Exchange logs to Chronicle SIEM

Hello All,

Could anyone please let me know what the best way is to ingest O365 mail logs (MS Exchange) into Chronicle if we don't have an Exchange server in place?

Thanks in advance.

Aravind Sreekumar


If you are looking for the audit logs associated with O365, the following set of blogs may be helpful, as they walk through creating an Entra ID app and shared secret, assigning permissions for O365, and setting up a feed into Google SecOps. If you are looking for mail logs, i.e. Message Trace, that is a different process, and if you are looking for the gory details of the mail, I'm not certain if you can get that without having an MTA and an Exchange server itself. Hopefully this helps get you going in the right direction.

https://www.googlecloudcommunity.com/gc/Community-Blog/New-to-Google-SecOps-Integrating-Entra-ID-and...

https://www.googlecloudcommunity.com/gc/Community-Blog/New-to-Google-SecOps-Integrating-Entra-ID-and...

https://www.googlecloudcommunity.com/gc/Community-Blog/New-to-Google-SecOps-Integrating-Entra-ID-and...


Thanks a bunch @jstoner

@jstoner,
This worked. I wanted to check whether it is possible to ingest all the mail logs into Chronicle?

Thanks in advance.
Aravind Sreekumar

Aside from what Office 365 provides with Exchange Audit, the only other option that is native Microsoft would be the Message Trace (OFFICE_365_MESSAGETRACE), which provides sender, receiver, subject and some other metrics around attachment size and the like. I have not looked at it in a bit, and it is more for IT use cases, but it could have some applicability to security use cases as another piece of telemetry.

To really get at the mail logs beyond that, I believe you would have to control an Exchange server/MTA to get to that level of logging. Below are links to the Exchange Online service description and monitoring, and my quick read of them does not indicate other logs readily available around Exchange, but there may be something there beyond what I'm familiar with.

https://learn.microsoft.com/en-us/office365/servicedescriptions/exchange-online-service-description/...

https://learn.microsoft.com/en-us/exchange/monitoring/monitoring


Hi @jstoner,

Can we utilise the log type "Microsoft Exchange" for collecting mail logs?

Thanks a bunch.

Aravind Sreekumar

@jstoner,
Also, could you please suggest the best way to ingest Defender for O365 logs into Chronicle?

I believe these are decent references to the kinds of things one would be able to access for an Exchange server, but I have not done it myself. It does leverage Syslog based on the parser list, and again, this is based on you owning the Exchange system, not O365.

https://learn.microsoft.com/en-us/exchange/mail-flow/connectors/protocol-logging?view=exchserver-201...

https://learn.microsoft.com/en-us/exchange/mail-flow/transport-logs/message-tracking?view=exchserver...


Got it.
I was checking whether we can use a webhook transfer or any storage for pulling this data into the log type "Microsoft Exchange".