2 Replies Latest reply on Sep 12, 2013 11:52 AM by nicole pauls

    Using LEM to log and report OWA authentication request events

    garrethcoleman

      Hello all,

       

      I am attempting to configure LEM to audit and report OWA authentication request events. As at time of posting, I have installed the agent to the Domain Controller and Exchange server where OWA is hosted and enabled the IIS 7.0 connector to collect and send IIS log entries.

       

      LEM is collecting logon events from the DC and WebTrafficAudit events from the IIS log.

       

      What I am trying to distinguish is whether the events received are clearly identifiable to be appliable to OWA authentication requests. Once I am able to do this, I can generate a rule to action an infer alert and report on occurrences of infer alerts between a time period.

       

      It would be desirable to distinguish between logon success and failure events, to help identify potential unauthorised access attempts.

       

       

      Thanks in advance,

       

      -Garreth

        • Re: Using LEM to log and report OWA authentication request events
          garrethcoleman

          Update: Since posting, I am able to perform an nDepth search to find failed authentication requests to OWA.

           

          Refine the query with the following conditions:

          WebTrafficAudit.AlertActivityType=HTTP-401 AND WebTrafficAudit.URL=<URL> (e.g. 192.168.0.1/owa/auth.owa)

          nDepth Conditions OWA fail Auth.png

          Specify a time period and run the search.

           

           

           

          I am yet to distinguish auth success events generated by users logging into OWA and not general navigation through OWA. Any help on refining my results to show only these events would be highly appreciated.

           

           

          -Garreth

            • Re: Using LEM to log and report OWA authentication request events
              nicole pauls

              It's been a while since I had to manage OWA so I'm pulling from a part of my memory that might be hazy, so here's the other way I'd approach it.

               

              There should be actual UserLogon/UserLogoff/UserLogonFailure events generated from authentication to Exchange. Now, there's a possibility that this stuff is hidden in the Exchange audit logs, which are buried in the Exchange database and not the Event Logs, but since we're talking domain credentials I think there might be a couple of other directions to dig in.

               

              First, look at the UserLogon, UserLogonFailure, and UserLogoff events that are generated ON the Exchange server. Look at the "LogonType" and see if you can tell OWA logins apart from other logins. I want to say there's a handoff between IIS and Exchange that makes them look like IIS logons by that user, but I can't quite remember what it looks like. You'll need to be auditing account logon (and possibly logon) success/failure on the Exchange server to see this.

               

              UserLogon.InsertionIP = <exchange/OWA server>

              (refine from there - UserLogon.LogonType, etc)

               

              Next, there should be a UserAuthTicket/AuthTicketFailure at the least that happens on the DC as the Exchange/OWA server pings the DC to check the kerberos auth ticket. There's a small possibility that it'll be an actual logon, but I think an AuthTicket/Failure are more likely. You'll have to be auditing the ticket requests/failures on the DC (which tend to be redundant to actual logons) to see this. It's likely that it'll have a SourceMachine of your Exchange/OWA servers.

               

              UserAuthTicket.SourceMachine = <exchange/OWA server, possibly by IP>

               

              With the IIS data for successes you might look for the first hit to an actual URL that's not the /auth.owa URL - maybe a URL with an actual value attached? Or a URL that's not / or /auth.owa? I can't quite remember the flow of the URLs (and I know they changed what gets logged after 2003 where you could see subjects of emails in bare URLs).

               

              I might have some old OWA data I can dig in to help take a look - some things don't change.

              1 of 1 people found this helpful