Microsoft Exchange Online Integration
Overview
Microsoft Exchange Online provides cloud email and calendaring with comprehensive audit and message trace logging. KYRA MDR collects Exchange Online audit logs via the Office 365 Management API for email security monitoring.
Prerequisites
- A KYRA MDR Collector installed and running
- Microsoft 365 tenant with Exchange Online
- Azure AD application with Office 365 Management API permissions
- Exchange Administrator or Global Administrator role
Configuration
Configure Exchange Online log collection:
- Register an application in Azure AD > App Registrations
- Grant API permissions:
  - Office 365 Management APIs > ActivityFeed.Read
  - Office 365 Management APIs > ActivityFeed.ReadDlp
- Grant admin consent
- Configure the KYRA MDR collector:

```yaml
sources:
  - type: exchange-online
    tenant_id: <tenant-id>
    client_id: <client-id>
    client_secret: <client-secret>
    content_types:
      - Audit.Exchange
      - DLP.All
    poll_interval: 120s
```

- Restart the collector service
Collected Log Types
| Log Type | Description | Security Use |
|---|---|---|
| Mailbox Audit | Mailbox access and modification events | Email compromise detection |
| Admin Audit | Exchange admin configuration changes | Policy change monitoring |
| Message Trace | Email routing and delivery events | Phishing, spam analysis |
| DLP | Data loss prevention policy matches | Sensitive data protection |
| Transport Rules | Mail flow rule matches | Email policy enforcement |
| Authentication | Outlook and mobile authentication | Access monitoring |
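The Mailbox Audit and Admin Audit rows above name email compromise and configuration-change monitoring as their security use. The following is an added example, not KYRA MDR code, of one such check run over Audit.Exchange content: it flags inbox-rule and mailbox changes that forward mail to an address outside the tenant's own domains. It assumes records in the Office 365 Management Activity API Audit.Exchange shape (Operation, UserId, ClientIP, CreationTime and a Parameters list of Name/Value pairs); the sample records, the internal-domain list and all addresses are constructed for illustration.

```python
"""Flag mailbox-forwarding changes in Audit.Exchange records.

Added example, not KYRA MDR code. It assumes records in the Office 365
Management Activity API Audit.Exchange shape (Operation, UserId, ClientIP,
CreationTime and a Parameters list of Name/Value pairs). The sample
records, domains and addresses below are constructed for illustration.
"""
import json
import re
from typing import Any

# Exchange cmdlets (recorded in Operation) that can redirect a mailbox's mail.
# Inbox-rule cmdlets appear in mailbox audit; Set-Mailbox in admin audit.
FORWARDING_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}

# Cmdlet parameters that carry a forwarding or redirect destination.
FORWARDING_PARAMETERS = {
    "ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",  # inbox-rule cmdlets
    "ForwardingSmtpAddress", "ForwardingAddress",        # Set-Mailbox
}

# Assumption: the tenant's own accepted domains; anything else counts as external.
INTERNAL_DOMAINS = {"example.com"}

# Constructed content blob: the API returns each blob as a JSON array of records.
SAMPLE_BLOB = json.dumps([
    {
        "CreationTime": "2024-05-02T08:14:09", "Id": "constructed-0001",
        "Operation": "New-InboxRule", "Workload": "Exchange",
        "UserId": "alice@example.com", "ClientIP": "198.51.100.23",
        "Parameters": [
            {"Name": "Name", "Value": "."},
            {"Name": "ForwardTo", "Value": "smtp:collector@mail-drop.example"},
            {"Name": "DeleteMessage", "Value": "True"},
        ],
    },
    {
        "CreationTime": "2024-05-02T09:01:44", "Id": "constructed-0002",
        "Operation": "Set-Mailbox", "Workload": "Exchange",
        "UserId": "admin@example.com", "ClientIP": "203.0.113.7",
        "Parameters": [
            {"Name": "Identity", "Value": "bob"},
            {"Name": "ForwardingSmtpAddress", "Value": "smtp:helpdesk@example.com"},
        ],
    },
    {
        "CreationTime": "2024-05-02T09:30:00", "Id": "constructed-0003",
        "Operation": "MailItemsAccessed", "Workload": "Exchange",
        "UserId": "carol@example.com", "ClientIP": "192.0.2.10",
    },
    {
        "CreationTime": "2024-05-02T10:12:31", "Id": "constructed-0004",
        "Operation": "Set-InboxRule", "Workload": "Exchange",
        "UserId": "dave@example.com", "ClientIP": "192.0.2.44",
        "Parameters": [
            {"Name": "Identity", "Value": "Newsletters"},
            {"Name": "MoveToFolder", "Value": "Newsletters"},
        ],
    },
])

_ADDRESS = re.compile(r"[\w.+-]+@[\w.-]+")


def parameters(record: dict[str, Any]) -> dict[str, str]:
    """Flatten the Name/Value parameter list into a dict (empty if absent)."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def addresses(value: str) -> list[str]:
    """Extract SMTP addresses from values like 'smtp:user@host' or a quoted list."""
    return [m.group(0).lower() for m in _ADDRESS.finditer(value)]


def find_external_forwarding(blob: str, internal_domains: set[str]) -> list[dict[str, str]]:
    """Return one finding per forwarding destination outside internal_domains."""
    findings: list[dict[str, str]] = []
    for rec in json.loads(blob):
        if rec.get("Operation") not in FORWARDING_OPERATIONS:
            continue
        params = parameters(rec)
        for name, value in params.items():
            if name not in FORWARDING_PARAMETERS:
                continue
            for addr in addresses(value):
                if addr.rsplit("@", 1)[1] in internal_domains:
                    continue  # internal destination: routine, not flagged
                findings.append({
                    "time": rec.get("CreationTime", ""),
                    "user": rec.get("UserId", ""),
                    "client_ip": rec.get("ClientIP", ""),
                    "operation": rec["Operation"],
                    "parameter": name,
                    "target": addr,
                    # A rule that also deletes the message hides the forwarded copy.
                    "deletes_copy": params.get("DeleteMessage", "False"),
                })
    return findings


if __name__ == "__main__":
    for finding in find_external_forwarding(SAMPLE_BLOB, INTERNAL_DOMAINS):
        print(finding)
```

Only the first constructed record is reported: it forwards to a domain outside `INTERNAL_DOMAINS` and also deletes the original, the combination that leaves no trace in the user's mailbox. The internal Set-Mailbox forwarding, the MailItemsAccessed event and the folder-move rule are left alone, which keeps the check quiet on routine administration.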
Troubleshooting
No audit events: Exchange Online audit logging is enabled by default for E3/E5. For E1, enable it manually.
Missing mailbox audit: Mailbox audit logging is on by default since January 2019.
Data latency: content from the Office 365 Management API may lag the underlying event by 12-24 hours, regardless of the collector's poll interval.
Contact kyra@seekerslab.com for support.