RSA Admin

MS Exchange Auditing

Discussion created by RSA Admin Employee on May 9, 2011
Latest reply on May 16, 2011 by RSA Admin

Hi,  we have a unique requirement driven by compliance to alert HR when specififc attributes/permissions are changed on a users mailbox.  In particular, if someone is added as read/full control or alt recipients are added to a mailbox, HR are to be alerted to this and they will confirm if those specific changes have been authorised.   These specific changes are actually logged against the Windows DC that the changes were made on, but when enVision grabs the security logs, all the relevant text is replaced with windows SID vaules, which is useless. 


We are in the process of de-commissioning our old Symantec SIEM (which logs this information corrctly) and this is the last alert/report I need to migrate, but this requirement is what the old SIEM was actually purchased for, so Compliance / HR will not be happy if I cannot achieve this.  I have tried SNARE, kiwi, splunk, etc "log forwarders" but all have the same result.


I have turned on exchange auditing but what I am after does not seem to be in those logs either.  Does or as anyone been able to get this type of requirement working ??


RSA have also advised me that enhancement request with a reference #: ENV-36355. has been raised but I cant seem to get an answer/update from our RSA account manager. 


Any help greatly appreciated