Use Case: Who's Peeking In Calendars, Mailboxes, Sending Impersonated E-mails or On Behalf Of?

Document created by StevenvandeBraak on Jul 7, 2010

For one of my customers I created a parser for custom Microsoft Exchange audit logs using the Windows Unified Connector

 

This use case is a very interesting one as it reveals who is looking in each other's calendars and mailboxes and/or sending mails on behalf of those persons. The logs here are not the ones from the Exchange MTA but the custom audit logs that you can create within Exchange. The Unified Connector normally just parses the message headers from these logs and doesn't give you any useful information.

 

With Microsoft Exchange it is possible to create custom audit logs and put them into a dedicated Eventlog container. Read about it here:

Using the Windows Unified Connector it is possible to read these logs, but the important data in the logs is stored in the Windows event description field. To extract this data you'll need to write a key parser with conditional mappings for each event ID (sdkkeyvaluefilereader.properties), looking up the keys in the raw event that ArcSight generates.

 

This case uses three events from the custom Exchange logs:

EventID 10100 : {Mailbox Or Calendar X} Opened By {User Y}
EventID 10104 : {User X} Sent A Message On Behalf Of {User Y}
EventID 10106 : {User X} Sent A Message As {User Y}
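To show what the key parser with per-event conditional mappings has to do with these three event IDs, here is an added example in Python. It is not the author's properties file and not ArcSight code: it splits the description field into key/value pairs, applies a different key mapping per event ID, and keeps only the events where the acting user is not the mailbox owner or the sender identity (the "who's peeking" question). The description layouts and account names in SAMPLE_EVENTS are constructed for the example and are an assumption, not the real Exchange wording; the real layout is in the attached file.

```python
"""Toy key/value parser for Exchange mailbox-access audit events.

Added example, not the author's FlexConnector. The description text below
is constructed; the key names are assumptions about the event layout.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample records: (event_id, Windows event description field).
SAMPLE_EVENTS: List[Tuple[int, str]] = [
    (10100, "Mailbox owner: CORP\\cfo\nFolder: Calendar\nOpened by: CORP\\jdoe"),
    (10100, "Mailbox owner: CORP\\jdoe\nFolder: Inbox\nOpened by: CORP\\jdoe"),
    (10104, "Sender: CORP\\asmith\nOn behalf of: CORP\\cfo\nSubject: Q3 numbers"),
    (10106, "Sender: CORP\\asmith\nSent as: CORP\\cfo\nSubject: Wire instructions"),
    (10200, "Some other MSExchange Auditing event the parser does not map"),
]


@dataclass
class AuditEvent:
    event_id: int
    actor: str        # who performed the action
    target: str       # whose mailbox / identity was used
    action: str       # human-readable action name
    resource_type: str = ""   # Mailbox folder for 10100, empty otherwise
    subject: str = ""         # message subject for 10104/10106


# Conditional mapping per event ID: which description key supplies the
# actor and the target, and what name the event gets. Unmapped IDs are
# deliberately absent so they are never half-mapped.
CONDITIONAL_MAP: Dict[int, Dict[str, str]] = {
    10100: {"actor": "Opened by", "target": "Mailbox owner", "action": "opened"},
    10104: {"actor": "Sender", "target": "On behalf of", "action": "sent on behalf of"},
    10106: {"actor": "Sender", "target": "Sent as", "action": "sent as"},
}


def parse_key_values(description: str) -> Dict[str, str]:
    """Split 'Key: value' lines of the description field into a dict."""
    kv: Dict[str, str] = {}
    for line in description.splitlines():
        if ": " not in line:
            continue
        key, value = line.split(": ", 1)
        kv[key.strip()] = value.strip()
    return kv


def parse_event(event_id: int, description: str) -> Optional[AuditEvent]:
    """Apply the mapping for this event ID; None if unmapped or malformed."""
    mapping = CONDITIONAL_MAP.get(event_id)
    if mapping is None:
        return None
    kv = parse_key_values(description)
    try:
        actor = kv[mapping["actor"]]
        target = kv[mapping["target"]]
    except KeyError:
        # Layout differs from the mapping: drop rather than emit a wrong event.
        return None
    return AuditEvent(event_id, actor, target, mapping["action"],
                      kv.get("Folder", ""), kv.get("Subject", ""))


def cross_user_events(records: List[Tuple[int, str]]) -> List[AuditEvent]:
    """Keep only events where someone acts on another user's mailbox/identity."""
    hits: List[AuditEvent] = []
    for event_id, description in records:
        ev = parse_event(event_id, description)
        if ev is not None and ev.actor.lower() != ev.target.lower():
            hits.append(ev)
    return hits


def describe(ev: AuditEvent) -> str:
    """One-line summary suitable for an alert or report row."""
    what = f"{ev.target}'s {ev.resource_type}" if ev.event_id == 10100 else ev.target
    text = f"{ev.actor} {ev.action} {what}"
    if ev.subject:
        text += f' ("{ev.subject}")'
    return text


if __name__ == "__main__":
    for hit in cross_user_events(SAMPLE_EVENTS):
        print(hit.event_id, describe(hit))
```

Running it lists the cross-user access and the two impersonated sends, and silently skips both the owner opening their own Inbox and the unmapped event ID, which is the behaviour you want from the conditional mappings: an event ID without a mapping must not borrow another event's field assignments.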

 

The attached txt file has all the info you need to create the parser and has all the raw sample data included.

Actually you can use the parser by renaming the file to:

exchange_auditing.msexchangeis_auditing.sdkkeyvaluefilereader.properties

 

and putting it in the right folder. All info is inside the file.

 

Key Parser File name    : ~\user\agent\fcp\windowsfg\windows_2003\exchange_auditing.msexchangeis_auditing.sdkkeyvaluefilereader.properties
For Win2K8        : ~\user\agent\fcp\windowsfg\windows_2008\exchange_auditing.msexchangeis_auditing.sdkkeyvaluefilereader.properties

 

If you do not have the directories windows_2003 or windows_2008, just create them.

 

Cheers,

Steven
