• State Not Answered
  • Locked Locked
  • Replies 2 replies
  • Subscribers 22 subscribers
  • Views 680 views
  • Users 0 members are here
Options
Related
This discussion has been locked. The information referenced herein may be inaccurate due to age, software updates, or external references.
You can no longer post new replies to this discussion. If you have a similar question you can start a new discussion in this forum.

Using LEM to log and report OWA authentication request events

FormerMember
FormerMember

Hello all,

I am attempting to configure LEM to audit and report OWA authentication request events. As at time of posting, I have installed the agent to the Domain Controller and Exchange server where OWA is hosted and enabled the IIS 7.0 connector to collect and send IIS log entries.

LEM is collecting logon events from the DC and WebTrafficAudit events from the IIS log.

What I am trying to distinguish is whether the events received are clearly identifiable to be appliable to OWA authentication requests. Once I am able to do this, I can generate a rule to action an infer alert and report on occurrences of infer alerts between a time period.

It would be desirable to distinguish between logon success and failure events, to help identify potential unauthorised access attempts.

Thanks in advance,

-Garreth

  • FormerMember
    0 FormerMember

    Update: Since posting, I am able to perform an nDepth search to find failed authentication requests to OWA.

    Refine the query with the following conditions:

    WebTrafficAudit.AlertActivityType=HTTP-401 AND WebTrafficAudit.URL=<URL> (e.g. 192.168.0.1/owa/auth.owa)

    nDepth Conditions OWA fail Auth.png

    Specify a time period and run the search.

    I am yet to distinguish auth success events generated by users logging into OWA and not general navigation through OWA. Any help on refining my results to show only these events would be highly appreciated.

    -Garreth

  • FormerMember
    0 FormerMember in reply to FormerMember

    It's been a while since I had to manage OWA so I'm pulling from a part of my memory that might be hazy, so here's the other way I'd approach it.

    There should be actual UserLogon/UserLogoff/UserLogonFailure events generated from authentication to Exchange. Now, there's a possibility that this stuff is hidden in the Exchange audit logs, which are buried in the Exchange database and not the Event Logs, but since we're talking domain credentials I think there might be a couple of other directions to dig in.

    First, look at the UserLogon, UserLogonFailure, and UserLogoff events that are generated ON the Exchange server. Look at the "LogonType" and see if you can tell OWA logins apart from other logins. I want to say there's a handoff between IIS and Exchange that makes them look like IIS logons by that user, but I can't quite remember what it looks like. You'll need to be auditing account logon (and possibly logon) success/failure on the Exchange server to see this.

    UserLogon.InsertionIP = <exchange/OWA server>

    (refine from there - UserLogon.LogonType, etc)

    Next, there should be a UserAuthTicket/AuthTicketFailure at the least that happens on the DC as the Exchange/OWA server pings the DC to check the kerberos auth ticket. There's a small possibility that it'll be an actual logon, but I think an AuthTicket/Failure are more likely. You'll have to be auditing the ticket requests/failures on the DC (which tend to be redundant to actual logons) to see this. It's likely that it'll have a SourceMachine of your Exchange/OWA servers.

    UserAuthTicket.SourceMachine = <exchange/OWA server, possibly by IP>

    With the IIS data for successes you might look for the first hit to an actual URL that's not the /auth.owa URL - maybe a URL with an actual value attached? Or a URL that's not / or /auth.owa? I can't quite remember the flow of the URLs (and I know they changed what gets logged after 2003 where you could see subjects of emails in bare URLs).

    I might have some old OWA data I can dig in to help take a look - some things don't change. emoticons_wink.png

SolarWinds solutions are rooted in our deep connection to our user base in the THWACK® online community. More than 195,000 members are here to solve problems, share technology and best practices, and directly contribute to our product development process.

SolarWinds Customer Success Center Certification Media Vault Link Accounts
About THWACK Blogs For Government Edit Settings Free Tools & Trials
Legal Documents Terms of Use Privacy California Privacy Rights Security Information
©2024 SolarWinds Worldwide, LLC. All Rights Reserved.