exchange Collection by crowdsecurity

Installation

cscli collections install crowdsecurity/exchange

Source code

A collection for Microsoft Exchange:

Detect bruteforce on an OWA instance
Detect bruteforce on the SMTP service of Exchange

Note:

This collection will read the exchange transport logs, which are not written to disk in real time. In order to avoid false positive in low traffic environment, set the use_time_machine parameter to true.

Example acquisition for this collection:

1use_time_machine: true #Process logs as if we were replaying them to get the timestamp from the 
2filenames:
3  - C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive\*.LOG
4labels:
5  type: exchange-smtp
6---
7use_time_machine: true #Process logs as if we were replaying them to get the timestamp from the 
8filenames:
9  - C:\Program Files\Microsoft\Exchange Server\V15\Logging\Imap4\*.LOG
10labels:
11  type: exchange-imap
12---
13use_time_machine: true #Process logs as if we were replaying them to get the timestamp from the 
14filenames:
15  - C:\Program Files\Microsoft\Exchange Server\V15\Logging\Pop3\*.LOG
16labels:
17  type: exchange-pop
18---
19#OWA failed attempts are logged in the same way as RDP failed auth 
20source: wineventlog
21event_channel: Security
22event_ids:
23 - 4625
24event_level: information
25labels:
26 type: eventlog

Content

Hub collection

« exchange »Collection
v0.3 by crowdsecurity

exchange-smtp-logs

exchange-imap-logs

exchange-pop-logs

windows

iis

exchange-bf

windows-bf

Hub collection

« exchange »Collectionv0.3 by crowdsecurity

exchange-smtp-logs

exchange-imap-logs

exchange-pop-logs

windows

iis

exchange-bf

windows-bf

« exchange »Collection
v0.3 by crowdsecurity