Thank you for responding!
I did not see MS Exchange in the attachment's list.
Does the SIEM collect Exchange logs via WMI? Agent? Or syslog?
Exchange Mailbox Audit logs are logs with information about non-owner mailbox access. Exchange allows these audit logs to be exported via xml
Has anyone configured their SIEM to collect the Excange Administrator Audit Logs?
We are collecting Exchange Message Tracking logs but it doesn't contain any audit events. I'm not sure if McAfee supports parsing of Exchange Audit logs. Raise a PER with McAfee.
There is an event type that covers MEssage Tracking logs
Rule Name: MS_Exchange Event
Signature ID: 1022135
Normalization Name: Misc Application Event
How are you collecting Exchange Message Tracking logs ? using the Agent ? Any other solution ?
Its weird that Microsoft Exchange is listed in "supported" products without actually supporting Audit logs. Except if you have LOGBinder.
LOGbinder for Exchange will do the job. You can download a fully functional 30 day free trial. If you need more testing time you can just email our support team at firstname.lastname@example.org and they will extend the license for you. The install is quick and easy and I know you'll be happy with the results.