As the dominant messaging platform, Exchange is host to an organization’s greatest secrets in motion: decisions, marketing plans, customer data… What doesn’t get emailed?

Yet, does your security operations center know when a privileged user downloads a high-level executive's mailbox? Will you know if John is spending hours browsing the CEO's mailbox? What if encryption keys are exported or security policies are changed in Exchange? If there's a security breach or system outage, can you trace back who changed Exchange, what they changed, and when?

The challenge in getting Exchange audit activity to your SIEM.

The good news is that among the many logs Exchange generates, two are specifically audit logs, dedicated to security tracking.

  • Administrator Audit Log

    Records every cmdlet run against the Exchange organization, whether from the Exchange Management Shell or the Exchange admin center (which calls the same cmdlets): who ran it, when, with which parameters, and which objects were modified. Read-only Get-*, Search-* and Test-* cmdlets are excluded by default.
  • Mailbox Audit Log

    Tracks access to specified mailboxes, primarily by non-owners, providing an audit trail of end users and administrators who access someone else's mailbox. Mailbox audit logging is off by default in on-premises Exchange; it must be turned on per mailbox (Set-Mailbox -AuditEnabled $true), and which delegate and administrator actions get recorded is configurable.

But there are several issues that prevent SIEM and Big Data Security Analytics solutions from collecting Exchange audit logs:

  1. Audit logs trapped inside Exchange

    Like many other applications, Exchange keeps its audit logs inside the application itself: the admin audit log lives in a hidden arbitration (system) mailbox, and mailbox audit log entries are stored in the Audits subfolder of each audited mailbox's Recoverable Items folder, alongside normal mailbox data. They are not written to any file system location or to the Windows event log, where SIEM solutions could use their normal log collection methods.
  2. Asynchronous log request management

    To get the full detail of the administrator and mailbox audit logs, you must periodically ask Exchange to produce a log file and then wait an unspecified period of time for Exchange to email it to you as an XML attachment. You can submit these requests through the web-based Exchange admin center or through the asynchronous PowerShell cmdlets New-AdminAuditLogSearch and New-MailboxAuditLogSearch. (The synchronous Search-AdminAuditLog and Search-MailboxAuditLog cmdlets return results directly on the console, but they cap the number of entries returned, so they are not a substitute for a complete feed.) You must request logs regularly so that latency stays low and the attached log files don't exceed maximum attachment sizes, and you need to keep track of which requests Exchange has fulfilled and which are still pending.
  3. Cryptic, hard-to-understand messages

    Both the admin and mailbox audit logs are delivered as XML attachments whose attribute-laden records are unsuitable for analysis by human eyes. Here is an example of one mailbox audit log entry:

    <Event MailboxGuid="87fe4440-ed2a-463e-9834-a070a3f7b865" Owner="Tom Sawyer" LastAccessed="2014-03-03T13:33:49.7298345-05:00" Operation="SendOnBehalf" ItemId="RgAAAADFjf5W2w8LQa+FWUjYyCYYBwBAeQIjM6A5TohDkjHL7Cy3AAAAAAARAABAeQIjM6A5TohDkjHL7Cy3AABaEl61AAAN" ItemSubject="Canceled: Meeting" OperationResult="Succeeded" LogonType="Delegate" ClientInfoString="Client=OWA;Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/6.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729);" ClientIPAddress="::1" InternalLogonType="Owner" MailboxOwnerUPN="tsawyer@lb.local" MailboxOwnerSid="S-1-5-21-318927112-4139637817-1356824584-1143" LogonUserDisplayName="Huck Finn" LogonUserSid="S-1-5-21-318927112-4139637817-1356824584-1144" OriginatingServer="DEV1 (15.00.0516.025)" />
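The request-and-parse cycle described in items 2 and 3, as an added example written for this page (it is not LOGbinder's code): it submits the two asynchronous searches, lists the ones still pending, and converts a mailbox audit attachment into single-line records a SIEM can ingest, flagging non-owner access. It assumes the Exchange Management Shell on Exchange 2013 or later with a role that includes the Audit Logs role; the drop mailbox auditdrop@example.com, the folder C:\AuditDrop (where a mail rule or script outside this example saves the attachments), and the SearchResults root element of the attachment are assumptions. The sample XML at the end is the event shown above, constructed inline so the parsing part runs without an Exchange server.

```powershell
# Added example, not LOGbinder's code. Assumptions: runs in the Exchange
# Management Shell (Exchange 2013+) under a role group holding the Audit Logs
# role; auditdrop@example.com, C:\AuditDrop and the <SearchResults> root
# element are hypothetical. Pulling the attachment out of the status mailbox
# is not shown.

# Mailbox auditing is off by default on-premises: turn it on for the mailboxes
# that matter and choose which delegate and admin actions to record.
function Enable-MailboxAudit {
    param([Parameter(Mandatory)][string]$Identity)
    Set-Mailbox -Identity $Identity -AuditEnabled $true `
        -AuditDelegate FolderBind,SendAs,SendOnBehalf,Update,SoftDelete,HardDelete `
        -AuditAdmin    FolderBind,MessageBind,SendAs,SendOnBehalf,Update,SoftDelete,HardDelete
}

# Step 1: request both logs for a short window. Exchange fulfils the searches
# asynchronously and emails an XML attachment to the status recipient.
function Request-ExchangeAuditLogs {
    param(
        [string]$StatusRecipient = 'auditdrop@example.com',  # hypothetical drop mailbox
        [int]$WindowMinutes = 15                              # short window: low latency, small attachment
    )
    $end   = Get-Date
    $start = $end.AddMinutes(-$WindowMinutes)
    $tag   = $end.ToString('yyyyMMdd-HHmm')                   # lets pending searches be matched to windows
    New-MailboxAuditLogSearch -Name "MBX-$tag" -StartDate $start -EndDate $end `
        -LogonTypes Admin,Delegate -ShowDetails -StatusMailRecipients $StatusRecipient
    New-AdminAuditLogSearch -Name "ADMIN-$tag" -StartDate $start -EndDate $end `
        -StatusMailRecipients $StatusRecipient
}

# Searches Exchange has accepted but not yet fulfilled (only the ones we issued).
function Get-PendingAuditSearches {
    Get-AuditLogSearch | Where-Object { $_.Name -like 'MBX-*' -or $_.Name -like 'ADMIN-*' }
}

# Step 2: parse a mailbox audit attachment. Each <Event> element carries the
# attributes shown in the page's sample; the root element name is assumed.
function ConvertFrom-MailboxAuditXml {
    param([Parameter(Mandatory)][string]$Xml)
    $doc = [xml]$Xml
    foreach ($e in $doc.SelectNodes('//Event')) {
        [pscustomobject]@{
            Occurred  = ([datetime]($e.LastAccessed)).ToString('s')
            Operation = $e.Operation
            Result    = $e.OperationResult
            Mailbox   = $e.MailboxOwnerUPN
            Actor     = $e.LogonUserDisplayName
            ActorSid  = $e.LogonUserSid
            LogonType = $e.LogonType                          # Owner, Delegate or Admin
            Client    = ($e.ClientInfoString -split ';')[0]   # e.g. Client=OWA
            ClientIP  = $e.ClientIPAddress
            Subject   = $e.ItemSubject
            Server    = $e.OriginatingServer
            NonOwner  = ($e.LogonType -ne 'Owner')            # what the SOC wants to alert on
        }
    }
}

# Render a record as one key="value" line for syslog or SIEM forwarding.
function Format-SiemLine {
    param([Parameter(Mandatory, ValueFromPipeline)]$Record)
    process {
        $pairs = foreach ($p in $Record.PSObject.Properties) { '{0}="{1}"' -f $p.Name, $p.Value }
        'ExchangeMailboxAudit ' + ($pairs -join ' ')
    }
}

# Process every attachment already saved to the drop folder.
function Import-AuditDropFolder {
    param([string]$Path = 'C:\AuditDrop')   # hypothetical folder
    Get-ChildItem -Path $Path -Filter *.xml | ForEach-Object {
        ConvertFrom-MailboxAuditXml -Xml (Get-Content -Path $_.FullName -Raw)
    }
}

# Constructed sample: the event shown above, wrapped in the assumed root element.
$sample = @'
<SearchResults>
<Event MailboxGuid="87fe4440-ed2a-463e-9834-a070a3f7b865" Owner="Tom Sawyer" LastAccessed="2014-03-03T13:33:49.7298345-05:00" Operation="SendOnBehalf" ItemId="RgAAAADFjf5W2w8LQa+FWUjYyCYYBwBAeQIjM6A5TohDkjHL7Cy3AAAAAAARAABAeQIjM6A5TohDkjHL7Cy3AABaEl61AAAN" ItemSubject="Canceled: Meeting" OperationResult="Succeeded" LogonType="Delegate" ClientInfoString="Client=OWA;Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/6.0);" ClientIPAddress="::1" InternalLogonType="Owner" MailboxOwnerUPN="tsawyer@lb.local" MailboxOwnerSid="S-1-5-21-318927112-4139637817-1356824584-1143" LogonUserDisplayName="Huck Finn" LogonUserSid="S-1-5-21-318927112-4139637817-1356824584-1144" OriginatingServer="DEV1 (15.00.0516.025)" />
</SearchResults>
'@

# Only non-owner events reach the SIEM line; the sample is a Delegate logon, so it is emitted.
ConvertFrom-MailboxAuditXml -Xml $sample | Where-Object { $_.NonOwner } | Format-SiemLine
```

Run Request-ExchangeAuditLogs from a scheduled task at the same interval as the window so consecutive requests tile the timeline without gaps, and reconcile Get-PendingAuditSearches against the attachments that have arrived before trusting a window as complete.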

The Solution: LOGbinder for Exchange - Connecting the Exchange admin and mailbox audit logs to your SIEM

LOGbinder for Exchange automatically manages the complicated process of requesting audit logs from Exchange every few minutes, watching for them to arrive by email, downloading the attachments and parsing the XML. It translates the cryptic admin and mailbox audit data into easy-to-understand messages and sends them to your SIEM or Big Data Security Analytics (BDSA) platform, where they belong. LOGbinder for Exchange does not require an agent to be installed on your Exchange servers. It simply bridges the gap by bringing application security intelligence from Exchange to your security operations center.

Here is what the same event shown in the challenge section above looks like after being processed by LOGbinder for Exchange:

Send message using Send on Behalf Exchange mailbox permissions
Occurred: 3/3/2014 1:33:49 PM
Operation: SendOnBehalf
Result: Succeeded
Originating server: DEV1 (15.00.0516.025)
Mailbox
  GUID: 87fe4440-ed2a-463e-9834-a070a3f7b865
  Owner: n/a
  Owner UPN: tsawyer@lb.local
  Owner SID: S-1-5-21-318927112-4139637817-1356824584-1143
Folder
  ID: n/a
  Folder: n/a
Performed By
  User name: Huck Finn
  User SID: S-1-5-21-318927112-4139637817-1356824584-1144
  Logon type: Owner
Client
  Info: Client=OWA;Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64;
    Trident/6.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727;
    .NET CLR 3.0.30729);
  IP address: ::1
  Process name: n/a
  Version: n/a
Item
  ID: RgAAAADFjf5W2w8LQa+FWUjYyCYYBwBAeQIjM6A5TohDkjHL7Cy3AAAAAAARAABAeQIjM6A5
    TohDkjHL7Cy3AABaEl61AAAN
  Subject: Canceled: Meeting
Additional information: Owner= [Tom Sawyer]; LastAccessed= [2014-03-03T13:33:49.7298345-05:00]; LogonType= [Delegate]

Learn more about LOGbinder for Exchange