A few things that come to mind that I have monitored for in the past:
- Someone opening another user's mailbox (can also track public folders)
- Someone using "send as" or delegated rights to reply to an email
- Any virus activity that was detected that plugs into Exchange's APIs for that kind of stuff
- Failed logons in general
- Failed attempts to open another user's mailbox
- Unexpected activity on the Exchange server, including:
  - Any of the Exchange services stopping (ESPECIALLY the Message Store) or causing errors
  - Someone logging on directly to the Exchange server, successful or failed
  - Shutdown/reboots of the server
  - Disk space problems or other disk errors
  - If you're using performance counters, thresholds for very low available memory can be useful
I'd start with a filter that just shows Exchange server activity (i.e. "Any Alert.InsertionIP = *exchange server name*") to give you the high-level overview of what's going on. Some of the events will come from the regular Windows event logs, some will come from the Exchange-specific stuff. If you want to look for only one or the other, you can use ToolAlias as a shortcut to narrow to just that tool (i.e. AnyAlert.ToolAlias = "*exchange*", or whatever it's called). You might have to start filtering OUT things you don't want to see - toggle the outer filter group to an AND and start adding stuff like AnyAlert.ProviderSID /= (not equal) "Security 560" (to filter out Security 560 events from showing in the filter and clogging it up).
If it would help to give specific alerts and examples, I can do a little more digging. I saw most of this stuff pretty regularly through the course of the day, but if it's bogged down by noise in your Console it might be easier to start with a little more info.
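
Added example, not part of the original post and not the product's own code: a small Python model of the three filter stages described above (server overview, ToolAlias narrowing, AND-group with a "not equal" exclusion), plus a volume count to pick what to exclude next. The field names come from the post; the host names, ToolAlias values and all sample events are constructed, and the wildcard matching semantics are an assumption.

```python
from collections import Counter
from fnmatch import fnmatchcase

# Constructed sample events (InsertionIP, ToolAlias, ProviderSID); values are made up.
EVENTS = [dict(zip(("InsertionIP", "ToolAlias", "ProviderSID"), row)) for row in [
    ("exch01", "Windows Security", "Security 560"),
    ("exch01", "Windows Security", "Security 560"),
    ("exch01", "Windows Security", "Security 560"),
    ("exch01", "Windows Security", "Security 529"),
    ("exch01", "Exchange Application Log", "MSExchangeIS 1016"),
    ("exch01", "Windows System", "Service Control Manager 7036"),
    ("dc01", "Windows Security", "Security 560"),
    ("exch01", "Exchange Application Log", "MSExchangeIS 1016"),
]]

def cond(field, op, pattern):
    """One condition: op is '=' or '/=' (not equal); '*' is a wildcard."""
    def test(event):
        hit = fnmatchcase(str(event.get(field, "")).lower(), pattern.lower())
        return hit if op == "=" else not hit
    return test

def group(mode, *tests):
    """Filter group: 'AND' needs every condition, 'OR' needs at least one."""
    combine = all if mode == "AND" else any
    return lambda event: combine(t(event) for t in tests)

def apply_filter(flt, events):
    return [e for e in events if flt(e)]

def noisiest(events, n=3):
    """Rank ProviderSID values by volume: candidates for a '/=' exclusion."""
    return Counter(e["ProviderSID"] for e in events).most_common(n)

# Stage 1: high-level overview of everything from the Exchange server.
overview = group("AND", cond("InsertionIP", "=", "exch01"))
# Stage 2: narrow to the Exchange-specific tool only.
exchange_only = group("AND", cond("InsertionIP", "=", "exch01"),
                      cond("ToolAlias", "=", "*exchange*"))
# Stage 3: overview with the outer group as AND and the noisy event filtered out.
tuned = group("AND", cond("InsertionIP", "=", "exch01"),
              cond("ProviderSID", "/=", "Security 560"))

if __name__ == "__main__":
    print("overview:", len(apply_filter(overview, EVENTS)))
    print("top noise:", noisiest(apply_filter(overview, EVENTS), 1))
    for e in apply_filter(tuned, EVENTS):
        print("kept:", e["ToolAlias"], "/", e["ProviderSID"])
```

Running `noisiest` on the stage 1 result before writing exclusions shows which ProviderSID values dominate the view, so each "/=" condition removes measured noise rather than guessed noise.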