LOGbinder Blog

Updates, Tips and News   RSS Feed  

All LOGbinder products updated

Tue, 10 Dec 2019 17:18:50 GMT

Almost 12 years ago, my first LOGbinder product (LOGbinder for SharePoint) was created.  Since then we've developed software to help you audit SQL Server and Exchange admin and mailbox audit logs.  With the advent of our latest product, Supercharger for Windows Event Collection, we are now one of the biggest resources for the deployment, implementation and troubleshooting of Windows Event Collection (WEC).  Recently we released updates to all four of our products.  What's new?  At the bottom of this email are just a few of many new features and enhancements to our product line.  

I realize that a bulleted list of "features" may not seem that impressive, so I invite you to download any or all of our products and test them for yourself to see how they can help you audit the security actions in your environment.  For example, do you want to set a custom audit policy for every single one of your SharePoint sites including new sites that get create and then also get alerted if a malicious actor changes that audit policy?  Then try LOGbinder for SharePoint.  Do you want to audit SQL Server audits without touching the SQL Server or DB's once the audit is created?  Your SQL admins would love for you to try out LOGbinder for SQL Server.  Do you want to collect any log in event viewer from every workstation and server in your domain?  If your SIEM's cost is based on EPS or data storage, then Supercharger may pay for itself by allowing you to leave the noise at the source.

You can click the product to see all the latest changes:

  • Supercharger for WEC 19.10
    • Reports added
      • Comprehensive forwarder analysis - see every possible detail about every forwarder in your domain.  Excellent resource for troubleshooting problem forwarders
      • Collector performance history - see trends and patterns about collectors EPS and CPU.  Helpful for monitoring collector performance and resource planning
    • Maintenance button added to subscriptions of load balanced distributed subscriptions so you can maintain them on demand
    • Enhanced custom event log creation
  • LOGbinder for SharePoint 7.0.1
    • Filter events based on site
    • Error handling improved to make the service more resilient
    • Performance enhancements to speed up processing
    • Noise filtering 
    • Support for the latest versions of SharePoint
  • LOGbinder for SQL Server 5.0.1
    • Enhanced error handling
  • LOGbinder for Exchange 4.0.1
    • Redesign of mailbox audit configuration wizard
    • Coded workarounds for the "Too many audit requests" Exchange issue
    • Performance enhancements to speed up processing
    • "Apply Now" option for instantly applying the audit wizard configuration​

If you're already familiar with WEC or just learning, you'll want to view Randy Franklin Smith's recent webinar on WECBuilding a Resilient Logging Pipeline: Windows Event Collection Tips and Tricks for When You Are Serious About Log Collection.

Get instant pricing for Supercharger and our LOGbinder for SharePoint/SQL/Exchange products here:  Instant Quotes  

Over the past few months we've been listening to you.  Most of the enhancements and bug fixes in our latest releases are because of you.  The feedback and suggestions on our forum and support portal have helped us continue to improve our products.

If you are already a licensed user of our products and have a current support contract, then upgrading is easy.  Just find the product you need to upgrade on our download page.  Download the installer you need and just install on top of your current installation.  You will most likely need to request an updated product key at support.logbinder.com.  If you are upgrading Supercharger you just need to upgrade the manager.  All the collectors will upgrade themselves.

Thanks again for your support and I look forward to your feedback.

Randy Franklin Smith


Least Privilege Workaround for SQL DB Access

Sat, 08 Dec 2018 10:21:56 GMT
In the past we have explained how LOGbinder for SharePoint uses SQL privileges. We also informed you about the unfortunate workaround of giving dbo access to certain DB's in SQL in the sporadic cases when the SharePoint API interferes with access to the databases. 

This was never a "workaround" that we were really happy with.  Giving dbo access is not only like giving the bank the title to your home as collateral for the mortgage but also giving them a letter that says "Stop by anytime you want and while you're here feel free to repaint the walls and help yourself to the scotch in the pantry."

Thankfully, we have found a proper workaround that does not require dbo access.  There is a role on the SharePoint SQL DB's named "SPDataAccess".  We have found that giving the service account this role grants enough access for LOGbinder for SharePoint to function properly.  Again we would like to specify that this is not the standard configuration needed with LOGbinder for SharePoint.  This is only used in the rare situations when the SharePoint API is giving issues with DB access.  For most of our customers the permissions set within SharePoint itself for the service account is all that is needed. 

There are two ways to give the service account this role.  One is using the SharePoint Management Shell and the other is directly in SQL (in our example below using SSMS). 

Our preferred method is making the changes directly in SQL.  We noticed that when using the SP Management Shell an extra role is given.  We also noticed that this is not always the case as well.  Sometimes the extra role is given and sometimes it is not.  Why?  We don't know.  Maybe it's a hidden Microsoft feature.

Here is how to make the changes using SSMS.

1. In SSMS add your service account as a login.


2. Open the logins properties and locate the three databases that your SharePoint farm is using for the Admin Content, Configuartion and WSS Content databases..  In this instance we have SharePoint_AdminContent(GUID), SharePoint_Config2019 and WSS_Content(GUID). 


3. For each database map the SPDataAccess role to the login.  You will notice that for the WSS_Content db, after saving the role change SSMS also grants the PSDataAccess and the PSReportingSchemaAdmin role.  If you have more than one content db, then you will have to perform these steps on all applicable db's with the WSS_Content prefix.  For more information on how to set SPDataAccess on a large number of content databases, click here.


You can also perform the steps above with a simple cmdlet using the SharePoint Management Shell.  Run the following cmdlet:

Get-SPContentDatabase | Add-SPShellAdmin -UserName domain\ServiceAccount

So in our example below we ran "Get-SPContentDatabase | Add-SPShellAdmin -UserName lab\sp2019srvacct".  Notice that doing this grants an additional role on all three databases; the SharePoint_Shell_Access role. As security experts our recommendation is obviously whichever process results in the least privilege needed to get the job done which, in this case, is making the changes via SSMS.


What does the SPDataAccess role allow?  According to TechNet, the SP_DATA_ACCESS role will have the following permissions:

  • Grant EXECUTE or SELECT on all SharePoint stored procedures and functions
  • Grant SELECT on all SharePoint tables
  • Grant EXECUTE on User-defined type where schema is dbo
  • Grant INSERT on AllUserDataJunctions table
  • Grant UPDATE on Sites view
  • Grant UPDATE on UserData view
  • Grant UPDATE on AllUserData table
  • Grant INSERT and DELETE on NameValuePair tables
  • Grant create table permission
Reference:  TechNet

October 2016 LOGbinder Newsletter: New version of LOGbinder for SharePoint

Mon, 31 Oct 2016 14:05:41 GMT

One of our team members was recently reminiscing about a past IT career and how at their organization SharePoint was a document storage facility hosting timesheets, resumes and the weeks’ cafeteria menu.  Years later, SharePoint has become a widely-used workflow platform for critical business processes and a clearing house for sensitive unstructured data.

Over the years, as we have had more interactions with our customers and audience, we have become convinced that SharePoint security auditing is a requirement for the millions of SharePoint customers around the world.  It seems that on a monthly and weekly basis we are hearing reports of more information leaks and data thefts.  You need the ability to open up closed applications like SharePoint and Exchange and see who’s doing what.

In May 2016 Microsoft released SharePoint 2016 but due to a bug in their Exchange 2016 release, we wanted to make sure that we performed very extensive testing of SharePoint auditing to make sure we didn’t discover any bugs there too.  We also performed very stringent testing of LOGbinder for SharePoint to make sure that our software continues to meet and exceed our internal standards.

What is new in LOGbinder for SharePoint 2016?

  1. Support for SharePoint 2016 On-Premises
  2. New installer – Our new installer automates some of the prerequisites required during the installation process.  Installation time is now just a couple of minutes.
  3. Improved service resilience – A few customers have reported to us that from time to time the LOGbinder service is stopped.  The detailed service logs showed that delays between SharePoint and the farms’ SQL Server were causing timeouts. These timeouts were being reported by SharePoint and were long enough to negatively impact the LOGbinder service.  Now the LOGbinder service will handle these interruptions with less impact.
  4. Weird username prefixes removal – Some customers were wondering why they are seeing weird characters prefixing usernames in the logs.  You can find more info about it here.  We have included an option to remove the claim type characters from the data.
  5. Site collection selection – Managing a handful of site collections is easy.  Some customers though have thousands and thousands of site collections being monitor.  Now you can use CTRL-A to select all site collections in the LOGbinder input.

These are just a few of the improvements in this release of LOGbinder for SharePoint.

Customers with current support and maintenance contracts can access the latest version at the link below.  To upgrade to the latest version just run the installer on top of the previous version.  No data or settings will be lost. Please note you will need to request a new license key for this version.  You can do so by clicking on File in the LOGbinder Control Panel, then License and send the license information to licensing@logbinder.com.

Related information

·         Release notes

·         Download

·         Getting Started Guide

·         Support



LOGbinder for SharePoint Restricted Lookups Option

Wed, 06 Jul 2016 14:55:50 GMT

LOGbinder for SharePoint by default makes every effort to fully translate and enrich SharePoint audit events through so called "lookups" where-in LOGbinder makes extra queries to SharePoint to obtain this information.  But there is a cost/benefit relationship to be considered.  Some events in the native SharePoint audit log include fields that are of low or no value to end users at many organizations.  Each field in the native log, including these low or no value fields, requires a lookup by LOGbinder to resolve the native SharePoint data in to user friendly data.  

For example, below is a sample of LOGbinder for SharePoint event ID 13: 

Document checked in
Occurred: 6/25/2016 1:13:04 PM
Site: http://sp2010-sp
User: Administrator
Object
  URL: Shared Documents/FinancialData.xlsx
  Title: n/a
  Version: 1.0 

As you can see in the above event, the “Title” field returned from SharePoint is “n/a”.  This is obviously of no value to the end user.  Since SharePoint includes these low/no value fields, LOGbinder for SharePoint includes an option to intelligently restrict the number of lookups it processes resulting in increased performance of LOGbinder.  You can manage the amount of SharePoint lookups by opening the LOGbinder Control Panel selecting File and then Options.  The amount of lookups performed by LOGbinder can be customized by choosing a value under “Amount of SharePoint lookups.”  See figure 1 below.

 
Figure 1: Managing the amount of SharePoint lookups

The fields that are affected (with the exception of the “Restrict all lookups option”) are all child fields of the targeted object.  “URL” is the most important field included in the events and that field is always reported except on some permission change events and only if the “Exclude high/medium-cost” option is selected. 

Most organizations who need to speed up LOGbinder can safely use the “Exclude high-cost lookups” option without losing significant audit information.  Please note that the “Exclude high/medium-cost” option does adversely impact permission change events. 

We have created a document that explains outlines which fields are affected depending on which option is selected when managing the amount of SharePoint lookups.  You can find a link to the document on the LOGbinder for SharePoint resources page or by clicking here.


December 2014 LOGbinder Newsletter: QRadar fully supports Exchange, SharePoint and SQL Server audit; Tech resources for security analysts

Fri, 19 Dec 2014 20:59:06 GMT

So far, 2014 has been a great year for application security intelligence. All the major SIEM providers offered new or additional integrations for LOGbinder. Hundreds more organizations deployed LOGbinder for their SIEM and many of them received significant features and updates from prior versions. We're thrilled with the results and hope you are too!

We are very excited to let you know that IBM Security's QRadar product team produced DSM integrations with all 3 LOGbinder products. This brings Exchange, SharePoint and SQL Server security audit logs to the QRadar-based SOC. In addition to the Device Support Module (DSM) support, LOGbinder has also received LEEF certification. The implications are huge. Now QRadar customers can consume critical security audit logs from their enterprise applications with minimal setup and configuration. LOGbinder collects, translates and delivers the audit information via LEEF-certified output. QRadar consumes that information and allows analysts to easily prioritize and present critical security correlations where, when and to whom it matters most.

To get the IBM Security QRadar DSM Configuration for Exchange, SharePoint and SQL Server, click the following links:

Curious about what SIEM solutions have solid Exchange, SharePoint and SQL Server security audit capability? More news is coming next month, but the full list is AccelOps, AlertLogic, AlienVault, Blue Lance, EventTracker, GFI EventsManager, IBM Security QRadar, HP ArcSight, LogPoint, LogRhythm, McAfee ESM (formerly Nitro), RSA Security Analytics (formerly enVision), Solarwinds LEM and Splunk.

What's coming with LOGbinder EX

Exchange audit is increasingly critical to security analysts. This means the demands on LOGbinder EX have increased too. Our development team has responded with new features, now in our labs for testing, to help security analysts dial-in on the new pain-points and remove them. Now, directly from the LOGbinder interface, security analysts can configure mailbox audit policy and autofill the PowerShell and Exchange server URL fields. These changes offer more than merely convenience. These new features allow far better mailbox “on-boarding” (and whatever the opposite of that is). And it makes it easier for security analysts to do their job; no more slow dances or hat-in-hand sessions with the Exchange admin(s).

Quick reference guide to security audit resources

This year LOGbinder sponsored Ultimate Windows Security webinars that many of you attended. Thank you! These webinar recordings still pack a punch with great information. So you will have these links in once place, we list them below. (You can still get the recordings. They're free.)

LOGbinder's core competence is application security audit technology for SIEMs. Not blog writing. But every now and then we fuse the use-case and technical know-how into a blog post. There's some good stuff there:

Thank you for your support. We'll catch up next year.


previous | next

powered by Bloget™