Microsoft Exchange Security - Exchange On-Premises - Microsoft Exchange Logs and Events - Step 2 Option 1 connector is configured for firewall logs instead of Event logs #8872 #9171

Closed
javbux opened this issue Oct 6, 2023 · 14 comments · Fixed by #9322

javbux commented Oct 6, 2023

Describe the bug
This issue reported under #8872 still exists

To Reproduce
Perfectly described in #8872

Expected behavior
#8872

Screenshots
#8872

Desktop (please complete the following information):
#8872

Additional context
The original issue is around creating the DCR, which means we are using Azure Monitor Agent.

The comments from v-sudkharat are incorrect as this is based on the MMA.

Can this be re-looked at please, as I have this issue and a few more in relation to the Microsoft Exchange Logs and Events data connector.

@github-actions
Contributor

github-actions bot commented Oct 6, 2023

Thank you for submitting an Issue to the Azure Sentinel GitHub repo! You should expect an initial response to your Issue from the team within 5 business days. Note that this response may be delayed during holiday periods. For urgent, production-affecting issues please raise a support ticket via the Azure Portal.

@v-amolpatil v-amolpatil added the Connector Connector specialty review needed label Oct 8, 2023
@v-sudkharat
Contributor

Hi @javbux, Thanks for flagging this issue, we will investigate this issue and get back to you with some updates by 11-10-2023. Thanks!

@v-sudkharat
Contributor

Hi @javbux, could you please explain the exact issue you are facing with a detailed explanation and, if possible, please provide the screenshots. Thanks!

@javbux
Author

javbux commented Oct 11, 2023

Hi @v-sudkharat, the issue is exactly as reported in #8872.
The screenshots and issue are in #8872, that's why I have not repeated them.

@v-sudkharat
Contributor

v-sudkharat commented Oct 13, 2023

Hi @javbux, thank you for your response. We are investigating this issue, and we will share an update with you by 17-10-2023. Thanks!

@v-sudkharat
Contributor

Hi @javbux, we have reached out to the concerned team for this issue. Once we receive an update on this, we will update you. Thanks!

@v-sudkharat
Contributor

Hi @javbux, we connected with the respective data connector team for this issue. They are working on this issue, but there is no ETA.
Meanwhile, you can refer to the document below and the steps to configure the DCR (Azure Monitor Agent) to pull the Windows logs.
https://learn.microsoft.com/en-us/azure/azure-monitor/agents/data-collection-rule-azure-monitor-agent?tabs=portal

  1. Create DCR.
  2. Add your resources.
  3. Select Data Source Type to Windows Events Logs.
  4. Select the event logs.
  5. Add data source.
  6. Create the rule.

We hope these steps help you. Thanks!

@v-sudkharat
Contributor

Hi @javbux, hope you are doing well. Could you please have a look at the above comment and share feedback with us? Thanks!

@v-sudkharat
Contributor

Hi @javbux, Gentle Reminder: We are waiting for your response on this issue. If you still need to keep this issue active, please respond to it in the next 2 days. If we don't receive a response by 01-11-2023, we will be closing this issue.
Thanks!

@javbux
Author

javbux commented Nov 1, 2023

Hi @v-sudkharat
Apologies I have been on leave, let me try this week and get back to you.

@v-sudkharat
Contributor

Hi @javbux, Thank you for your response. Please check and share the feedback with us.
Thanks!

@javbux
Author

javbux commented Nov 2, 2023

Hi @v-sudkharat, thanks for your guide.
On review I am already collecting the application and system logs with a DCR.

What I would like is the MSExchange Management logs, which would be collected via the data connector, which doesn't work currently.

https://github.com/nlepagnez/ESI-PublicContent/blob/main/README.md#option-1---exchange-admin-audits

Do you have the necessary steps that would need to be performed so it is collected and entered into the right table?
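
An added example, not part of this thread or of the connector's own code: a check over a DCR definition (exported as JSON) that reports whether the `MSExchange Management` channel is among its Windows event log data sources and is routed by a data flow, which is the gap described in the comment above. The field names (`dataSources.windowsEventLogs`, `xPathQueries`, `dataFlows`) and the `Microsoft-Event` stream follow the Azure Monitor DCR schema; the function names and the sample rules are constructed for illustration.

```python
CHANNEL = "MSExchange Management"  # event log named in the comment above

def collected_channels(dcr):
    """Map each event-log channel in the DCR to the streams that carry it."""
    out = {}
    sources = dcr.get("properties", {}).get("dataSources", {})
    for src in sources.get("windowsEventLogs", []):
        for query in src.get("xPathQueries", []):
            # AMA XPath entries have the form "<channel>!<xpath filter>"
            channel = query.split("!", 1)[0].strip()
            out.setdefault(channel, set()).update(src.get("streams", []))
    return out

def routed_streams(dcr):
    """Streams that a dataFlow sends to at least one destination."""
    flows = dcr.get("properties", {}).get("dataFlows", [])
    return {s for f in flows if f.get("destinations") for s in f.get("streams", [])}

def check_channel(dcr, channel=CHANNEL):
    """Return 'ok', 'missing' or 'collected-not-routed' for the channel."""
    channels = collected_channels(dcr)
    match = next((c for c in channels if c.lower() == channel.lower()), None)
    if match is None:
        return "missing"
    if not channels[match] & routed_streams(dcr):
        return "collected-not-routed"
    return "ok"

def sample_dcr(queries, routed=True):
    """Build a constructed sample DCR (not taken from the issue)."""
    flow = {"streams": ["Microsoft-Event"], "destinations": ["la-workspace"]}
    return {"properties": {
        "dataSources": {"windowsEventLogs": [{
            "name": "eventLogs", "streams": ["Microsoft-Event"],
            "xPathQueries": queries}]},
        "destinations": {"logAnalytics": [{"name": "la-workspace"}]},
        "dataFlows": [flow] if routed else [],
    }}

# Constructed samples: Application/System only, Exchange added, Exchange unrouted
APP_SYSTEM_ONLY = sample_dcr(["Application!*[System[(Level=1 or Level=2)]]", "System!*"])
WITH_EXCHANGE = sample_dcr(["Application!*", "MSExchange Management!*"])
NOT_ROUTED = sample_dcr(["MSExchange Management!*"], routed=False)

if __name__ == "__main__":
    for name, dcr in [("app+system", APP_SYSTEM_ONLY), ("with exchange", WITH_EXCHANGE),
                      ("not routed", NOT_ROUTED)]:
        print(f"{name}: {check_channel(dcr)}")
```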

@v-sudkharat
Contributor

v-sudkharat commented Nov 3, 2023

Hi @javbux, Thank you for sharing your response with us. We are reaching out to the concerned team for this issue. Once we receive an update on this, we will update you by 09-11-2023. Thanks!

@v-sudkharat v-sudkharat linked a pull request Nov 6, 2023 that will close this issue
@v-sudkharat
Contributor

Hi @javbux, We received the response from the concerned team, and the team has raised the PR with the modifications.
The changes will be reflected in the upcoming version of the solution.
Thanks!
