Exchange Security Insights Online Collector (using Azure Functions) connector for Microsoft Sentinel
Connector used to push Exchange Online Security configuration for Microsoft Sentinel Analysis
Connector attributes
| Connector attribute | Description |
|---|---|
| Log Analytics table(s) | ESIExchangeOnlineConfig_CL |
| Data collection rules support | Not currently supported |
| Supported by | Community |
Query samples
View how many Configuration entries exist on the table
ESIExchangeOnlineConfig_CL
| summarize by GenerationInstanceID_g, EntryDate_s, ESIEnvironment_s
Prerequisites
To integrate with Exchange Security Insights Online Collector (using Azure Functions) make sure you have:
- Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. See the documentation to learn more about Azure Functions.
- microsoft.automation/automationaccounts permissions: Read and write permissions to Azure Automation Account to create a it with a Runbook is required. See the documentation to learn more about Automation Account.
Vendor installation instructions
Note
This data connector depends on a parser based on a Kusto Function to work as expected. Follow the steps for each Parser to create the Kusto Functions alias : ExchangeConfiguration and ExchangeEnvironmentList
STEP 1 - Parsers deployment
Note
This connector uses Azure Automation to connect to 'Exchange Online' to pull its Security analysis into Microsoft Sentinel. This might result in additional data ingestion costs. Check the Azure Automation pricing page for details.
STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Automation
IMPORTANT: Before deploying the 'ESI Exchange Online Security Configuration' connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Exchange Online tenant name (contoso.onmicrosoft.com), readily available.
Option 1 - Azure Resource Manager (ARM) Template
Use this method for automated deployment of the 'ESI Exchange Online Security Configuration' connector.
Click the Deploy to Azure button below.
Select the preferred Subscription, Resource Group and Location.
Enter the Workspace ID, Workspace Key, Tenant Name, 'and/or Other required fields'.
- Mark the checkbox labeled I agree to the terms and conditions stated above. 5. Click Purchase to deploy.
Option 2 - Manual Deployment of Azure Automation
Use the following step-by-step instructions to deploy the 'ESI Exchange Online Security Configuration' connector manually with Azure Automation.
STEP 3 - Assign Microsoft Graph Permission and Exchange Online Permission to Managed Identity Account
To be able to collect Exchange Online information and to be able to retrieve User information and memberlist of admin groups, the automation account need multiple permission.
Next steps
For more information, go to the related solution in the Azure Marketplace.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for