Automatically generated based on tag:

Title: Microsoft Exchange
Type: Page
Summary: Microsoft Exchange is a complex mail server ecosystem, running exclusively on the Windows operating system. Microsoft Exchange logs telemetry and events in various text-based log files (100+) and EVTX event logs (40+).

The following sources of logs can be of forensics interest to investigate the compromise of a Microsoft Exchange server or account:
- Exchange IIS logs, that contain information on the HTTP requests made to the various Exchange HTTP web services.
- EVTX event logs, of Exchange ETW channels (such as the "MSExchange Management" channel), and of other providers depending on the Exchange server Windows logging configuration.
- 20+ text-based log files, each associated with a given Exchange service.
Location:

Exchange IIS logs:
%SystemDrive%\inetpub\logs\LogFiles\W3SVC1 and W3SVC2 folders.

ETW channels:
MSExchange Management, for usage of cmdlets from the ExchangePowerShell module (that interact with the Exchange Web Services API).
Microsoft-Windows-Windows Defender/Operational, events 1006 / 1116 and 1007 / 1117, for detections of suspicious behavior related to Exchange.
Security event 4688, if "Audit Process Creation" is enabled, to identify suspicious processes spawned by the Exchange IIS process.

Exchange components (EWS, ECP, OWA, ExchangePowerShell, ActiveSync, MAPI, etc.) text-based logs:
%SystemDrive%\Program Files\Microsoft\Exchange Server\V15\Logging and TransportRoles folders.
