LOGbinder Blog

Updates, Tips and News

Support for Exchange 2016 Auditing; New Features in LOGbinder for SQL Server

Wed, 15 Aug 2018 11:38:50 GMT

Exchange 2016 support

We are happy to announce support for Exchange 2016. Now you may be thinking 2016; wasn't that years ago?  It's true, Exchange 2016 was released in 2015 but because of a bug that seemed to have been introduced with the 2016 version, LOGbinder was not able to support it.  At the time we discovered it almost two years ago, we worked with Microsoft to confirm this behavior. This is what Microsoft said at that time:

  • The issue is caused by the limit of 100 search folders in a particular mailbox. Before any new search can start, the old search folder has to age out and needs to be cleared. If this does not happen then it would fail.
  • We cannot modify these search folder limits, as it is by design.
  • We also found that it would take approx. 12 hrs to reset the search folders count so that we can run a new query.

The above limitations posed such restrictions on the auditing capabilities of Exchange, that LOGbinder was not able to support Exchange 2016 at that time.

Our latest tests reveal that this has since been resolved and the above limitations have been removed in the latest cumulative updates. We have confirmed this to be true starting with CU6.

Therefore, LOGbinder now fully supports Exchange 2016 CU6+.

You can download LOGbinder for Exchange from our website and start auditing your Exchange environment.

SQL Server 2017

Microsoft released SQL Server 2017 and along with it they introduced new audit events. We have included these events in the latest LOGbinder for SQL Server version, adding events 24338-24348 and 24350-24375. These events are related to permissions on database scoped credentials and external libraries, and creating and dropping external libraries and database scoped resource governors, among some other events.

Additional new features in version 4:

  • Adding inputs in bulk from a CSV file. 
    • This is useful for users who have dozens or more inputs.  These inputs can now be added all at once instead of one by one.
  • As a counterpart to adding inputs in bulk, selecting and deleting multiple inputs is now also enabled.
  • Improved resilience: the service no longer stops if one of the inputs is temporarily unavailable.
    • This means that if there are many inputs monitored by LOGbinder for SQL Server and one or more of them is temporarily down or inaccessible, auditing will continue uninterrupted for the rest of the inputs.  For the unavailable inputs a warning will be generated and sent to the output.

Please download LOGbinder for SQL Server version 4.0 from our website to start auditing your SQL Server 2017.

After downloading LOGbinder for SQL Server version 4, if you have a current active support and maintenance license, you will have to request a new license key by opening a ticket at the https://support.logbinder.com site. If you do not currently own a license, please contact sales at LOGbinder for a quote.


How to Monitor Active Directory Changes for Free: Using Splunk Free, Supercharger Free and the New Splunk App for LOGbinder

Fri, 02 Jun 2017 13:35:28 GMT
No matter how big or small you are, whether you have budget or not – you need to be monitoring changes in Active Directory.  There are awesome Active Directory audit solutions out there.  And ideally you are using one of them.  But if for whatever reason you can’t, you still have AD and it still needs to be monitored.  This solution helps you do just that.  

Yesterday during Randy Franklin Smith’s webinar: How to Monitor Active Directory Changes for Free: Using Splunk Free, Supercharger Free and My New Splunk App we released a version of our Splunk App for LOGbinder.  Not only is this application free, but with the help of our just announced free edition of Supercharger for Windows Event Collection, we demonstrate the power of WEC’s XPath filtering to deliver just the relevant events to Splunk Free and stay within the 500MB daily limit of Splunk Light’s free edition.  It’s a trifecta of free tools that produces this:

Among other abilities, our new Splunk App puts our deep knowledge of the Windows Security Log to work by analyzing events to provide an easy to use but powerful dashboard of changes in Active Directory.  You can see what’s been changing in AD sliced up:

  • by object type (users, groups, GPOs, etc.)
  • by domain
  • by time
  • by administrator

Too many times we see dashboards that showcase the biggest and highest frequency actors and subjects but get real – most of the time what you are looking for is the needle – not the haystack.  So we show the smallest, least frequent actors and objects too.  

Just because it’s free doesn’t mean it’s low value.  We put some real work into this.  We always learn something new about our own little AD lab environment when we bring this app up.  To make this app work we had to make some improvements to how Splunk parses Windows Security Events.  The problem with stuff built by non-specialists is that it suffices for filling in a bullet point like “native parsing of Windows Security Logs” but doesn’t come through when you get serious about analysis.  Case in point: Splunk treats these two very different fields in the below event as one:

As you can see, rsmith created the new user cmartin.  But check out what Splunk does with that event:


Whoah! So there’s no difference between the actor and the target of a critical event like a new account being created?  One Splunker tells me they have dealt with this issue by ordinal position, but we are frightened that actor and target could switch positions.  Anyway, it’s ugly.  Here’s what the same event looks like once you install our Splunk App:


That’s what we’re talking about! Hey, executives may say that’s just the weeds but we know that with security the devil is in the details.  

Now, you knowledgeable Splunkers out there are probably wondering if we get these events by defining them at index time.  And the answer is “no”.  Randy provided the Windows Security Log brains but we got a real Splunker to build the app and you’ll be happy to know that Imre defined these new fields as search time fields.  So this works on old events already indexed and more importantly doesn’t impact indexing.  We tried to do this right.
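The actor/target collapse described above is easy to reproduce outside Splunk. The following is an added example written for this page, not code from the LOGbinder Splunk App or from Splunk: a small Python parser that reads the text of a Windows Security event 4720 ("A user account was created") and shows the difference between a section-blind extractor, which sees two "Account Name" fields and merges them, and a section-aware one that keys each field by the block it appears in ("Subject" versus "New Account"). The sample message body is constructed; the SIDs, domain and user names are placeholders, and the output field names (Subject_Account_Name and so on) are this example's own naming, not the app's.

```python
"""Section-aware parsing of Windows Security event 4720 message text (added example)."""
import re
from collections import defaultdict

# Constructed sample of a 4720 message body; SIDs, domain and names are placeholders.
SAMPLE_4720 = """A user account was created.

Subject:
\tSecurity ID:\t\tS-1-5-21-1111111111-2222222222-3333333333-1104
\tAccount Name:\t\trsmith
\tAccount Domain:\t\tCONTOSO
\tLogon ID:\t\t0x3E7

New Account:
\tSecurity ID:\t\tS-1-5-21-1111111111-2222222222-3333333333-1109
\tAccount Name:\t\tcmartin
\tAccount Domain:\t\tCONTOSO

Attributes:
\tSAM Account Name:\tcmartin
\tDisplay Name:\t\tChris Martin
\tUser Principal Name:\tcmartin@contoso.local
"""

# A section header sits at column 0 and ends with a colon, e.g. "Subject:" or "New Account:".
SECTION_RE = re.compile(r"^(\S[^:]*):\s*$")
# A field line is indented and has the form "<name>:<whitespace><value>".
FIELD_RE = re.compile(r"^\s+([^:]+):\s*(.*?)\s*$")


def naive_fields(message):
    """Section-blind extraction: every 'Account Name' lands in the same bucket,
    so actor and target are indistinguishable except by ordinal position."""
    fields = defaultdict(list)
    for line in message.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)].append(m.group(2))
    return dict(fields)


def sectioned_fields(message):
    """Section-aware extraction: prefix each field with the block it belongs to,
    so 'Subject_Account_Name' and 'New_Account_Account_Name' are distinct keys."""
    fields = {}
    section = None
    for line in message.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).replace(" ", "_")
            continue
        m = FIELD_RE.match(line)
        if m and section:
            key = f"{section}_{m.group(1).replace(' ', '_')}"
            fields[key] = m.group(2)
    return fields


def actor_and_target(message):
    """Return (who created the account, which account was created)."""
    f = sectioned_fields(message)
    return f["Subject_Account_Name"], f["New_Account_Account_Name"]


if __name__ == "__main__":
    print("naive:    ", naive_fields(SAMPLE_4720)["Account Name"])
    actor, target = actor_and_target(SAMPLE_4720)
    print("sectioned:", f"{actor} created {target}")
```

Keying on the section header rather than on field order is what makes the extraction robust: if Microsoft ever reorders the blocks, or a different event ID lists the target before the subject, the section-aware fields still land in the right place, whereas an ordinal rule silently swaps actor and target.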

Plus, we made sure this app works whether you consume events directly from the Security log on each computer or via Windows Event Collection (which is what we recommend, with the help of Supercharger).
 
To learn more about the overall solution please watch the webinar, which is available on demand at https://www.ultimatewindowssecurity.com/webinars/watch.aspx?ID=1439

For those of you new to Splunk, we’ll quickly show you how to install Splunk Free and our Splunk App.  Then we’ll show you how, in 5 minutes, our free edition of Supercharger for Windows Event Collection can have your domain controllers efficiently forwarding just the relative trickle of relevant change events to Splunk.  Then we’ll start rendering some beautiful dashboards and drilling down into those events.  We will briefly show you how this same Splunk app can also analyze SharePoint, SQL Server and Exchange security activity produced by our LOGbinder product and mix all of that activity with AD changes and plot it on a single pane of glass.

Or check out the solution page at https://www.logbinder.com/Solutions/ActiveDirectory where there are links to the step-by-step directions.

And if you are already proficient with Splunk and collecting domain controller logs you can get the Splunk app at https://www.logbinder.com/Resources/ and look under SIEM Integration.  

For technical support please use the appropriate forum at forum.logbinder.com 

December 2016 LOGbinder Newsletter: New version of LOGbinder for SQL Server

Fri, 23 Dec 2016 10:48:01 GMT
In June 2016 Microsoft released SQL Server 2016 but due to a bug in their Exchange 2016 release, we wanted to make sure that we performed very extensive testing of this latest version of SQL Server and its new auditing features to make sure we didn’t discover any bugs there too.  We also performed very stringent testing of LOGbinder for SQL Server to make sure that our software continues to meet and exceed our internal standards.

With the release of SQL Server 2016 came not only many new features but also some new audit events. These include audit events related to committing and rollback of transactions, handling master keys, column encryption keys, database scoped credentials, as well as events related to external data sources (think, for example, Hadoop), external file formats and external resource pools.

LOGbinder for SQL Server 3.0 includes the ability to handle these new events as well as many other improvements. Here are some of the highlights:

  1. Support for SQL Server 2016
  2. New installer – Our new installer automates some of the prerequisites required during the installation process.  Installation time is now just a couple of minutes.
  3. Improved service resilience – We have improved on the delay that was reported by some customers when restarting/starting/stopping the service.
  4. Purge processed files - We have added a new option to purge SQL audit files that are no longer being used by SQL Server and have already been processed by LOGbinder.
  5. Enhanced application activity events - Information events written to the Windows Application log now include statistics including entries exported, elapsed processing time and events per second (EPS).

These are just a few of the improvements in this release of LOGbinder for SQL Server. For full details, check the release notes below.

Customers with current support and maintenance contracts can access the latest version at the link below.  To upgrade to the latest version just run the installer on top of the previous version.  No data or settings will be lost. Please note you will need to request a new license key for this version.  You can do so by clicking on File in the LOGbinder Control Panel, then License and send the license information to licensing@logbinder.com.

Related information

Thank you for your hard work in protecting sensitive information, and thank you for your support!


October 2016 LOGbinder Newsletter: New version of LOGbinder for SharePoint

Mon, 31 Oct 2016 14:05:41 GMT

One of our team members was recently reminiscing about a past IT career and how at their organization SharePoint was a document storage facility hosting timesheets, resumes and the week’s cafeteria menu.  Years later, SharePoint has become a widely-used workflow platform for critical business processes and a clearing house for sensitive unstructured data.

Over the years, as we have had more interactions with our customers and audience, we have become convinced that SharePoint security auditing is a requirement for the millions of SharePoint customers around the world.  It seems that on a monthly and weekly basis we are hearing reports of more information leaks and data thefts.  You need the ability to open up closed applications like SharePoint and Exchange and see who’s doing what.

In May 2016 Microsoft released SharePoint 2016 but due to a bug in their Exchange 2016 release, we wanted to make sure that we performed very extensive testing of SharePoint auditing to make sure we didn’t discover any bugs there too.  We also performed very stringent testing of LOGbinder for SharePoint to make sure that our software continues to meet and exceed our internal standards.

What is new in LOGbinder for SharePoint 2016?

  1. Support for SharePoint 2016 On-Premises
  2. New installer – Our new installer automates some of the prerequisites required during the installation process.  Installation time is now just a couple of minutes.
  3. Improved service resilience – A few customers have reported to us that from time to time the LOGbinder service is stopped.  The detailed service logs showed that delays between SharePoint and the farms’ SQL Server were causing timeouts. These timeouts were being reported by SharePoint and were long enough to negatively impact the LOGbinder service.  Now the LOGbinder service will handle these interruptions with less impact.
  4. Weird username prefixes removal – Some customers were wondering why they are seeing weird characters prefixing usernames in the logs.  You can find more info about it here.  We have included an option to remove the claim type characters from the data.
  5. Site collection selection – Managing a handful of site collections is easy.  Some customers though have thousands and thousands of site collections being monitored.  Now you can use CTRL-A to select all site collections in the LOGbinder input.

These are just a few of the improvements in this release of LOGbinder for SharePoint.

Customers with current support and maintenance contracts can access the latest version at the link below.  To upgrade to the latest version just run the installer on top of the previous version.  No data or settings will be lost. Please note you will need to request a new license key for this version.  You can do so by clicking on File in the LOGbinder Control Panel, then License and send the license information to licensing@logbinder.com.

Related information

  • Release notes
  • Download
  • Getting Started Guide
  • Support



December 2014 LOGbinder Newsletter: QRadar fully supports Exchange, SharePoint and SQL Server audit; Tech resources for security analysts

Fri, 19 Dec 2014 20:59:06 GMT

So far, 2014 has been a great year for application security intelligence. All the major SIEM providers offered new or additional integrations for LOGbinder. Hundreds more organizations deployed LOGbinder for their SIEM and many of them received significant features and updates from prior versions. We're thrilled with the results and hope you are too!

We are very excited to let you know that IBM Security's QRadar product team produced DSM integrations with all 3 LOGbinder products. This brings Exchange, SharePoint and SQL Server security audit logs to the QRadar-based SOC. In addition to the Device Support Module (DSM) support, LOGbinder has also received LEEF certification. The implications are huge. Now QRadar customers can consume critical security audit logs from their enterprise applications with minimal setup and configuration. LOGbinder collects, translates and delivers the audit information via LEEF-certified output. QRadar consumes that information and allows analysts to easily prioritize and present critical security correlations where, when and to whom it matters most.

To get the IBM Security QRadar DSM Configuration for Exchange, SharePoint and SQL Server, click the following links:

Curious about what SIEM solutions have solid Exchange, SharePoint and SQL Server security audit capability? More news is coming next month, but the full list is AccelOps, AlertLogic, AlienVault, Blue Lance, EventTracker, GFI EventsManager, IBM Security QRadar, HP ArcSight, LogPoint, LogRhythm, McAfee ESM (formerly Nitro), RSA Security Analytics (formerly enVision), Solarwinds LEM and Splunk.

What's coming with LOGbinder EX

Exchange audit is increasingly critical to security analysts. This means the demands on LOGbinder EX have increased too. Our development team has responded with new features, now in our labs for testing, to help security analysts dial-in on the new pain-points and remove them. Now, directly from the LOGbinder interface, security analysts can configure mailbox audit policy and autofill the PowerShell and Exchange server URL fields. These changes offer more than merely convenience. These new features allow far better mailbox “on-boarding” (and whatever the opposite of that is). And it makes it easier for security analysts to do their job; no more slow dances or hat-in-hand sessions with the Exchange admin(s).

Quick reference guide to security audit resources

This year LOGbinder sponsored Ultimate Windows Security webinars that many of you attended. Thank you! These webinar recordings still pack a punch with great information. So you will have these links in one place, we list them below. (You can still get the recordings. They're free.)

LOGbinder's core competence is application security audit technology for SIEMs. Not blog writing. But every now and then we fuse the use-case and technical know-how into a blog post. There's some good stuff there:

Thank you for your support. We'll catch up next year.

