2

I have a mailbox user (Exchange 2016) who belief that his mailbox was hacked.
So I want to audit the access to his mailbox.
I enabled audit via Set-Mailbox -Identity "Ben Smith" -AuditEnabled $true

But it seems that via ECP I just can check which other Users or Administrators tried to access that mailbox.

If the mailbox was hacked it should show access from user itself, but there is no option for this purpose.

How can I audit this mailbox to get access statistics like last login, IP, maybe device and so on?

fips123
  • 361
  • 1
  • 5
  • 17

1 Answers1

2

You could check client logon for each protocol succeeded or failed via IIS log and event log. Firstly find results of client logon successfully or failed on the event log ,then you could check the detailed information for user accounts and protocols through IIS log.

  1.Event log   Event log in Exchange would record client logon status. You could go to Windows Logs -> Security section, the logs record client logon status.   (a).If a user account logon client successfully, an event id 4624 would be generated. (b).If a user account logon client fails, an event id 4625 would be generated.   enter image description here   2.IIS log    Then, we could see the specific user access time, user name ,logon type and logon status through IIS logs. IIS logs location is below:    C:\inetpub\logs\LogFiles\W3SVC1   To view IIS logs on Exchange more clearly, I recommend you to use Excel to import the logs and then analyze them with different columns. Here are the specific steps:

(a).Remove headers starting with a # character in IIS logs.it's convenient to form columns when you open with Excel. enter image description here  

(b).Open an empty Excel spreadsheet and click File> Open, select  IIS log. After opening, select the Delimited filter type. Next, select  Space  and click on Finish. There are some codes listed in IIS log:  

• Date (date) • Time (time, timezone (GMT) ) • Client IP Address (c-ip) • User Name (cs-username) • Method (cs-method) • URI Stem (cs-uri-stem) • URI Query (cs-uri-query) • Protocol Status (sc-status) • Win32 Status (sc-win32-status) • Bytes Sent (sc-bytes) • Time Taken (time-taken) • Host (cs-host) • User Agent (cs(User-Agent)) • Referer (cs(Referer))  

In the  code "cs-status", 200 OK success status response code indicates that the request has succeeded(logon successfully). 401 unauthorized client error status response code indicates that the request has not been applied because it lacks valid authentication credentials for the target resource(logon failed).

  enter image description here   More references, please see :https://blogs.msdn.microsoft.com/friis/2014/01/09/how-to-use-excel-to-analyse-iis-logs/  

3-1.For Outlook Web Access, we could check event log mainly, it Accurately records logon time, account name andlogon status. The IIS log also recorded logon status, logon time and logon type.

 enter image description here  

3-2.For Outlook Anywhere, in Exchange Server 2016, MAPI over HTTP is enabled by default at the organization level. But, Outlook clients that are not MAPI over HTTP capable can still use Outlook Anywhere (RPC over HTTP) to access Exchange through a MAPI-enabled Client Access server. We could check event log mainly, it recorded logon status, account name and logon time. The IIS log also accurately records logon time, logon type and login status.

 enter image description here  

3-3.For Exchange Activesync, We could check event log mainly, it recorded logon status, account name and logon time. The IIS log also accurately records logon time, logon type and login status. enter image description here enter image description here

Kelvin_D
  • 301
  • 1
  • 3
  • Thanks for your great reply! I solved it via Logfiles located at C:\inetpub\logs\LogFiles\W3SVC1. I wrote a PHP script which prepares that data and queries the IPs with the Maxmind GeoIP Database. – fips123 Jan 08 '19 at 14:50