Azure / Azure-Sentinel

Cloud-native SIEM for intelligent security analytics for your entire enterprise.
https://azure.microsoft.com/en-us/services/azure-sentinel/
MIT License
4.5k stars 2.95k forks

Instructions for Exchange Admin Audit Log Events Data Connector has incorrect log names (Exchange On-Premises Solution) #10960

Open leighcurranTW opened 1 month ago

leighcurranTW commented 1 month ago

The data connector for the Exchange Admin and Audit Log Events uses 'MS Exchange Management' as the log name when it should be 'MSExchange Management'. For example: "Click Add Windows event log and enter MS Exchange Management as log name."

To reproduce the issue, install the Exchange On-Premises solution and try to configure:

[Option 1] MS Exchange Management Log collection > Data Collection Rules - When the legacy Azure Log Analytics Agent is used > Configure the logs to be collected.

And

[Option 1] MS Exchange Management Log collection > Data Collection Rules - When Azure Monitor Agent is used > Option 2 - Manual Deployment of Azure Automation.

An example of the event name (which is used correctly in the parsers etc. throughout the solution already):

Lines 212 and 232 in ESI-ExchangeAdminAuditLogEvents.json

v-sudkharat commented 3 weeks ago

FYI, @v-prasadboke

nlepagnez commented 3 weeks ago

Hi @v-prasadboke, @v-sudkharat, I confirm that the XPath information is not good. The good value is "MSExchange Management!*". So in the connector documentation it has to be "MSExchange Management".
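The practical consequence of the typo is that a Data Collection Rule built from the documented string collects nothing, silently, because no channel called "MS Exchange Management" exists on the server. The script below is an added example, not code from the Azure-Sentinel repository or from any participant in this thread: it takes DCR-style `xPathQueries` entries, splits them into log name and XPath, and checks both against the local Exchange server with `Get-WinEvent`, the same channel/XPath syntax the Azure Monitor Agent evaluates. It assumes the DCR `windowsEventLogs` entry format `<LogName>!<XPath>` and the `Microsoft-Event` stream name; both are stated as assumptions in the comments. Run it in an elevated PowerShell session on the Exchange server that will host the agent.

```powershell
# Added example (not from the Azure-Sentinel repo): validate DCR xPathQueries entries on the
# Exchange server before deploying the Data Collection Rule. Assumption: the DCR
# "windowsEventLogs" dataSource takes entries of the form "<LogName>!<XPath>", so a misspelled
# log name is not a syntax error; the agent simply never finds the channel.

$xPathQueries = @(
    'MS Exchange Management!*',   # the string the connector docs currently show (wrong log name)
    'MSExchange Management!*'     # the corrected value confirmed in this thread
)

function Test-DcrXPathQuery {
    param([Parameter(Mandatory)][string]$Query)

    # Split at the first "!" only: the log name never contains "!", the XPath part might.
    $idx = $Query.IndexOf('!')
    if ($idx -lt 0) {
        return [pscustomobject]@{ Query = $Query; LogExists = $false; SampleEvents = 0; Error = 'missing "!" separator' }
    }
    $logName = $Query.Substring(0, $idx)
    $xpath   = $Query.Substring($idx + 1)

    # Step 1: does the channel exist on this host? This is where "MS Exchange Management" fails.
    $log = Get-WinEvent -ListLog $logName -ErrorAction SilentlyContinue
    if (-not $log) {
        return [pscustomobject]@{ Query = $Query; LogExists = $false; SampleEvents = 0; Error = "event log '$logName' not found on this host" }
    }

    # Step 2: does the XPath part parse and match anything in that channel?
    try {
        $events = @(Get-WinEvent -LogName $logName -FilterXPath $xpath -MaxEvents 5 -ErrorAction Stop)
        return [pscustomobject]@{ Query = $Query; LogExists = $true; SampleEvents = $events.Count; Error = $null }
    }
    catch {
        # Get-WinEvent throws when a valid query matches zero events; that is not a bad query.
        if ($_.Exception.Message -match 'No events were found') {
            return [pscustomobject]@{ Query = $Query; LogExists = $true; SampleEvents = 0; Error = $null }
        }
        # Anything else (malformed XPath, access denied) is a real problem with the entry.
        return [pscustomobject]@{ Query = $Query; LogExists = $true; SampleEvents = 0; Error = $_.Exception.Message }
    }
}

# Check every entry and show which ones would actually deliver events.
$results = $xPathQueries | ForEach-Object { Test-DcrXPathQuery -Query $_ }
$results | Format-Table -AutoSize

# Keep only the entries that resolved to an existing channel, and emit them in the shape the
# DCR dataSource expects (assumption: "windowsEventLogs" with the "Microsoft-Event" stream).
$good = @($results | Where-Object { $_.LogExists -and -not $_.Error } | ForEach-Object { $_.Query })
$dataSource = @{
    windowsEventLogs = @(
        @{
            name         = 'ExchangeManagementLog'   # hypothetical dataSource name
            streams      = @('Microsoft-Event')
            xPathQueries = $good
        }
    )
}
$dataSource | ConvertTo-Json -Depth 5
```

On a host running Exchange, the first entry reports `LogExists = False` with an "event log 'MS Exchange Management' not found" error, and the second reports the channel as present with the number of sampled events; only the corrected string ends up in the emitted `xPathQueries` array. The same check is worth running against any other channel names in the connector page before they are pasted into a DCR, since the agent gives no error for a channel that does not exist.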

v-prasadboke commented 1 week ago

Got it @nlepagnez, working on it.

nlepagnez commented 1 week ago

Hi @v-prasadboke, the XPath will be corrected in the pull request #11049