LOGbinder Blog


Recently exposed Exchange mailbox audit bug and what can be done to overcome it

Mon, 07 Dec 2015 17:21:29 GMT

Timely removal of the audit log from the monitored environment is absolutely critical. Thanks to a diligent customer’s incredible level of testing, we discovered something that jeopardizes the timely removal of Exchange audit data. We think everybody should know about this topic, so this week we are sponsoring a special webinar about Exchange mailbox auditing. Every security analyst and sysadmin in an Exchange organization should plan to attend in person, or at least register to get the recording.

The background, of course, is that without help your SIEM can’t tell you that someone other than the CEO is reading his or her mailbox. This is a blind spot no SIEM can afford to ignore, so the solution is a programmatic means of retrieving and delivering those logs: LOGbinder for Exchange.

However, and this is the important part, LOGbinder’s support and development team investigated and reported what Microsoft later confirmed was a bug: the PowerShell cmdlet used for programmatic mailbox audit search has a flaw that produces inconsistent audit results when it is used to retrieve audit logs less than 24 hours after the events took place.

We informed Microsoft of our findings and they confirmed the bug after their own investigation. They also told us they had no timeline to fix the bug and suggested that users simply request audit logs some twenty-four hours after the event took place. We will continue to work with Microsoft on this issue and hope they do resolve it.

A delay of 24 hours is 24 hours too much. Added to that, a fix for the Exchange mailbox audit bug may be a long time in coming from Microsoft, if it ever comes.

In last week’s webinar we showed you what we have done with LOGbinder to ensure complete audit results. And you will have an opportunity to register for a beta edition of LOGbinder for Exchange that offers a new feature to effectively remove the issue for high-priority mailboxes.

We urge you to view this special webinar, "Detect and monitor threats to your executive mailboxes with Exchange Server mailbox auditing". Click the links below to read the webinar abstract and to register for the recorded version and slide deck.

Click to register for the recorded version.

All registrations are free.
