CSMARS change audit on exchange mailboxes

k.abillama · ‎09-17-2010

Hi Guys

Can Snare agent detect mailbox changes on exchange 2003 server( Tracks user and administrator activity with detailed information including who, what, when, where, workstation and why for change events plus original and current values for all changes)

Regards

Scott Fringer · ‎09-18-2010

The Snare agent simply interfaces with the existing Windows Eventlog subsystem and forwards Windows events to CS-MARS as syslog events. If the changes you are wanting to track are reported in the Windows Eventlog, those events should be forwarded to CS-MARS. You would then most likely need to create a rule on CS-MARS to detect the raw events and generate an incident. Or you could extend the appropriate Windows device framework to allow CS-MARS to successfully parse and map those Windows events.

Scott

k.abillama · ‎09-20-2010

Ok thx for the useful info!

Do you have an idea if the audit trail can be a custom one configured on Snare, I never used it, just read a bit about it!

Scott Fringer · ‎09-20-2010

Snare does support tuning which events are selected and reported from the various . You should be able to find a good explanation of this in the Snare for Windows user guide starting on page 13:

http://www.intersectalliance.com/resources/Documentation/Guide_to_Snare_for_Windows_and_Windows_Vista-2.9.pdf

Please keep in mind that the Snare agent is not developed or supported by Cisco and is only referenced as a method for sending Windows events to CS-MARS as syslog messages.

Scott