Exchange Security Insights Online Collector (using Azure Functions) connector for Microsoft Sentinel
Connector used to push Exchange Online Security configuration for Microsoft Sentinel Analysis
This is autogenerated content. For changes, contact the solution provider.
Connector attributes
| Connector attribute | Description |
|---|---|
| Log Analytics table(s) | ESIExchangeOnlineConfig_CL |
| Data collection rules support | Not currently supported |
| Supported by | Community |
Query samples
View how many Configuration entries exist on the table
ESIExchangeOnlineConfig_CL
| summarize by GenerationInstanceID_g, EntryDate_s, ESIEnvironment_s
Prerequisites
To integrate with Exchange Security Insights Online Collector (using Azure Functions) make sure you have:
- Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. See the documentation to learn more about Azure Functions.
- microsoft.automation/automationaccounts permissions: Read and write permissions to create an Azure Automation with a Runbook is required. See the documentation to learn more about Automation Account.
- Microsoft.Graph permissions: Groups.Read, Users.Read and Auditing.Read permissions are required to retrieve user/group information linked to Exchange Online assignments. See the documentation to learn more.
- Exchange Online permissions: Exchange.ManageAsApp permission and Global Reader or Security Reader Role are needed to retrieve the Exchange Online Security Configuration.See the documentation to learn more.
- (Optional) Log Storage permissions: Storage Blob Data Contributor to a storage account linked to the Automation Account Managed identity or an Application ID is mandatory to store logs.See the documentation to learn more.
Vendor installation instructions
NOTE - UPDATE
Note
This data connector depends on a parser based on a Kusto Function to work as expected. Follow the steps for each Parser to create the Kusto Functions alias : ExchangeConfiguration and ExchangeEnvironmentList
STEP 1 - Parsers deployment
Note
This connector uses Azure Automation to connect to 'Exchange Online' to pull its Security analysis into Microsoft Sentinel. This might result in additional data ingestion costs. Check the Azure Automation pricing page for details.
STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Automation
IMPORTANT: Before deploying the 'ESI Exchange Online Security Configuration' connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Exchange Online tenant name (contoso.onmicrosoft.com), readily available.
Option 1 - Azure Resource Manager (ARM) Template
Use this method for automated deployment of the 'ESI Exchange Online Security Configuration' connector.
Click the Deploy to Azure button below.
Select the preferred Subscription, Resource Group and Location.
Enter the Workspace ID, Workspace Key, Tenant Name, 'and/or Other required fields'.
- Mark the checkbox labeled I agree to the terms and conditions stated above. 5. Click Purchase to deploy.
Option 2 - Manual Deployment of Azure Automation
Use the following step-by-step instructions to deploy the 'ESI Exchange Online Security Configuration' connector manually with Azure Automation.
STEP 3 - Assign Microsoft Graph Permission and Exchange Online Permission to Managed Identity Account
To be able to collect Exchange Online information and to be able to retrieve User information and memberlist of admin groups, the automation account need multiple permission.
Next steps
For more information, go to the related solution in the Azure Marketplace.