
We received alarms for this in our SIEM today. I believe it is expected and just "noise". The alarm was triggered immediately after Exchange cleared the ThrottlingConfig.log.

I know Exchange Server 2013 CU5 includes a Managed Availability probe configuration that is frequently restarting the Microsoft Exchange Shared Cache Service in some environments. The service is being added to provide future performance improvements and is not used in Cumulative Update 5. More information is available in KB2971467.

So it looks like this event-triggered alarm is a false positive. Anyone else experience this?

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
    <System>
        <Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/>
        <EventID>4649</EventID>
        <Version>0</Version>
        <Level>Information</Level>
        <Task>Other Logon/Logoff Events</Task>
        <Opcode>Info</Opcode>
        <Keywords>Audit Failure</Keywords>
        <TimeCreated SystemTime='2018-09-20T20:14:12.793310400Z'/>
        <EventRecordID>79125070</EventRecordID>
        <Correlation/>
        <Execution ProcessID='700' ThreadID='5972'/>
        <Channel>Security</Channel>
        <Computer>DOMAIN</Computer>
        <Security/>
    </System>
    <EventData>A replay attack was detected.

Subject:
    Security ID:        NT AUTHORITY\SYSTEM
    Account Name:       SERVERNAME$
    Account Domain:     DOMAIN
    Logon ID:       0x3E7

Credentials Which Were Replayed:
    Account Name:       HealthMailboxXXXXX
    Account Domain:     DOMAIN

Process Information:
    Process ID:     0x673b81d620
    Process Name:       C:\Windows\System32\inetsrv\w3wp.exe

Network Information:
    Workstation Name:   -

Detailed Authentication Information:
    Request Type:       KRB_AP_REQ
    Logon Process:      Kerberos
    Authentication Package: Kerberos
    Transited Services: -

This event indicates that a Kerberos replay attack was detected- a request was received twice with identical information. This condition could be caused by network misconfiguration.</EventData>
</Event>
Tim Brigham
Lee

1 Answer

One item to check is whether or not a result is a false positive. The final portion of the log states a caution about the results:

This event indicates that a Kerberos replay attack was detected
- a request was received twice with identical information.
This condition could be caused by network misconfiguration.

Microsoft help docs at https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4649 also recommend doing a manual investigation as part of checking to see if this is a false positive.

I've done scans that have ended up with false positives and needed additional checks.

NASAhorse
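As an added triage example (not code from the question or the answer): a small Python parser for the free-text body of a 4649 event, plus a suppression rule for the one pattern described above, a HealthMailbox account replayed by w3wp.exe with no workstation name. The sample event, host and account values are constructed, and the rule assumes the Exchange health mailboxes keep the default HealthMailbox prefix.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample, shortened from the event in the question (values made up).
SAMPLE_4649 = """<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
<System><EventID>4649</EventID><Computer>EXCH01.example.local</Computer></System>
<EventData>A replay attack was detected.

Credentials Which Were Replayed:
    Account Name:       HealthMailbox1a2b3c
    Account Domain:     EXAMPLE

Process Information:
    Process Name:       C:\\Windows\\System32\\inetsrv\\w3wp.exe

Network Information:
    Workstation Name:   -
</EventData></Event>"""


def parse_4649(xml_text):
    """Flatten the event into {'EventID': ..., 'Section/Field': value}."""
    root = ET.fromstring(xml_text)
    fields = {"EventID": root.findtext("e:System/e:EventID", namespaces=NS)}
    section = None
    # EventData is free text: section headers end with ':' and fields are indented.
    for line in root.findtext("e:EventData", default="", namespaces=NS).splitlines():
        if line.strip() and not line[:1].isspace() and line.rstrip().endswith(":"):
            section = line.strip()[:-1]
        elif section and ":" in line:
            key, _, value = line.strip().partition(":")
            fields[f"{section}/{key.strip()}"] = value.strip()
    return fields


def is_known_exchange_noise(f):
    """Benign pattern from the question: a HealthMailbox* probe account replayed by
    IIS (w3wp.exe) on the Exchange server itself. Assumes the default mailbox prefix."""
    return (
        f.get("Credentials Which Were Replayed/Account Name", "").lower().startswith("healthmailbox")
        and f.get("Process Information/Process Name", "").lower().endswith("\\inetsrv\\w3wp.exe")
        and f.get("Network Information/Workstation Name") == "-"
    )


def triage(xml_text):
    """'suppress' only for the documented Exchange probe noise; anything else is reviewed."""
    f = parse_4649(xml_text)
    if f.get("EventID") != "4649":
        return "not-4649"
    return "suppress" if is_known_exchange_noise(f) else "investigate"
```

Any 4649 that does not match the documented pattern stays an alert for manual review, as the Microsoft docs recommend.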