Thank you for responding!
I did not see MS Exchange in the attachment's list.
Does the SIEM collect Exchange logs via WMI? Agent? Or syslog?
Exchange Mailbox Audit logs are logs with information about non-owner mailbox access. Exchange allows these audit logs to be exported via XML.
Has anyone configured their SIEM to collect the Exchange Administrator Audit Logs?
I am not quite sure, but I think you can use the data collector in this case.
We are collecting Exchange Message Tracking logs, but they don't contain any audit events. I'm not sure if McAfee supports parsing of Exchange Audit logs. Raise a PER with McAfee.
There is an event type that covers Message Tracking logs:
Rule Name: MS_Exchange Event
Signature ID: 1022135
Normalization Name: Misc Application Event
How are you collecting Exchange Message Tracking logs? Using the Agent? Any other solution?
It's weird that Microsoft Exchange is listed in "supported" products without actually supporting Audit logs. Except if you have LOGbinder.
Any update on this one?
I am sure there are a few PERs open on this matter. Has anyone got any feedback so far?
I have not received an update on this. I do not see the sig ID that is mentioned above in our environment.
LOGbinder for Exchange will do the job. You can download a fully functional 30-day free trial. If you need more testing time, you can just email our support team at firstname.lastname@example.org and they will extend the license for you. The install is quick and easy and I know you'll be happy with the results.