
Using LEM to locate user account deleting emails from a specific exchange mailbox

Created by Craig O’ Neill, last modified by MindTouch on Jun 23, 2016


Overview

LEM can be used to forensically track suspicious activity. You can build filters or nDepth searches to locate a user account that is deleting emails from a specific Exchange mailbox.

Note: Exchange 2010 and later offer more auditing options.

Environment

  • All LEM versions
  • Exchange 2003

Steps

Notes:

  • Is your Exchange server set up to send the relevant Windows Security events (e.g. Event ID 564) to LEM?
  • Are those events available to read in the Event Viewer on the Exchange server itself?
  • If the answer is 'no', LEM does not have those messages in its database and you will not be able to track the event.

Tracking the deletion may not be possible; here is how to find out:

Using nDepth you can narrow down your search and forensically isolate a particular user. You will need a useful Event ID (the ProviderSID field in LEM).

EXAMPLE:

  • 563  Object Open for Delete
  • 564  Object Deleted

Start by checking for the above Event IDs on the Detection IP of the Exchange server:

Any Alert.DetectionIP = 10.10.10.10 |-AND-| Any Alert.ProviderSID = 564

(10.10.10.10 is an example IP address.)

Other than that there is not much else you can do on Exchange 2003: mailbox auditing was not introduced until Exchange 2010.

You may see unexpected results associated with a particular user.

The process when building a specific filter is to narrow down the filter, recreate the issue, and then narrow further. Generally the narrowing process only has to be done twice unless there are many similar events.
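The nDepth search above and the narrowing process it feeds into can be reproduced offline over a handful of normalized events. The following script is an added example and is not code from the article or from SolarWinds: it applies the same two conditions (DetectionIP equals the Exchange server's IP and ProviderSID equals 564) to a constructed batch of events, performs the pre-check from the notes (are any 563/564 events from that Detection IP present at all?), and then does the second narrowing pass by counting matches per account and per mailbox object. The field names DetectionIP and ProviderSID come from the article; SourceAccount and ObjectName are assumed field names used only for illustration, and all event data is constructed.

```python
"""Added example, not part of the SolarWinds article.

Reproduces the nDepth expression
    Any Alert.DetectionIP = 10.10.10.10 |-AND-| Any Alert.ProviderSID = 564
over constructed sample events and then narrows the matches by account,
as the article's "narrow, recreate, narrow again" process describes.
"""
from collections import Counter

EXCHANGE_IP = "10.10.10.10"          # example IP address from the article
OBJECT_OPEN_FOR_DELETE = 563         # Windows Security Event ID (from the article)
OBJECT_DELETED = 564                 # Windows Security Event ID (from the article)

# Constructed sample events, not real log data. DetectionIP and ProviderSID
# are LEM field names from the article; SourceAccount and ObjectName are
# assumed names for the account and the audited object.
SAMPLE_EVENTS = [
    {"DetectionIP": "10.10.10.10", "ProviderSID": 564, "SourceAccount": "CORP\\alice",      "ObjectName": "Mailbox - Finance"},
    {"DetectionIP": "10.10.10.10", "ProviderSID": 563, "SourceAccount": "CORP\\alice",      "ObjectName": "Mailbox - Finance"},
    {"DetectionIP": "10.10.10.10", "ProviderSID": 564, "SourceAccount": "CORP\\svc-backup", "ObjectName": "Mailbox - Finance"},
    {"DetectionIP": "10.10.10.10", "ProviderSID": 564, "SourceAccount": "CORP\\svc-backup", "ObjectName": "Mailbox - Finance"},
    {"DetectionIP": "10.10.10.10", "ProviderSID": 564, "SourceAccount": "CORP\\svc-backup", "ObjectName": "Mailbox - Finance"},
    {"DetectionIP": "10.10.10.11", "ProviderSID": 564, "SourceAccount": "CORP\\bob",        "ObjectName": "Mailbox - Sales"},    # other host
    {"DetectionIP": "10.10.10.10", "ProviderSID": 560, "SourceAccount": "CORP\\carol",      "ObjectName": "Mailbox - Finance"},  # not a delete event
]


def has_required_events(events, detection_ip):
    """Pre-check from the article's notes: if no 563/564 events from the
    Exchange server's Detection IP ever reached LEM, the deletion cannot
    be tracked and there is no point building a finer filter."""
    wanted = (OBJECT_OPEN_FOR_DELETE, OBJECT_DELETED)
    return any(e.get("DetectionIP") == detection_ip and e.get("ProviderSID") in wanted
               for e in events)


def match_filter(events, detection_ip, provider_sid):
    """Equivalent of: Any Alert.DetectionIP = X |-AND-| Any Alert.ProviderSID = Y."""
    return [e for e in events
            if e.get("DetectionIP") == detection_ip and e.get("ProviderSID") == provider_sid]


def narrow_by_account(events, detection_ip, provider_sid, object_name=None):
    """Second narrowing pass: count the matching events per account, optionally
    restricted to one mailbox object, so the account that stands out is visible."""
    matches = match_filter(events, detection_ip, provider_sid)
    if object_name is not None:
        matches = [e for e in matches if e.get("ObjectName") == object_name]
    return Counter(e.get("SourceAccount", "<unknown>") for e in matches)


if __name__ == "__main__":
    if not has_required_events(SAMPLE_EVENTS, EXCHANGE_IP):
        raise SystemExit("No 563/564 events from the Exchange server in LEM; cannot track deletions.")
    first_pass = match_filter(SAMPLE_EVENTS, EXCHANGE_IP, OBJECT_DELETED)
    print(f"{len(first_pass)} 'Object Deleted' events from {EXCHANGE_IP}")
    for account, count in narrow_by_account(SAMPLE_EVENTS, EXCHANGE_IP, OBJECT_DELETED,
                                            "Mailbox - Finance").most_common():
        print(f"  {account}: {count}")
```

In a real investigation the second pass is where the "unexpected results associated with a particular user" show up: a service account with many Object Deleted events against one mailbox is the kind of result worth pairing with the matching 563 (Object Open for Delete) events before drawing conclusions.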


The following documents provide guidelines on the filter and rule creation process:

SolarWinds Technical Reference

Creating Rules in Your SolarWinds Log & Event Manager Console

How to Create Filters in Your SolarWinds LEM Console to Pinpoint Events of Interest
