CUSTOMERS & COMMUNITY

Splunking for a rogue exchange admin

Recently I was speaking with a customer who was concerned that one of the Windows admins was reading the email of regular users. Thought I’d share this tidbit as a simple example of the power of search. In this case, we didn’t even have to go to other data sources other than the relevant event log, though later analysis of netflow logs triangulated from where the admin was connecting to the Exchange server from.

Problem: Senior admin has reason to think another admin is abusing privileges and reading other people’s mail on Exchange.
Use Case: Splunk the Exchange event logs to check for insider threat.
Search 1: bad_admin_username “EventCode=1016”

Finds: User who has opened up a mailbox that is owned by someone else.

Search 2: bad_admin_username “EventCode=1013”

Finds: User who has opened up an additional mailbox. Needed because if the mailbox is shared (ie alias for a particular department) you won’t get a 1016

Use Case 2: Check for network logins by the admin to the Exchange box in the security log. This search will show if they’ve been using the Exchange console to connect remotely and take unauthorized actions
Search: bad_admin_username “Login Type=Network” “Success Audit”

Finds: Shows if admin has been using the Exchange console to connect remotely and take unauthorized actions. Note that you will not know what the action is unless you have turned on more aggressive auditing than the default.

Posted by

Join the Discussion