6.9 Configuring Microsoft Exchange Monitoring

Change Guardian monitors the following in Microsoft Exchange:

Exchange Settings
Mailbox Accounts
Mailbox Messages
Management Role Groups

This section provides the following information:

The following diagram illustrates how Change Guardian collects events from Exchange server:

Figure 6-3 Microsoft Exchange Monitoring using Change Guardian

The deployment diagram illustrates the following:

Change Guardian Event Collector Addon for Windows Agent acts as the interface between Microsoft Exchange and Change Guardian. Change Guardian Event Collector Addon for Windows Agent pulls change event data from Exchange and stores the event details in a CEF log file.
Change Guardian Agent for Windows reads from the CEF log file and sends the event details to the Change Guardian server.

6.9.1 Implementation Checklist

Complete the following the tasks to start monitoring Microsoft Exchange events:

Task	See
Complete the prerequisites	Prerequisites
Add the license key	Adding License for Applications
Configure Change Guardian for monitoring	Enabling Exchange Monitoring Categories of Change Guardian Policies for Microsoft Exchange Assigning Policies and Policy Sets
Triage events	Section 8.0, Configuring Events Section 9.0, Configuring Alerts

6.9.2 Prerequisites

Complete the following tasks in the same order:

IMPORTANT:Install Change Guardian Event Collector Addon for Windows Agent and Change Guardian Agent for Windows on the same machine as Microsoft Exchange server.

6.9.3 Configuring Change Guardian for Monitoring

You must configure the Change Guardian server to receive Exchange event logs from Change Guardian Event Collector Addon for Windows Agent.

Enabling Exchange Monitoring

Ensure that you have added Exchange assets in Agent Manager.

To enable monitoring:

In Agent Manager, select the asset and click Manage Installations > Install Agents.

Or

In Agent Manager, select the asset and click Manage Installations > Reconfigure Agents.
In the Reconfigure Agent page, select Enable Collector Plugin under Edit Agent Configuration.
Specify the location to store CEF events in CEF Data Output Path.

NOTE:Ensure that the value in CEF Data Output Path matches the CEF data path you specify during Change Guardian Event Collector Addon for Windows Agent installation. You can get the CEF data path from the ceffolder parameter in <installation_directory>\current\user\agent\agent.properties.

Adding Exchange Mailbox Alias

To receive mailbox events, add the Exchange mailbox alias in Change Guardian Event Collector Addon for Windows Agent.

To add:

Launch Change Guardian Event Collector Addon for Windows Agent.
Under Select the collector to configure, click Modify next to Exchange.
Click Next.
On What would you like to do? screen, click Modify Connector > Next.
On What would you like to do with the connector? screen, click Modify connector parameters > Next.
On Modify table parameters screen, add the alias name as a new row.
On Would you like to continue or exit? screen, click Exit.
Open Windows Services and restart the ArcSight Microsoft Exchange PowerShell service.

6.9.4 Categories of Change Guardian Policies for Microsoft Exchange

Exchange Settings: Policies about creating and deleting configuration settings

Mailbox Accounts: Policies about creating, deleting and moving of mailbox accounts, and enabling and disabling mailbox accounts

Mailbox Messages: Policies about sending, moving, deleting messages, and so on

Management Role Groups: Policies about adding, deleting, and modifying role group, adding and removing group member, and so on

For information about creating policies, see Creating Policies.

After creating policies, you can assign them to assets. For information about assigning policies, see Assigning Policies and Policy Sets.

NOTE:While creating mailbox policies, you do not have to configure LDAP settings to browse the Exchange server mailboxes.