Exchange Audit Logs
Retrieves Exchange-related audit events including mailbox and email activity.
Sync Type: Incremental
Requirements
Before setting up the input you need to:
- In Microsoft Purview, turn auditing on
- Register an Active Directory Application
  - Supported account types: Accounts in this organization directory only
  - Certificates & secrets: Create a new client secret. You will need this to configure the Monad source connector.
  - API Permissions: Office 365 Management APIs
    - ActivityFeed.Read
    - ActivityFeed.ReadDlp
    - ServiceHealth.Read
Note: The first sync fetches logs from t-7d unless a backfill start time is specified, which can be up to 7 days in the past. Each subsequent sync is incremental and fetches data from the last successful sync time to the current time.
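The sync window from the note above, computed in Python as an added example (not Monad's connector code). The function names, the clamp of a stale last-sync time to the 7-day limit, and the placeholder tenant ID are assumptions; the 24-hour maximum per content-listing request is the Office 365 Management Activity API's own limit.

```python
from datetime import datetime, timedelta, timezone

MAX_LOOKBACK = timedelta(days=7)  # limit stated in the note above
MAX_SLICE = timedelta(hours=24)   # API limit per content-listing request
BASE = "https://manage.office.com/api/v1.0/{tenant}/activity/feed/subscriptions/content"


def sync_window(now, last_sync=None, backfill_start=None):
    """Return (start, end, gap) for one sync run.

    gap is the span older than 7 days that can no longer be fetched,
    for example after the input was paused for more than a week.
    """
    floor = now - MAX_LOOKBACK
    if last_sync is not None:
        wanted = last_sync        # incremental sync
    elif backfill_start is not None:
        wanted = backfill_start   # first sync with a backfill start time
    else:
        wanted = floor            # first sync, default t-7d
    if wanted > now:
        raise ValueError("start time is in the future")
    start = max(wanted, floor)    # assumption: clamp to what the API retains
    return start, now, start - wanted


def slices(start, end):
    """Split [start, end) into consecutive windows of at most 24 hours."""
    out, cur = [], start
    while cur < end:
        nxt = min(cur + MAX_SLICE, end)
        out.append((cur, nxt))
        cur = nxt
    return out


def listing_urls(tenant_id, start, end):
    """Build one Audit.Exchange content-listing URL per slice (no request is sent)."""
    fmt = "%Y-%m-%dT%H:%M:%S"
    return [
        f"{BASE.format(tenant=tenant_id)}?contentType=Audit.Exchange"
        f"&startTime={s.strftime(fmt)}&endTime={e.strftime(fmt)}"
        for s, e in slices(start, end)
    ]


if __name__ == "__main__":
    now = datetime(2024, 5, 10, 12, 0, tzinfo=timezone.utc)  # constructed clock value
    start, end, gap = sync_window(now, backfill_start=now - timedelta(days=30))
    print(f"unrecoverable gap: {gap}")
    for url in listing_urls("00000000-0000-0000-0000-000000000000", start, end):
        print(url)
```

A non-zero gap marks audit events that fell outside the 7-day window before they were collected, which is worth alerting on when the input has been paused or failing.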
Configuration
Settings
| Setting | Type | Required | Description |
|---|---|---|---|
| Tenant ID | string | true | The tenant ID of the Azure AD application |
| Use Synthetic Data | string | false | Generate synthetic data for testing, instead of connecting to a real data source. Defaults to an hourly cron schedule for cron-based inputs |
| Backfill Start Time | string | false | The date to start fetching data from. If not specified, no past records will be fetched. |
Secrets
| Setting | Type | Required | Description |
|---|---|---|---|
| Client ID | string | true | The client ID of the Azure AD application |
| Client Secret | string | true | The client secret of the Azure AD application |