Hi All,
I'm trying to find out why our MS Exchange server logs were cleared, but couldn't find out why. Our SIEM indicated that it was triggered by Microsoft-Windows-Eventlog: Event ID 104. Upon checking, event ID 104 is a normal condition and no further action is required (https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc775044(v=ws.10)?redirectedfrom=MSDN). I have tried to check whether there were any suspicious logins on the admin accounts, but we didn't find anything. Can you advise?
The log for event ID 104 is below.
{
  "hostIdentifier": "00000000-cbe8-42a1-b497-f6a538fdfc75",
  "BackupPath": "",
  "Channel": "Microsoft-Exchange-ManagedAvailability/ThrottlingConfig",
  "LogFileCleared": "",
  "SubjectDomainName": "NT AUTHORITY",
  "SubjectUserName": "SYSTEM",
  "datetime": "2021-04-02T10:16:39.436600800Z",
  "eventid": "104",
  "keywords": "-1",
  "level": "4",
  "provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}",
  "provider_name": "Microsoft-Windows-Eventlog",
  "source": "System",
  "task": "104",
  "time": "1617358599"
}
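The question the post raises is how to tell a routine event ID 104 (a channel cleared by the platform itself) from an anti-forensics log wipe, since the event alone looks identical in both cases. The following is an added triage example, not code from the original poster or from Microsoft: it reads event ID 104 records in the same JSON shape the SIEM emitted above, scores each one on who cleared which channel and whether a backup was taken first, and then looks for one account clearing several distinct channels within a short window, which is how a bulk `wevtutil cl` loop or `Clear-EventLog` sweep shows up. The record from the post is used as-is; every other record is constructed for the example. Two things are assumptions for illustration and should be tuned: the list of channels treated as sensitive, and the treatment of SYSTEM clearing Exchange's own Managed Availability channels as the low-priority baseline (the post's own case). Note that clearing the Security log is reported as event ID 1102 in the Security channel, not as 104, so that channel is handled by a separate rule and is deliberately not in this set.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# The record from the post: SYSTEM cleared an Exchange Managed Availability channel.
POST_EVENT = {
    "Channel": "Microsoft-Exchange-ManagedAvailability/ThrottlingConfig",
    "BackupPath": "",
    "LogFileCleared": "",
    "SubjectDomainName": "NT AUTHORITY",
    "SubjectUserName": "SYSTEM",
    "datetime": "2021-04-02T10:16:39.436600800Z",
    "eventid": "104",
    "provider_name": "Microsoft-Windows-Eventlog",
}


def _ev(channel, user, domain, when, backup=""):
    """Build a constructed event ID 104 record in the same shape as the post's SIEM output."""
    return {"Channel": channel, "BackupPath": backup, "LogFileCleared": "",
            "SubjectDomainName": domain, "SubjectUserName": user,
            "datetime": when, "eventid": "104", "provider_name": "Microsoft-Windows-Eventlog"}


# Constructed sample records (not real telemetry): one more SYSTEM clear of an Exchange
# channel, then an interactive account wiping three channels within eight seconds.
CONSTRUCTED_EVENTS = [
    _ev("Microsoft-Exchange-ManagedAvailability/Monitoring", "SYSTEM", "NT AUTHORITY",
        "2021-04-02T10:16:41.000000000Z"),
    _ev("Microsoft-Windows-PowerShell/Operational", "jdoe", "CORP", "2021-04-02T10:17:01.000000000Z"),
    _ev("System", "jdoe", "CORP", "2021-04-02T10:17:05.000000000Z"),
    _ev("Application", "jdoe", "CORP", "2021-04-02T10:17:09.000000000Z", backup="C:\\Temp\\app.evtx"),
]

# Assumption: channels whose clearing should always be investigated. The Security log is
# absent on purpose; its clearing is event ID 1102 in the Security channel, not 104.
SENSITIVE_CHANNELS = {
    "System", "Application", "Windows PowerShell",
    "Microsoft-Windows-PowerShell/Operational",
    "Microsoft-Windows-Sysmon/Operational",
    "Microsoft-Windows-TaskScheduler/Operational",
    "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
}

# Assumption: SYSTEM clearing Exchange's own Managed Availability channels (the post's case)
# is treated as the benign baseline. Confirm this against a known-good Exchange server.
ROUTINE_PREFIXES = ("Microsoft-Exchange-ManagedAvailability/",)


def _subject(event):
    return f'{event.get("SubjectDomainName", "")}\\{event.get("SubjectUserName", "")}'


def _parse_time(event):
    # The SIEM timestamp carries nine fractional digits; strptime only needs the seconds.
    return datetime.strptime(event["datetime"][:19], "%Y-%m-%dT%H:%M:%S")


def triage(event):
    """Score a single event ID 104 record as low / medium / high with the reasons."""
    channel = event.get("Channel", "")
    user = event.get("SubjectUserName", "").upper()
    reasons = []
    if channel in SENSITIVE_CHANNELS:
        reasons.append(f"sensitive channel cleared: {channel}")
    if user != "SYSTEM":
        reasons.append(f"cleared by a non-SYSTEM account: {_subject(event)}")
    if event.get("BackupPath"):
        # A backup before the clear means someone ran the clear deliberately (e.g. with /bu:).
        reasons.append(f"log backed up before clearing to {event['BackupPath']}")
    if reasons:
        severity = "high"
    elif channel.startswith(ROUTINE_PREFIXES):
        severity = "low"
        reasons.append("SYSTEM cleared an Exchange diagnostic channel (assumed routine)")
    else:
        severity = "medium"
        reasons.append("SYSTEM cleared a channel outside the known-routine set")
    return {"severity": severity, "channel": channel, "subject": _subject(event), "reasons": reasons}


def find_bulk_clears(events, window=timedelta(minutes=5), threshold=3):
    """Return {subject: [channels]} for any account clearing >= threshold distinct channels in one window."""
    by_subject = defaultdict(list)
    for e in events:
        by_subject[_subject(e)].append((_parse_time(e), e.get("Channel", "")))
    flagged = {}
    for subject, items in by_subject.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            channels = {c for t, c in items[i:] if t - start <= window}
            if len(channels) >= threshold:
                flagged[subject] = sorted(channels)
                break
    return flagged


if __name__ == "__main__":
    events = [POST_EVENT] + CONSTRUCTED_EVENTS
    for e in events:
        print(json.dumps(triage(e)))
    print("bulk clears:", find_bulk_clears(events))
```

Run as-is and the post's record scores low, while the constructed `CORP\jdoe` records each score high and the account is also flagged for clearing three channels inside the five-minute window. In a real investigation the next step for a medium or high result is to pivot on the same host and time range for process creation (what ran `wevtutil` or `Clear-EventLog`), logon events for the subject account, and whether the forwarded copies of the cleared channel still exist on the collector.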