Timely removal of the audit log from the monitored
environment is absolutely critical. Thanks to a diligent customer’s incredible
level of testing we discovered something that jeopardizes that timely removal
of Exchange audit data. We think everybody should know about this topic, so this
week we are sponsoring a special webinar about Exchange mailbox auditing. Every
security analyst and sysadmin in an Exchange organization should plan to attend in person,
or at least register to get the recording.
The background, of course, is that without help your SIEM
can’t tell you that someone other than the CEO is reading his or her mailbox.
This is a blind spot no SIEM can afford to ignore, so the solution is a
programmatic means of retrieving and delivering those logs: LOGbinder for
Exchange.
However, and this is the important part, LOGbinder’s support
and development team investigated and reported what Microsoft later confirmed was
a bug: the PowerShell cmdlet used for programmatic
mailbox audit search has a flaw that produces inconsistent audit results if
used to retrieve audit logs less than 24 hours after the event took place.
We informed Microsoft of our findings and they confirmed the
bug after their own investigation. They also told us they had no timeline to
fix the bug and suggested that users simply request audit logs some twenty-four hours after the event took place.
We will continue to work with Microsoft on this issue and hope they do resolve
it.
A delay of 24 hours
is 24 hours too much. Added to that, a fix for the Exchange mailbox audit bug may
be a long time in coming from Microsoft, if it ever comes.
In last week’s webinar we showed you what we have done
with LOGbinder to ensure complete audit results. And you will have an
opportunity to register for a beta edition of LOGbinder for Exchange that
offers a new feature to effectively remove the issue for high-priority
mailboxes.
We urge you to view this special webinar, "Detect
and monitor threats to your executive mailboxes with Exchange Server mailbox
auditing". Click the
links below to read the webinar abstract and to register for the recorded version and slide deck.
Click to register
for the recorded version.
All registrations are free.