Hello all,
I am attempting to configure LEM to audit and report OWA authentication request events. As of the time of posting, I have installed the agent on the Domain Controller and the Exchange server where OWA is hosted, and enabled the IIS 7.0 connector to collect and send IIS log entries.
LEM is collecting logon events from the DC and WebTrafficAudit events from the IIS log.
What I am trying to distinguish is whether the events received are clearly identifiable as applicable to OWA authentication requests. Once I am able to do this, I can generate a rule to action an infer alert and report on occurrences of infer alerts between a time period.
It would be desirable to distinguish between logon success and failure events, to help identify potential unauthorised access attempts.
Thanks in advance,
-Garreth