Exchange Email Messages
Vendor Documentation
Classification
| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| Exchange Email Messages | Base Rule | General Email Handling Message | Information |
| Added Mailbox Permission | Sub Rule | Configuration Enabled : Application | Configuration |
| Enabled Address List Paging | Sub Rule | Configuration Enabled : Application | Configuration |
| Enabled Mailbox | Sub Rule | Configuration Enabled : Application | Configuration |
| Installed Admin Config | Sub Rule | Configuration Enabled : System | Configuration |
| Installed Data Config | Sub Rule | Configuration Enabled : System | Configuration |
| Installed Default Policy | Sub Rule | Configuration Deleted : Application | Configuration |
| Installed Resource Config | Sub Rule | Policy Enabled : Object | Policy |
| New Exchange Config | Sub Rule | Configuration Enabled : System | Configuration |
| Set Admin Config | Sub Rule | Configuration Loaded : Network Access | Configuration |
| Set Exchange Config | Sub Rule | Configuration Enabled : Application | Configuration |
| Set Mailbox | Sub Rule | Configuration Enabled : Application | Configuration |
| Set Owa Policy | Sub Rule | Configuration Enabled : Application | Configuration |
| Set Recipient Policy | Sub Rule | Policy Enabled : User/Password | Policy |
| Set Tenant Version | Sub Rule | Policy Enabled : Auditing | Policy |
| Set Transport Config | Sub Rule | Configuration Enabled : System | Configuration |
| Add Recipient Permission | Sub Rule | Privilege Granted | Access Granted |
| Add Role Group Member | Sub Rule | Privilege Granted | Access Granted |
| Mailbox Folder Accessed | Sub Rule | Object Accessed | Access Success |
| New Mailbox Search | Sub Rule | Configuration Modified : Directory Services | Configuration |
| New Mailbox Created | Sub Rule | Configuration Enabled : Directory Services | Configuration |
| New Mail Contact | Sub Rule | Configuration Modified : Directory Services | Configuration |
| Cancel Folder Move Request | Sub Rule | Configuration Disabled : Database | Configuration |
| Remove Unified Group | Sub Rule | Group Deleted | Account Deleted |
| Send on Behalf | Sub Rule | Email Message Sent | Information |
| Set Contact | Sub Rule | Configuration Modified : Directory Services | Configuration |
| Mailbox Search Modified | Sub Rule | Configuration Modified : Directory Services | Configuration |
| Unified Group Modified | Sub Rule | Group Attribute Modified | Account Modified |
| Unified Group Added | Sub Rule | Group Created | Account Created |
| User Added to Group | Sub Rule | Privilege Granted | Access Granted |
| Mailbox Login | Sub Rule | User Logon | Authentication Success |
| User Account Modified | Sub Rule | User Account Attribute Modified | Account Modified |
| Email Marked for Deletion | Sub Rule | Email Deleted | Information |
| Email Deleted | Sub Rule | Email Deleted | Information |
| User Granted SendAs Permissions | Sub Rule | Privilege Granted | Access Granted |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| TS | N/A | N/A | N/A |
| SESSID | <session> | Text/String | Session information |
| COMMAND | <command> | Text/String | Command name |
| USERTYPE | N/A | N/A | Type of user |
| USERKEY | N/A | N/A | User key information (hexadecimal value) |
| WORKLOAD | <process> <vendorinfo> | Text/String | Audit log record type |
| RESULTCODE | <result> | Text/String | Results |
| OBJECT | <object> | Text/String | Object name |
| USER | <login> <domainorigin> <account> <domainimpacted> | Text/String | Source user name |
| SIP | N/A | N/A | Source IP address |
| OBJECTNAME | N/A | N/A | N/A |
| PARAMETERS | <sessiontype> <domainimpacted> <account> | Text/String | N/A |
| MODIFIEDPROPERTIES | N/A | N/A | N/A |
| EXTERNALACCESS | N/A | N/A | N/A |
| ORIGINATINGSERVER | <sender> | Text/String | N/A |
| ORGANIZATIONNAME | N/A | N/A | N/A |
| LOGONTYPE | <group> | Text/String | N/A |
| MAILBOXOWNER | <account> | Text/String | N/A |
| MAILBOXMASTER | N/A | N/A | N/A |
| LOGONUSERSID | N/A | N/A | N/A |
| LOGONUSERDISPLAYNAME | N/A | N/A | N/A |
| USERAGENT | <useragent> | Text/String | N/A |
| CLIENTIPADDRESS | <sipv4> <sipv6> <sip> <sport> | IP Address / Number | N/A |
| CLIENTPROCESSNAME | N/A | N/A | N/A |
| CLIENTVERSION | <version> | Number | N/A |
| FOLDER | <subject> | Text/String | N/A |
| CROSSMAILBOXOPERATIONS | N/A | N/A | N/A |
| DESTMAILBOX | N/A | N/A | N/A |
| DESTMAILBOXOWNER | N/A | N/A | N/A |
| DESTMAILBOXMASTER | N/A | N/A | N/A |
| DESTFOLDER | N/A | N/A | N/A |
| FOLDERS | N/A | N/A | N/A |
| AFFECTEDITEMS | N/A | N/A | N/A |
| ITEM | <objectname> | Text/String | N/A |
| ITEM | <subject> | Text/String | N/A |
| SENDASUSER | <sender> | Text/String | N/A |
| SENDONBEHALFOFUSER | <sender> | Text/String | N/A |
| "Subject":" | N/A | N/A | N/A |