Stealthbits ProTip: Identifying Non-Owner Exchange Activity

Need visibility into the mailbox activity by anyone other than the owner of a specific mailbox? In this ProTip, you will learn how to view Exchange Activity within StealthINTERCEPT and how to scope the policy to view only Non-Owner activity.

Once you are licensed for Exchange Activity, you will need to ensure that you have agents deployed to all Exchange Role Hosts (HUB, CAS, & MBX). This is done by selecting the hosts to which you need to deploy the agent and selecting the Exchange Server Monitoring option:

Next, you will need a new policy created either from an existing template or from scratch. Exchange policy templates are located in the Templates Node, under Templates > Microsoft > Exchange. There are a lot of options out-of-the-box, but for this example, we will create one from scratch with the Exchange Changes event type. Create a new policy in your desired policy folder (I made a new one called Exchange Activity). Select the Event Type tab and set the event type to Exchange Changes:

Once the event type is selected, available options will be displayed. These are different for 3.4 and the new upcoming 4.0 version of StealthINTERCEPT. Version 3.4 merely provided visibility into all login types, while the newer version 4.0 will now also show the specific activity:

Version 3.4

Version 4.0 (Added Operation Type filtering)

Finally, we must specify that we want to see Non-Owner activity by designating only Delegates and Administrators in the Exchange Perpetrators tab:

Your policy will now show all activity by anyone other than the owner of the mailbox. Once upgraded to the upcoming version 4.0 you will also be able to filter by the operations themselves, thus being able to make separate policies permitting notifications for specific unwanted activities as well.

Don’t miss a post! Subscribe to The Insider Threat Security Blog here:

Name

Email*