CSMARS change audit on exchange mailboxes

Unanswered Question
Sep 17th, 2010

Hi Guys

Can the Snare agent detect mailbox changes on an Exchange 2003 server (tracks user and administrator activity with detailed information including who, what, when, where, workstation and why for change events, plus original and current values for all changes)?


Scott Fringer Sat, 09/18/2010 - 06:57
User Badges: Cisco Employee

The Snare agent simply interfaces with the existing Windows Eventlog subsystem and forwards Windows events to CS-MARS as syslog events.  If the changes you are wanting to track are reported in the Windows Eventlog, those events should be forwarded to CS-MARS.  You would then most likely need to create a rule on CS-MARS to detect the raw events and generate an incident.  Or you could extend the appropriate Windows device framework to allow CS-MARS to successfully parse and map those Windows events.


k.abillama Mon, 09/20/2010 - 00:34

Ok thx for the useful info!

Do you have an idea if the audit trail can be a custom one configured on Snare? I never used it, just read a bit about it!

Scott Fringer Mon, 09/20/2010 - 04:58
User Badges: Cisco Employee

Snare does support tuning which events are selected and reported from the various .  You should be able to find a good explanation of this in the Snare for Windows user guide starting on page 13:


Please keep in mind that the Snare agent is not developed or supported by Cisco and is only referenced as a method for sending Windows events to CS-MARS as syslog messages.
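Added example, not part of the thread and not Cisco or Snare code: a Python illustration of the flow the replies describe, where Windows events arrive as Snare syslog lines and a match on the raw event raises an incident. The field order after the `MSWinEventLog` tag, the watchlist entry and the sample lines are assumptions constructed for illustration; check them against what your agent and Exchange server actually emit.

```python
# Assumed tab-delimited layout following the "MSWinEventLog" tag in a
# Snare for Windows syslog record; verify against your agent's output.
FIELDS = ("criticality", "log", "counter", "time", "event_id", "source",
          "user", "sid_type", "event_type", "computer", "category",
          "data", "expanded")

# Sample watchlist of (event source, event ID) pairs. This entry is an
# assumption; confirm source and ID in the server's own event log.
WATCH = {("MSExchangeIS Mailbox Store", 1016)}

def parse_snare(line):
    """Return the event as a dict, or None if the line is not a Snare record."""
    _, tag, rest = line.partition("MSWinEventLog\t")
    if not tag:
        return None                      # ordinary syslog, not from Snare
    parts = rest.rstrip("\r\n").split("\t")
    if len(parts) < len(FIELDS):
        return None                      # truncated record
    event = dict(zip(FIELDS, parts))
    try:
        event["event_id"] = int(event["event_id"])
    except ValueError:
        return None
    return event

def incidents(lines, watch=WATCH):
    """Keep only events on the watchlist, with the who/what/when/where fields."""
    keep = ("time", "computer", "user", "source", "event_id", "expanded")
    found = []
    for line in lines:
        event = parse_snare(line)
        if event and (event["source"], event["event_id"]) in watch:
            found.append({k: event[k] for k in keep})
    return found

# Constructed sample input: one watched event, one unrelated event,
# one line that is not a Snare record.
SAMPLE = [
    "<13>Sep 17 10:02:11 EXCH01 MSWinEventLog\t1\tApplication\t101\t"
    "Fri Sep 17 10:02:10 2010\t1016\tMSExchangeIS Mailbox Store\t"
    "CORP\\admin1\tUser\tInformation\tEXCH01\tLogons\t\t"
    "constructed sample message\t77",
    "<13>Sep 17 10:03:00 EXCH01 MSWinEventLog\t1\tSecurity\t102\t"
    "Fri Sep 17 10:02:59 2010\t528\tSecurity\tCORP\\user2\tUser\t"
    "Success Audit\tEXCH01\tLogon/Logoff\t\tconstructed sample message\t78",
    "<13>Sep 17 10:03:05 EXCH01 sshd: not a Snare record",
]

if __name__ == "__main__":
    for hit in incidents(SAMPLE):
        print(hit)
```

Anything not written to the Windows event log never reaches this stage, so original and current values appear only if the logged event text itself carries them.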


