Rapid7's monitoring of OWA/ActiveSync activity understands that these act just like IIS components. Therefore, you can configure a directory watcher on the collector to monitor the IIS logs of the computer running the Exchange software, and look for web requests that match OWA/ActiveSync signatures.
If you have a load balancer, such as a NetScaler, in front of your OWA/Exchange servers, you may find that the source IP logged for every user is the load balancer's address instead of the user's true IP address.
To fix this, you must add an X-Forwarded-For header on the load balancer and log it with IIS. You can learn more about how to do this here.
In order to have the Collector ingest logs from Microsoft Outlook Web Access (OWA) and ActiveSync services, perform the following steps on the server side:
- Determine the destination folder for the logs that the Internet Information Services (IIS) process responsible for running OWA/ActiveSync generates.
- Ensure that the IIS logs the expected fields to the log files.
- Share the log folder with a read-only credential that is also to be entered in InsightIDR.
Perform the following steps:
- Gather the OWA/ActiveSync logs for InsightIDR to determine which server is responsible for handling OWA/ActiveSync client requests.
- Launch the IIS Manager from the Start menu.
- Click the Logging icon in the IIS Manager.
- The Logging module displays where the IIS logs are recorded as well as how to specify the exact fields to log. Make a note of the log folder because you will need to enter this folder in the InsightIDR event source.
- Click the Select Fields button to select the appropriate fields to log.
The fields selected for the log file should exactly match those displayed in the following screen.
- Click the OK button to save your changes.
Configure the log folder to allow the Collector to reach the logs.
- In Windows Explorer, right-click on the IIS log folder and click Properties.
- In Properties under Advanced Sharing, tick Share this folder, then click the Permissions button.
- Click Add… and provide the credential that will have access to this directory. The user name and password for this credential will also be entered in InsightIDR when the OWA/ActiveSync event source is set up.
You can configure the OWA event source to read the shared folder via UNC notation and by providing the credential that was used when setting up the shared folder. UNC notation is Microsoft's Universal Naming Convention which is a common syntax used to describe the location of a network resource.
Note: Mobile provider GeoIPs do not show up on your ingress activity map because geolocation for these IP ranges is typically extremely inaccurate. Mobile logons via wireless networks will still show up on your ingress map.
Perform the following steps to configure OWA with InsightIDR.
- Select Microsoft ActiveSync & Outlook Web Access from the Event Source drop-down list.
- Optionally, enter a display name for this event source in the Display Name field.
- Click the Watch Directory button to define the Collection Method.
- Tick Watch Shared Remote Directory.
- Select the appropriate credential from the Credential drop-down list.
- Enter the user name in the Username field.
- Select the appropriate type from the Type drop-down list. In this example, password is selected.
- Enter the folder path in the Folder Path field.
- Click the Save button.
The different logging formats for IIS logs are detailed here. InsightIDR only supports logs in the W3C Extended Log File Format (ELFF). The logs must contain the correct fields in the order specified below. Additional fields may be present in the logs, but they must come after the 'sc-win32-status' field.
If there is an MDM, load balancer, or some other device between the external endpoint connecting to ActiveSync and the ActiveSync server, the "source IP" in the IIS logs for ActiveSync will be wrong: it will be the IP of the intermediate device rather than the true source IP of the external endpoint, and you won't get any ingress activity on your map.
Each of these appliances has its own way of passing the true source IP in a custom HTTP request header. To fix this, complete the following:
- Go to the Exchange server to configure it for advanced logging and configure the advanced logs to match exactly the basic logs
- Substitute the source IP (which will be the intermediate appliance, in this case) with the new field the appliance has added which represents the true source IP of the external endpoint.
Microsoft documentation on advanced logging is located here.
Notice how you add fields. Compare some of the actual logs coming out of the advanced logger to the logs coming out of the basic logger. You may have to make a few changes to the advanced logger the first time to make sure the fields are the ones you want and that they are in the proper order.
You can learn about enhanced logging here.
The field ordering is the following:
date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
Note: c-ip will be substituted with the true source IP address, which is the custom field mentioned above that the load balancer populates.
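To make the field-ordering rule and the source-IP substitution concrete, here is an added Python example (not Rapid7's code, not part of the original page) that parses a W3C extended IIS log, rejects a `#Fields` header whose first 13 fields are not in the required order, and recovers the true client address when `c-ip` is a known intermediate device. The sample log lines are constructed; the custom field name `X-Forwarded-For`, the load balancer address `10.0.0.5`, and the names `parse_iis_log`, `check_field_order` and `true_client_ip` are assumptions made for this example, since the exact custom field name depends on what you configured in IIS enhanced logging.

```python
"""Parse IIS W3C extended (ELFF) logs for OWA/ActiveSync, check field order,
and recover the true client IP when a load balancer sits in front of IIS."""
from dataclasses import dataclass
from typing import Iterator, Optional

# The 13 standard fields, in the order the page says InsightIDR requires.
REQUIRED_FIELDS = [
    "date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
    "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status",
    "sc-substatus", "sc-win32-status",
]

# Assumed name of the custom field added via IIS enhanced logging; it must
# appear after sc-win32-status. Adjust to whatever you configured.
TRUE_IP_FIELD = "X-Forwarded-For"

# Constructed sample log: a load balancer at 10.0.0.5 fronts OWA/ActiveSync.
# Line 3 is a direct internal connection (no forwarded address); line 4
# carries a forwarded chain, which IIS logs with '+' in place of spaces.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-01-15 08:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status X-Forwarded-For
2024-01-15 08:00:01 192.168.1.10 POST /owa/auth.owa - 443 - 10.0.0.5 Mozilla/5.0 302 0 0 203.0.113.7
2024-01-15 08:00:02 192.168.1.10 POST /Microsoft-Server-ActiveSync User=jdoe&DeviceId=ABC123&Cmd=Sync 443 CORP\\jdoe 10.0.0.5 Apple-iPhone/1.0 200 0 0 198.51.100.23
2024-01-15 08:00:03 192.168.1.10 GET /owa/ - 443 CORP\\asmith 192.168.1.55 Mozilla/5.0 200 0 0 -
2024-01-15 08:00:04 192.168.1.10 POST /owa/auth.owa - 443 - 10.0.0.5 Mozilla/5.0 401 2 5 203.0.113.9,+10.0.0.5
"""


@dataclass
class OwaRequest:
    timestamp: str
    username: str
    uri_stem: str
    status: int
    client_ip: str    # the address the ingress map should attribute the logon to
    via_proxy: bool   # True when c-ip was an intermediate device and was replaced


class FieldOrderError(ValueError):
    """Raised when the #Fields header does not start with the required order."""


def check_field_order(fields: list) -> None:
    """The 13 standard fields must come first and in order; extras may follow."""
    prefix = fields[:len(REQUIRED_FIELDS)]
    if prefix != REQUIRED_FIELDS:
        raise FieldOrderError(f"expected {REQUIRED_FIELDS}, got {prefix}")


def true_client_ip(record: dict, proxy_ips: set) -> tuple:
    """Return (ip, via_proxy).

    If c-ip is a known intermediate device and the custom field carries an
    address, take the first address in the forwarded chain (the original
    client). Otherwise c-ip already is the real endpoint.
    """
    c_ip = record["c-ip"]
    forwarded = record.get(TRUE_IP_FIELD, "-")
    if c_ip in proxy_ips and forwarded != "-":
        return forwarded.split(",")[0].strip("+ "), True
    return c_ip, False


def parse_iis_log(text: str, proxy_ips: set) -> Iterator[OwaRequest]:
    """Yield one OwaRequest per data line, validating the #Fields header."""
    fields: Optional[list] = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            check_field_order(fields)
            continue
        if line.startswith("#") or not line.strip():
            continue  # other directives and blank lines
        if fields is None:
            raise FieldOrderError("data line encountered before #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misattribute a logon
        record = dict(zip(fields, values))
        ip, via_proxy = true_client_ip(record, proxy_ips)
        yield OwaRequest(
            timestamp=f"{record['date']} {record['time']}",
            username=record["cs-username"],
            uri_stem=record["cs-uri-stem"],
            status=int(record["sc-status"]),
            client_ip=ip,
            via_proxy=via_proxy,
        )


def parse_sample() -> list:
    """Parse the constructed sample with 10.0.0.5 declared as the load balancer."""
    return list(parse_iis_log(SAMPLE_LOG, proxy_ips={"10.0.0.5"}))


if __name__ == "__main__":
    for request in parse_sample():
        print(request)
```

Only addresses that are explicitly declared as intermediate devices get substituted; a forwarded header on a request that arrived directly is ignored, because that header is client-controlled and would otherwise let anyone spoof their ingress location.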