Preparing Microsoft Outlook Web Access/ActiveSync for the InsightIDR Collector
To have the InsightIDR Collector ingest logs from Microsoft Outlook Web Access (OWA) and ActiveSync, complete the following steps on the server that hosts those services:
- Determine the folder into which Internet Information Services (IIS), which serves OWA/ActiveSync, writes its log files.
- Ensure that IIS writes the expected fields to those log files.
- Share the log folder with a credential that has read-only access; the same credential is later entered in InsightIDR.
Configuring Internet Information Services
- Identify the server that handles OWA/ActiveSync client requests; its IIS logs are the ones InsightIDR needs.
- Launch the IIS Manager from the Start menu.
- Click the Logging icon in IIS Manager.
- The Logging module shows the folder in which IIS records its logs and lets you choose the exact fields to log. Make a note of the log folder, because you will enter it in the InsightIDR event source.
- Click the Select Fields button to select the appropriate fields to log.
The fields selected for the log file should exactly match those displayed in the following screen capture:
- Click the OK button to save your changes.
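The same inspection can be scripted instead of done through the IIS Manager dialogs. The following PowerShell is an added example and is not part of the Rapid7 documentation: for every IIS site it resolves the actual log folder (the configured directory with environment variables expanded, plus the W3SVC<site id> subfolder IIS creates per site), flags sites that carry the /owa or /Microsoft-Server-ActiveSync applications, lists the enabled W3C fields, and enables any that are missing. The `$RequiredFields` list is an assumption used only to show the check: replace it with the complete field list from the screen capture above.

```powershell
# Added example, not part of the Rapid7 documentation. Requires the
# WebAdministration module (IIS Management Scripts and Tools feature) and an
# elevated PowerShell session on the server that runs OWA/ActiveSync.
Import-Module WebAdministration

# ASSUMPTION: an illustrative subset of valid IIS logExtFileFlags names only.
# Replace with the full list shown in the documentation's screen capture.
$RequiredFields = @('Date', 'Time', 'ClientIP', 'UserName', 'UriStem', 'HttpStatus', 'UserAgent')

function Get-IisSiteLogConfig {
    foreach ($site in Get-Website) {
        $log = $site.logFile
        # The configured directory may contain variables such as %SystemDrive%,
        # and IIS writes each site's files into a W3SVC<site id> subfolder.
        $base = [Environment]::ExpandEnvironmentVariables($log.directory)
        # Sites carrying the OWA or ActiveSync applications are the ones whose
        # logs InsightIDR needs.
        $apps = @(Get-WebApplication -Site $site.name | ForEach-Object { $_.path })
        [pscustomobject]@{
            Site      = $site.name
            Id        = $site.id
            HostsOwa  = [bool](($apps -contains '/owa') -or ($apps -contains '/Microsoft-Server-ActiveSync'))
            Format    = $log.logFormat
            LogFolder = Join-Path $base ("W3SVC{0}" -f $site.id)
            Fields    = @($log.logExtFileFlags -split ',')
        }
    }
}

function Add-IisLogFields {
    param([string]$SiteName, [string[]]$Fields)
    $current = @((Get-Website -Name $SiteName).logFile.logExtFileFlags -split ',')
    $toAdd = @($Fields | Where-Object { $current -notcontains $_ })
    if ($toAdd.Count -eq 0) { return }
    # logExtFileFlags is stored as a single comma-separated string in applicationHost.config.
    $merged = ($current + $toAdd) -join ','
    Set-ItemProperty -Path "IIS:\Sites\$SiteName" -Name logFile.logExtFileFlags -Value $merged
    Write-Host "$SiteName : enabled $($toAdd -join ', ')"
}

foreach ($cfg in Get-IisSiteLogConfig | Where-Object { $_.HostsOwa }) {
    "{0} (W3SVC{1}) logs to {2}, format {3}" -f $cfg.Site, $cfg.Id, $cfg.LogFolder, $cfg.Format
    $missing = @($RequiredFields | Where-Object { $cfg.Fields -notcontains $_ })
    if ($missing.Count -gt 0) {
        "  missing fields: $($missing -join ', ')"
        Add-IisLogFields -SiteName $cfg.Site -Fields $missing
    } else {
        "  all required fields are enabled"
    }
}
```

The `LogFolder` value printed for the site that clients connect to is the folder to note for the InsightIDR event source. On Exchange 2013 and later, both the "Default Web Site" and the "Exchange Back End" site carry these application paths; the front-end site on port 443 is the one that records client logons. Field changes take effect for new log files, so expect the next file IIS opens to carry the added columns.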
Windows File System Configuration
Configure the log folder to allow the Collector to reach the logs.
- In Windows Explorer, right-click on the IIS log folder and click Properties.
- In Properties, open the Sharing tab, click Advanced Sharing, tick Share this folder, then click the Permissions button.
- Click Add…, add the account that will access this directory, and grant it Read permission only. The user name and password for this credential are entered in InsightIDR when the OWA/ActiveSync event source is set up.
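The share can also be created from PowerShell, which makes it easier to keep the permissions minimal and to verify them. The following is an added example, not code from the Rapid7 documentation: it grants a dedicated account read-only NTFS rights on the log folder, publishes the folder as an SMB share that grants Read to that account only, and then tests from the account's point of view that reads succeed and writes are refused. The folder path, share name and account name are assumptions and must be replaced with your own values.

```powershell
# Added example, not part of the Rapid7 documentation. Run in an elevated
# PowerShell session on the server that holds the IIS logs.
$LogFolder = 'C:\inetpub\logs\LogFiles\W3SVC1'   # ASSUMPTION: the folder noted from the Logging module
$ShareName = 'OwaLogs'                            # ASSUMPTION: share name
$Account   = 'CORP\svc-insightidr'                # ASSUMPTION: dedicated low-privilege account

# NTFS: read/list/execute on the folder and everything beneath it. Share and NTFS
# permissions are evaluated together, so both must allow reads and neither should
# grant write or modify.
$acl  = Get-Acl -Path $LogFolder
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $Account,
    'ReadAndExecute',
    'ContainerInherit, ObjectInherit',
    'None',
    'Allow'
)
$acl.AddAccessRule($rule)
Set-Acl -Path $LogFolder -AclObject $acl

# SMB: Read for the collector account only. Passing -ReadAccess means the default
# "Everyone: Read" entry is not added.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $LogFolder -ReadAccess $Account `
        -Description 'IIS OWA/ActiveSync logs for the InsightIDR Collector' | Out-Null
}
Get-SmbShareAccess -Name $ShareName   # expect a single Allow/Read entry for $Account

$UncPath = "\\$env:COMPUTERNAME\$ShareName"
"Folder Path to enter in InsightIDR: $UncPath"

function Test-OwaLogShare {
    # Connects as the collector credential and checks both directions of the
    # permission: log files can be listed, and a write attempt is denied.
    param([string]$Path, [pscredential]$Credential)
    New-PSDrive -Name OwaLogs -PSProvider FileSystem -Root $Path -Credential $Credential | Out-Null
    try {
        Get-ChildItem -Path 'OwaLogs:\' -Filter '*.log' | Select-Object -First 3 Name, LastWriteTime
        $probe = 'OwaLogs:\insightidr-write-test.txt'
        try {
            Set-Content -Path $probe -Value 'x' -ErrorAction Stop
            Remove-Item -Path $probe -ErrorAction SilentlyContinue
            Write-Warning 'Write succeeded: the credential is NOT read-only. Fix the share and NTFS permissions.'
        } catch {
            'Write denied as expected: credential is read-only.'
        }
    } finally {
        Remove-PSDrive -Name OwaLogs
    }
}

# Prompts for the collector account's password; run this from the Collector host
# as well to confirm the path is reachable over the network.
Test-OwaLogShare -Path $UncPath -Credential (Get-Credential -UserName $Account -Message 'Collector credential')
```

The write probe matters because the share permission dialog defaults to Everyone with Read, and a later "Full Control" granted for convenience would let a compromised collector credential alter or delete the evidence it is supposed to ship. Running `Test-OwaLogShare` from the Collector host, not only on the Exchange server, also catches firewall rules that block SMB (TCP 445) between the two.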
Configuring OWA with InsightIDR
You configure the OWA event source by pointing it at the shared folder in UNC notation and supplying the credential that was granted access when the folder was shared. UNC notation is Microsoft's Universal Naming Convention, the common syntax for naming a network resource, in the form \\server\share\folder.
Logons from IP addresses that belong to mobile carriers are not plotted on your ingress activity map, because geolocation for carrier IP space is typically very inaccurate. Logons from mobile devices over Wi-Fi networks still appear on the ingress map.
Perform the following steps to configure OWA with InsightIDR.
- Select Microsoft ActiveSync & Outlook Web Access from the Event Source drop-down list.
- Optionally, enter a display name for this event source in the Display Name field.
- Click the Watch Directory button to define the Collection Method.
- Tick Watch Shared Remote Directory.
- Select the appropriate credential from the Credential drop-down list.
- Enter the user name in the Username field.
- Select the appropriate type from the Type drop-down list. In this example, password is selected.
- Enter the UNC path of the shared log folder (for example, \\server\share) in the Folder Path field.
- Click the Save button.