Exchange logs to Chronicle SIEM

If you are looking for the audit logs associated with O365, the following set of blogs may be helpful as it walks through creating an entra id app and shared secret, assigning permissions for o365 and setting up a feed into Google SecOps. If you are looking for mail logs, ie Message trace, that is a different process and if you are looking for the gory details of the mail, I'm not certain if you can get that without having an MTA and an exchange server itself. Hopefully this helps get you going in the right direction.

https://www.googlecloudcommunity.com/gc/Community-Blog/New-to-Google-SecOps-Integrating-Entra-ID-and-Office-365-Using/ba-p/775297

https://www.googlecloudcommunity.com/gc/Community-Blog/New-to-Google-SecOps-Integrating-Entra-ID-and-Office-365-Using/ba-p/775327

https://www.googlecloudcommunity.com/gc/Community-Blog/New-to-Google-SecOps-Integrating-Entra-ID-and-Office-365-Using/ba-p/775343

If you are looking for the audit logs associated with O365, the following set of blogs may be helpful as it walks through creating an entra id app and shared secret, assigning permissions for o365 and setting up a feed into Google SecOps. If you are looking for mail logs, ie Message trace, that is a different process and if you are looking for the gory details of the mail, I'm not certain if you can get that without having an MTA and an exchange server itself. Hopefully this helps get you going in the right direction.

https://www.googlecloudcommunity.com/gc/Community-Blog/New-to-Google-SecOps-Integrating-Entra-ID-and-Office-365-Using/ba-p/775297

https://www.googlecloudcommunity.com/gc/Community-Blog/New-to-Google-SecOps-Integrating-Entra-ID-and-Office-365-Using/ba-p/775327

https://www.googlecloudcommunity.com/gc/Community-Blog/New-to-Google-SecOps-Integrating-Entra-ID-and-Office-365-Using/ba-p/775343

Aside from what Office 365 provides with Exchange Audit, the only other option that is native Microsoft would be the Message Trace (OFFICE_365_MESSAGETRACE) which provides sender, receiver, subject and some other metrics around attachment size and the like. I have not looked at it in a bit and is more for IT use cases but could have some applicability to security use cases as another piece of telemetry.

To really get at the mail logs beyond that I believe you would have to control an Exchange server/MTA to get to that level of logging. Below are links to the Exchange Online service description and monitoring and my quick read of them does not indicate other logs readily available around exchange, but there may be something there beyond what I'm familiar with.

https://learn.microsoft.com/en-us/office365/servicedescriptions/exchange-online-service-description/exchange-online-service-description

https://learn.microsoft.com/en-us/exchange/monitoring/monitoring

Hi @jstoner,

Can we utilise the log type "Microsoft Exchange" for collecting mail logs?

Thanks a bunch.

Aravind Sreekumar

Hi @jstoner,

Can we utilise the log type "Microsoft Exchange" for collecting mail logs?

Thanks a bunch.

Aravind Sreekumar

I believe these are decent references to the kinds of things one would be able to access for an Exchange server but I have not done it myself. It does leverage Syslog based on the parser list and again this is based on you owning the Exchange system, not O365.

https://learn.microsoft.com/en-us/exchange/mail-flow/connectors/protocol-logging?view=exchserver-2019

https://learn.microsoft.com/en-us/exchange/mail-flow/transport-logs/message-tracking?view=exchserver-2019