Correlating events becomes easier as Microsoft adds ‘SessionID’ to the audit logs in EXO

Yesterday, Microsoft announced a new capability in Exchange Online which adds the ‘SessionID’ field to the existing audit logs in Exchange Online. Audit logs are a useful feature to go through and look at what actions have been performed on a mailbox at any given time. The events that are exposed through the Audit Logs are a great way to correlate events and detect suspicious behavior – whether it’s for a legitimate user or through a potentially compromised account.

Many (security) solutions, including Microsoft’s own, use the information from the Audit Logs to correlate events and determine whether or not specific activity should be flagged as suspicious for further investigation. When such investigations happen, it’s sometimes hard to distinguish which actions of an account are safe and which ones aren’t. Consider the following example. I re-used the data from the announcement, to illustrate the point. The following data shows a series of (chronological) events, without the Session ID:

TimeStamp   Action
3:42        MailboxLogin
4:35        MailboxLogin
4:45        MoveToDeleted
4:59        AddInboxRules
5:12        AddFolderPermissions
5:30        Set-Mailbox

Without more information, these actions look like something a real user would do too: authenticating to the mailbox (twice), and performing some actions like removing data and adding an Inbox rule. Unless there is a high number of (infrequent) actions that immediately stand out from the ordinary, it is really hard for an administrator to determine whether the above data warrants further investigation or not.

Now, let’s look at the same data with the SessionID:

TimeStamp   Action                 Session ID
3:42        MailboxLogin           bdcea574-5cfd-48b1-ab5b-d826f164da53
4:35        MailboxLogin           12bce6d0-bfeb-4a82-abe6-98ccf3196a11
4:45        MoveToDeleted          bdcea574-5cfd-48b1-ab5b-d826f164da53
4:59        AddInboxRules          12bce6d0-bfeb-4a82-abe6-98ccf3196a11
5:12        AddFolderPermissions   12bce6d0-bfeb-4a82-abe6-98ccf3196a11
5:30        Set-Mailbox            12bce6d0-bfeb-4a82-abe6-98ccf3196a11

Again, the same events are visible, but we can now see that the various actions have been performed in different sessions. This doesn’t necessarily point to malicious behavior. However, when different sessions are active at the same time, my attention would be drawn more easily. Of course, the administrator will still have to verify with the user to identify the nature of the actions. But, by doing so, the admin might learn that the user did not create Inbox rules, nor did the user add any mailbox permissions.

At this point, having the SessionID has another benefit: it allows you to query the Audit Logs with the Session ID and list all actions that were performed within the same session, as shown in the table below:

TimeStamp   Action                 Session ID
00          AddInboxRules          12bce6d0-bfeb-4a82-abe6-98ccf3196a11
1:34        AddFolderPermissions   12bce6d0-bfeb-4a82-abe6-98ccf3196a11
1:42        AddFolderPermissions   12bce6d0-bfeb-4a82-abe6-98ccf3196a11
4:59        AddInboxRules          12bce6d0-bfeb-4a82-abe6-98ccf3196a11
12:34       AddFolderPermissions   12bce6d0-bfeb-4a82-abe6-98ccf3196a11
15:23       AddFolderPermissions   12bce6d0-bfeb-4a82-abe6-98ccf3196a11
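The two checks described above (spotting sessions that are active at the same time, and listing everything that happened inside one session) as an added example, not code from the post or from Microsoft. The records are constructed to mirror the tables above; the field names, the "Basic Auth logon without a session id" record and the list of sensitive actions are my own assumptions, not the exact property names Exchange Online emits.

```python
"""Session-aware triage of Exchange Online mailbox audit events (added example)."""
from collections import defaultdict
from datetime import datetime

# Actions that change how mail is routed or who can read it; together these are
# the classic post-compromise pattern the post describes. Assumed list, not EXO's.
SENSITIVE_ACTIONS = {"AddInboxRules", "AddFolderPermissions", "Set-Mailbox"}

SESSION_A = "bdcea574-5cfd-48b1-ab5b-d826f164da53"
SESSION_B = "12bce6d0-bfeb-4a82-abe6-98ccf3196a11"

# Constructed sample mirroring the post's table (one day, HH:MM). The 04:10 record
# models a Basic Auth logon, which per the post carries no SessionID at all.
AUDIT_EVENTS = [
    {"time": "03:42", "action": "MailboxLogin", "session_id": SESSION_A},
    {"time": "04:10", "action": "MailboxLogin", "session_id": None},
    {"time": "04:35", "action": "MailboxLogin", "session_id": SESSION_B},
    {"time": "04:45", "action": "MoveToDeleted", "session_id": SESSION_A},
    {"time": "04:59", "action": "AddInboxRules", "session_id": SESSION_B},
    {"time": "05:12", "action": "AddFolderPermissions", "session_id": SESSION_B},
    {"time": "05:30", "action": "Set-Mailbox", "session_id": SESSION_B},
]


def _t(hhmm):
    return datetime.strptime(hhmm, "%H:%M")


def group_by_session(events):
    """Return {session_id: [events sorted by time]}. Events without a session id
    (legacy auth) are grouped under None so they are not silently dropped."""
    sessions = defaultdict(list)
    for ev in sorted(events, key=lambda e: _t(e["time"])):
        sessions[ev.get("session_id")].append(ev)
    return dict(sessions)


def concurrent_sessions(events):
    """Return (sid_a, sid_b) pairs whose activity windows overlap in time.
    Sessions lacking an id are excluded: they cannot be correlated."""
    windows = {}
    for sid, evs in group_by_session(events).items():
        if sid is not None:
            windows[sid] = (_t(evs[0]["time"]), _t(evs[-1]["time"]))
    sids = sorted(windows)
    overlaps = []
    for i, a in enumerate(sids):
        for b in sids[i + 1:]:
            a0, a1 = windows[a]
            b0, b1 = windows[b]
            if a0 <= b1 and b0 <= a1:  # intervals intersect
                overlaps.append((a, b))
    return overlaps


def actions_in_session(events, session_id, only_sensitive=False):
    """The 'query by Session ID' view: every action of one session, in order."""
    evs = group_by_session(events).get(session_id, [])
    return [e["action"] for e in evs
            if not only_sensitive or e["action"] in SENSITIVE_ACTIONS]


def triage(events):
    """Flag sessions that overlapped another session AND performed a sensitive
    action; these are the ones worth verifying with the user first."""
    flagged = set()
    for a, b in concurrent_sessions(events):
        for sid in (a, b):
            if actions_in_session(events, sid, only_sensitive=True):
                flagged.add(sid)
    return sorted(flagged)
```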

Disabling/Blocking Basic Auth

This all seems good news, but what’s the caveat, you might ask? As per the announcement, sessions which were authenticated through Basic Auth will not have the SessionID information available, because the information is only logged when modern authentication is used. Personally, I think this is great, as it is yet another reason to get rid of Basic (legacy) authentication. On the other hand, the sad reality is that many organizations are still using some form of legacy authentication today, not least through protocols like POP3 and IMAP.

Ideally, the SessionID (or similar) information would have been available for legacy auth as well, especially because these non-modern authentication protocols do not support MFA and, hence, accounts using legacy auth are more susceptible to attacks/compromise.

Conditional Access to the rescue?

There are various ways to disable Basic Authentication in Microsoft’s online services. One way is to use Conditional Access, where you can define a set of policies that apply to different user (groups) in your organization. As such, you can be very granular as to whom you allow to use legacy auth and to what service.

Specifically for Exchange Online, you can use the recently-released Authentication Policies, where you can basically do the same, albeit just for Exchange Online.

Is auditing enabled?

To access the audit logs for a mailbox, auditing must be enabled first. Although Microsoft recently announced it would enable mailbox audit logging for all users by default, older tenants might still have mailboxes that aren’t audited. To check whether auditing is enabled, connect to Exchange Online with PowerShell and run the following command(s). To get a list of all users and whether or not auditing is enabled, run the following command:

Get-Mailbox -ResultSize Unlimited | Select Name,AuditEnabled

To (re-)enable auditing, you would run the following command. More information on the process is available here.

Set-Mailbox <mailbox> -AuditEnabled $True

Lastly, to verify if your tenant is configured to enable Mailbox Audit logging by default, run the following command:

Get-OrganizationConfig | Select AuditDisabled

Reading the audit logs

Before you get all hyped up about this feature, you must understand there are a few limitations too. First of all: to use the audit logs on a daily basis as a means to improve your security monitoring and detection capabilities, you will need a mechanism (often in the form of an external tool or feature) that captures the audit events and performs an initial triage on them. This can be an external SIEM solution or – if you have the necessary licenses – Microsoft’s Cloud App Security.

Even though the audit logs can be accessed through PowerShell, doing so is only really effective for ad-hoc investigations in my opinion – not least because querying the audit logs for a large number of mailboxes can be slow. Additionally, audit logs are only kept for a (limited) amount of time. If you have E3 licenses, they are kept for 90 days. Audit logs for E5 licenses are kept for 365 days. Either way, you’ll have to take this into consideration if you have a requirement to be able to go back further in time than your current built-in retention period.

Increasing your tenant’s security

All in all, this is a small but important step towards increasing your organization’s security posture and making it easier to detect (and thus react to) attacks. Security is an important topic and one of our core focus areas at The Collective. Feel free to reach out to us to understand how we can help you become more secure in Office 365.


ITPROceed as alternative to the missing TechDays in Belgium this year?

Typically, this time of the year Microsoft would organize its TechDays: a multi-day technical conference with tracks for both IT Pro’s and developers. This year, however, there’s no TechDays. This leaves a gap in the Belgian “conference market”. To my knowledge, TechDays was attended by several hundred if not thousand attendees every year. Speakers from all over the place would come over and present on the latest and the greatest of Microsoft. But in general there would be a lot of local speakers involved too.

Recently the developers community announced their “Tech-o-rama” conference which would both serve as a replacement for the Community Days and somewhat fill the gap for TechDays. This is exactly what the IT PRO Community had in mind when launching the ITPROceed initiative.

ITPROCeed is a community-driven one-day conference, to be held in Antwerp on June 12th. Although not officially organized by Microsoft, the conference certainly has the potential to reach a wide audience, as TechDays did. Here’s why:

Content

As mentioned earlier, there won’t be (many) other opportunities to learn from the experts first hand in Belgium this year. As such, it seems like the perfect opportunity to catch up: for free.

The conference itself is divided into 4 tracks: SQL, System Center, Azure and Office Servers & Services. More than enough to create a balanced schedule with, don’t you think? It’s not only a good way to learn about new technology and features, it’s also great to interact with all of the experts who will be present that day.

Speakers

The speaker line-up is phenomenal, in my opinion. A lot of Belgian MVPs will be speaking at this event and many of them have spoken at various international conferences before. To give you just a few of these names: Mike Resseler, Alexandre Verkinderen, Johan Delimon, Dieter Vanhoye, Thomas Vochten, Ruben Nauwelaers, Pieter Vanhove, Nico Sienaert, Tim De Keukelaere, Donald Hessing and many, many more. Every single one of them is an expert in their field.

So, if you haven’t subscribed yet, I strongly suggest you do so soon. It doesn’t happen every day that you get the ability to witness all this for free (in case you didn’t get it the first time). I, for one, know what I will be doing that day…! http://www.itproceed.be/

See you there!

Michael


Microsoft to acquire Nokia’s devices & services business

A few hours ago, the news hit the world that Microsoft is about to acquire Nokia’s devices & services business and it’s going to license Nokia’s patents and mapping services.

Honestly, I can’t say that I’m surprised. Microsoft and Nokia have been working closely together in making, branding and marketing Nokia’s Lumia Windows Phone devices. In line with Microsoft’s “big transformation” into a devices & services company, this only seems the next logical step.

Through the acquisition (which includes bringing over about 30.000 people from Nokia), Microsoft suddenly gains a vast amount of experience in making hardware. Its first attempts at creating tablets, the Surface RT and Surface Pro, seemed – given the 900 million dollar write-off on a pile of devices they couldn’t sell – nothing more than a creditable attempt. Through this acquisition, however, Nokia [Microsoft] might be able to bring some change into the game. After all, recent news confirmed the existence of a Nokia tablet based on Windows RT which should hit the shelves any time soon. And by the looks of it, the device looks many times more slick than the Surface RT or Pro.

Time will tell if this was a good thing or not…


Microsoft is retiring the MCSM/MCA Program…

After having written about my experience of going through the MCSM program, I couldn’t resist writing down how I feel about Microsoft’s latest decision to kill the MCSM/MCA program.

For those who aren’t fully up to date about what happened, let me enlighten you first. Early Saturday morning, (Friday evening if you’re in the US), Microsoft sent out the following statement to all existing (and aspiring) Certified Masters and Architects:

“We are contacting you to let you know we are making a change to the Microsoft Certified Master, Microsoft Certified Solutions Master, and Microsoft Certified Architect certifications. As technology changes so do Microsoft certifications and as such, we are continuing to evolve the Microsoft certification program. Microsoft will no longer offer Masters and Architect level training rotations and will be retiring the Masters level certification exams as of October 1, 2013. The IT industry is changing rapidly and we will continue to evaluate the certification and training needs of the industry to determine if there’s a different certification needed for the pinnacle of our program.”

Have a look at the blog of Neil Johnson, who also teaches during the MCSM rotation, for the full email.

As you can see, for someone who recently went through the program, that’s not the kind of email I’d hoped to read any time soon. Effectively, the reactions from the community are mainly drenched in disbelief and anger; which also perfectly reflects how I feel about the decision.

Many people have already expressed their displeasure. Although twitter has the top of the talks, some others – like Paul Robichaux and Marcel van den Berg – have also blogged about their thoughts:

At this moment, all that we have is the email. Nothing more. The fact that Microsoft sent out the email right before a long weekend (Monday is apparently Labor Day in the US) doesn’t really help. Besides: who does that anyway? Sending out an email like that and then abstaining from any discussion whatsoever? Maybe they hoped that the storm would settle down by Tuesday? There are many reasons why Microsoft might have chosen to kill the program. Most likely it’s cost-related. There’s no doubt that running the MCSM/MCA program costs a lot of money; maybe too much for what they get in return from a direct revenue point-of-view? If so, raising the price for the certification was no option either; it was already expensive as it was. Though I stand with my statement earlier where I said it’s more than worth it. Nonetheless, MCSM/MCA perhaps never became as big as Microsoft hoped for? Anyway. It doesn’t matter, does it?

Microsoft has lately been making a lot of rather strange decisions. A lot of IT Pros (including myself) are wondering what they (Microsoft) are trying to achieve. First, they decided to kill TechNet subscriptions, now the MCSM/MCA program. The question is what will be next…? They are, for sure, making it very difficult to keep on advocating for them…

I cherish no hope that Microsoft will reverse their decision, but I would like to have a more decent explanation as to why they made this decision and what they are up to next. This is the very least they can do for all those who have invested a lot of money and time to go through the program…

Until later,

– a very disappointed – Michael


Session Slides and pictures of our event on Load Balancing Exchange & Lync 2013 now online!

Earlier this week we had the pleasure to welcome you for our in-person event “Load Balancing and Reverse Proxying for Exchange 2013 and Lync 2013” at Microsoft Belgium. Despite the fact that some people cancelled at the very last minute, the turnout was really great!

Both sessions, from Johan Delimon and myself, could count on a lot of questions from you guys, which kept things interactive at all times. Thank you for that!

For those who couldn’t attend, below are some pictures to help you muse about what you’ve been missing out on:


As promised, we’ve also made the slides available for download here. (Note: you will be redirected to the Pro-Exchange website!)

If you have questions about the sessions, please feel free to contact us and we’ll get back to you as soon as possible! Also, don’t forget Ruben and Wim will be presenting at this year’s Community Day: “Exchange and Lync 2013: Better together”.

We’re looking forward to meeting you there!

Cheers,

Michael


Attending the Microsoft Exchange Conference

As you might’ve guessed by now, I’m one of the lucky guys who gets to attend the Microsoft Exchange Conference in Orlando, FL.

Over the past few days, I have seen lots of people post their agendas online, which made me think that I perhaps should also start building one. At least, that was the plan. It didn’t take long before I figured out that building an agenda wasn’t really going to work out for me… I mean, have you seen the session list? It’s huge! And there’s really lots and lots of great content. So instead of trying to fit everything in, I’ll just take the sessions as they come. I’ll definitely let you know how that worked out…

Anyway, I arrived yesterday and was lucky enough to bump into a whole bunch of Exchange-people heading to MEC. Throughout the conversations I had, it was getting pretty clear that getting value from MEC isn’t really about the sessions or content, it’s mostly about the community and the contacts itself.

Not only have I been able to talk to some of the veterans like Tony Redmond and Jeff Guillet, but I also got to meet lots of new people. It doesn’t need any explanation that I’ve already had lots of interesting conversations about Exchange and other stuff.

It’s a pity to realize that some people, who definitely should’ve been here, weren’t able to make it or even worse, couldn’t get their employers convinced to send them. My thoughts especially go out to some fellow UCArchitects like Steve, Michel, Mahmoud and Johan! I hope that MEC will stay for the next few years and that employers who refused to send some of those guys start realizing the real value in the conference: socializing.

As a matter of fact, you should read the following blog by Tony Redmond; some rather interesting thoughts about the conference…

Anyway, I’m pretty sure that those who weren’t able to make it will at least be able to virtually attend the conference. If you’re not already following me (and other members of the community), start doing so today! I’m pretty sure you’ll get loads of info through blogs/twitter/…

Cheers,

Michael


Update: Disappearing (online) archives after moving your mailbox to Office 365

Update

After a few weeks of mailing back and forth with Microsoft’s support, I was today (finally) able to confirm that the issue which I described below is now solved.

It seems that Microsoft rolled out a hotfix/code change for their Exchange Online service. Although, at first, I thought the issue was related to a bug in EMC for not correctly issuing all parameters when initiating a remote mailbox move, it seems the issue had more to it than that. Basically, what happened is that when MRS moved the mailbox from the on-premises environment to Office 365, it wouldn’t keep the link to the already-existing archive. This caused a new (empty) archive to be created and could possibly cause data loss.

I’m happy to see what time and effort Microsoft has put into solving this issue. It proves that Microsoft is concerned about the quality of their product / service. In fact, it would surprise me if they weren’t. A bug that could cause data-loss is not really something you’d want to carry around for a long time!

Thanks to everyone involved and kudos to Philippe Phan Cao Bach (Sr. Escalation Engineer) who was working with me on this case.

Original Post

Office 365 offers great ways to enhance the functionalities of your on-premises deployment. By running the Hybrid Configuration Wizard (which Steve Goodman explains in this article) you can configure both environments to act as one, allowing you to make use of features such as Online Archives (EOA).

With Exchange Online Archives, your primary mailbox stays on your on-premises Exchange server, whereas the archive will – as the name might have given away – be hosted in Office 365. If you’re interested in finding out more about Online Archives, I suggest that you take a look at Bharat Suneja’s session at TechEd this year: “Archiving in the cloud with Exchange Online Archiving”.

The problem

To me, one of the most interesting things about a hybrid deployment is the flexibility it offers. You can put a few mailboxes in Office 365, try them out and move more to the service if you like it.

If you are looking to take that approach, this information might be interesting for you!

Imagine the following: you are trying out Office 365 and decide to use Online Archives to start with. You provision the archives and life is great! After a while you decide you want to use more and you decide to move some mailboxes to Office 365. However, after your users have been moved to Office 365 they start complaining that their archive is empty.

It seems that – although this scenario is supported – there are some issues with the provisioning process when you move a user to Office 365 that previously already had an Online Archive: it gets “wiped”. At least, that’s how it looks.

At first, I thought the data would reappear after a while, so I made sure that I waited long enough. Unfortunately, even after a few days, the archive was still empty.

I decided to do some tests, to make sure this wasn’t a standalone case. Perhaps something went wrong during the move. To my surprise, tests confirmed what was going on: although the archive contained items prior to the move, they are now empty.

To explain what happens, let me describe the process I used to reproduce this issue.

This first screenshot shows the details of the on-premises mailbox that has a cloud-based archive (EOA) enabled. This archive contains 4 (test) items:


Afterwards, I moved the mailbox through the Exchange Management Console using the “New Remote Move Request”-wizard.

Because on-premises only a mailbox exists, you don’t have the option to move an archive (which is normal):

The move completed successfully, and after having waited long enough (DirSync etc.), I verified the mailbox’s settings:


The interesting part here is that the Archive, although having the same GUID, appears to have been moved to the same database as the mailbox. Before, the archive resided in database “EURPRD04DG032-db055”, whereas now it’s in “EURPRD04DG030-db041”.

To make sure that this wasn’t causing problems, I decided to do another test. When executing the MoveRequest, I specified which database the archive should be moved to. I made sure that the target database of the Online Archive was set to the database it was already residing in before moving the mailbox:

New-MoveRequest "Testmivh5" -RemoteHostName "hostname.company.com" -TargetDeliveryDomain "tenant.mail.onmicrosoft.com" -ArchiveTargetDatabase "EURPRD04DC032-db055" -RemoteCredential (Get-Credential)

Note: this cmdlet was executed from PowerShell connected to Exchange Online.

After the move completed (successfully btw), I – again – waited long enough for DirSync/replication/provisioning to occur. I deliberately didn’t force DirSync to ensure that wasn’t causing any issues either. But alas, none of that helped: the archive was again empty.

A quick look at the object’s attributes revealed that – although a target database parameter was provided – the archive still got moved to the same database as the user:


Then, I was thinking that the ‘old’ archive perhaps got disabled and that a new one was created. Although this would be strange since the GUID of the archive remains the same, I thought it was worth a try. Again: no joy! No disconnected mailboxes were to be found.

After all this testing, I had reasons enough to call Microsoft Support. After a few calls back and forth, they recently came back to me confirming that this is a known issue and that they’re currently working on it.

Until today I’m still not sure what the cause of the problem is. I haven’t received any feedback yet either. Of course, I will keep you posted as soon as I find out more!

Temporary workaround

It might sound too obvious, but the workaround is simple: either create both archive and mailbox in the cloud, or create them (both!) on-premises first and move them together to the cloud. Both cases work just fine!

Conclusion

Although the last thing you’d want to experience is data-loss, I’m well aware that only a few customers, world-wide, would try this scenario. Nevertheless, it’s an issue that should be addressed quickly.

In our case, we have lost only a single archive worth a few hundred megabytes of emails. I can imagine that losing the wrong kind of emails might be a real big issue for some companies. I haven’t asked, but I’m pretty confident that – even though the emails seem lost – Microsoft can somehow recover the data so that you don’t really “lose” anything. I honestly cannot imagine otherwise.

Does this mean that I discourage using features like EOA? Absolutely not. I still have my hosted archive and I am pretty happy with it. Apart from some inconveniences which I will write about another time, it provides me with everything I need. Furthermore, it allows us to give everyone a relatively large archive without having to bear the costs of additional storage.

Until later!
