I would like to hear from any users that are currently utilizing LogBinder with their SIEM to collect MS Exchange logs. This is an area where we want more visibility, and efforts to utilize the SIEM by itself haven't yielded the results we desire.
I've accomplished this a few times with the Tail function (introduced in 9.6) to grab Message Tracking logs directly from Exchange. You would need to share (CIFS) the message tracking folder and give the SIEM AD account read permissions. Here is the sample ESM setting.
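The share-and-read-permission step described in the reply above, as an added example that is not part of the original post and is not the ESM setting it refers to. The account name, share name and log path are assumptions; the path shown is the Exchange default and should be checked against the server's actual message tracking log location.

```powershell
# Added example. Run in an elevated PowerShell session on the Exchange server.
# Placeholders (assumptions, not from the thread):
$SiemAccount = 'CONTOSO\svc-siem-reader'   # hypothetical AD account used by the SIEM
$ShareName   = 'MsgTracking$'              # hypothetical share name; trailing $ hides it from browsing

# Default message tracking location; adjust if the log path was changed on this server.
$LogPath = Join-Path $env:ExchangeInstallPath 'TransportRoles\Logs\MessageTracking'

if (-not (Test-Path -LiteralPath $LogPath -PathType Container)) {
    throw "Message tracking folder not found: $LogPath"
}

# NTFS: grant read-only access, inherited by the log files and any subfolders.
$acl  = Get-Acl -LiteralPath $LogPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $SiemAccount, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $LogPath -AclObject $acl

# Share: read access for the SIEM account only (no Everyone, no Change/Full).
New-SmbShare -Name $ShareName -Path $LogPath -ReadAccess $SiemAccount `
    -Description 'Read-only export of Exchange message tracking logs for SIEM' | Out-Null

# Check: fail loudly if anything other than Read ended up on the share.
$access = Get-SmbShareAccess -Name $ShareName
$access | Format-Table AccountName, AccessControlType, AccessRight
if ($access | Where-Object { $_.AccessRight -ne 'Read' }) {
    Write-Warning "Share $ShareName grants more than Read; review before pointing the SIEM at it."
}
```

Effective access is the intersection of the share permission and the NTFS ACL, so both are set to read-only here and the service account needs no other rights on the Exchange server.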