsoft Exchange Logs and Events connector, the steps regarding [Option 6] Message Tracking of Exchange Servers and [Option 7] HTTP Proxy of Exchange Servers manual deployment fail with errors:

Update Error - Error occurred while compiling query in query: SemanticError:0x00000006 at 1:43 : Undefined symbol: date-time

Update Error - Error occurred while compiling query in query: SemanticError:0x00000006 at 1:43 : Undefined symbol: DateTime

To Reproduce

Steps to reproduce the behavior:

  1. Go to Microsoft Sentinel -> Data connectors -> Microsoft Exchange Logs and Events.
  2. Scroll down to Configuration -> 2. Deploy log injestion following choosed options -> [Option 6] Message Tracking of Exchange Servers -> Option 2 - Manual Deployment of Azure Automation and follow the instructions there.
  3. The error happens in step 4. of C. Modify the created DCR, Type Custom log when configuring a Data Source of Custom Text logs type with the provided KQL.
  4. The same applies to [Option 7] HTTP Proxy of Exchange Servers.

Expected behavior

The connector should start collecting logs.

Screenshots

[Option 6] Message Tracking of Exchange Servers

First error shows up after uploading the example file (expected?). [image]

After transformation there is no error. [image]

After performing the steps in C. Modify the created DCR, Type Custom log there is the following error. [image]

After page refresh the Data sources are gone. [image]

[Option 7] HTTP Proxy of Exchange Servers

Again - first error shows up after uploading the example file. Probably expected. [image]

Transformation seems ok. [image]

In step C. Modify the created DCR, Type Custom log same exact error appears. [image]


If I'm doing something wrong, or not understanding something correctly, I'd be glad for your advice. :) Thanks!

v-sudkharat commented 1 month ago

Hi @micholczyk, thanks for flagging this issue. We will investigate this issue and get back to you with some updates by 25-07-2024. Thanks!

micholczyk commented 1 month ago

Hello, any news on this issue?

v-sudkharat commented 1 month ago

Hi @micholczyk, sorry for the delay in response. We need some more time to investigate this issue from our end. Thanks!

v-sudkharat commented 2 weeks ago

Adding @v-prasadboke

matt-traynor commented 6 days ago

@v-prasadboke @v-sudkharat are there any updates on this issue please?

saahilverma commented 6 days ago

@v-prasadboke @v-rusraut @v-sudkharat Can we get an update on this... Seems like a lot of people are stuck at transform.

nlepagnez commented 6 days ago

Hi, There was a bug in the way we proposed to implement the DCR manually when the ‘Custom Logs’ DCR was in preview. A Pull Request is in progress #11049