Is Windows Event Collection a problem for you? We hear (a lot) that
organizations struggle with collecting Windows Events. It’s not that their SIEM
struggles, but rather there is a gap in the technology to deliver Windows Event
Collection (WEC) data from hundreds or thousands of machines to SIEM at
sufficient speed.
We like to solve problems yet to be solved, and
therefore would love to hear from you about your experience with WEC. Would it
help you to have a LOGbinder for Windows
that could deliver relevant security events to your SIEM? If so, what SIEM do
you use?
This issue strikes at the very heart of our core belief that
important security event information
should be in the SIEM. We love SIEMs and we love solving the little
problems so the SIEMs and their security analysts can pay attention to the big
stuff.
What your SIEM doesn’t know about endpoints can kill you. If
your SIEM (or your security analysts) doesn’t have the security event information
from all those Windows machines in the organization in a timely manner –
whether they are remotely connected or not – and that’s a big problem for
you, please tell us. If it’s not a problem, please tell us that, too, and also which
SIEM you use. We’ll share that with our audience.
This brings us to another topic related to what SIEMs do
(and don’t do).
It’s not your SIEM’s
fault that it can’t consume audit logs from Exchange, SharePoint, SQL Server or
even SAP via normal collection means. No SIEM can do this. Sometimes people
forget that a SIEM’s job is to provide the analysis tools; it’s not the SIEM’s
job to change hats and perform ad hoc coding to address all the different application
audit log frameworks. For that, you need the insight and best effort of a
subject matter expert focused on getting the information to a SIEM. That is
exactly where LOGbinder came from: the insight and effort of an application security subject
matter expert.
Tech Tip: Manage the audit performance by tweaking the amount of excess information attached to the audit
One of the new features of LOGbinder SP 5.0 is the ability
to dial back internal processing to tweak audit performance. LOGbinder SP allows the control of how many
lookups it should perform in order to obtain additional information while
translating raw audit events to easy-to-understand audit entries. Examples of
this could be resolving a user ID to user name or an object GUID to the actual
name of the object. We include recommendations to help guide you in our LOGbinder SP Getting Started Guide. See pages 8 and 9 for
details.
It’s Renewal Time
For many of you, this month is the month to renew your
support and maintenance contract. There are good reasons for doing so. For one
thing, you fix your support costs and get help immediately. For another, you
have access to software updates at no additional cost. This year has seen major
updates to LOGbinder software and we’re not done yet. We expect to release automatic mailbox audit policy management
for Exchange from within the LOGbinder EX application! This is a huge
advance, for not just LOGbinder EX but for Exchange Auditing in general, and
customers who are current with their support and maintenance contract get it
for no additional money.
Where to find information about LOGbinder events
Every month we answer about 150,000 questions about events.
But where do you go if you have a specific question about an event reported by
LOGbinder? Some of our SIEM Synergy partners have collaborated with us to
provide a hyperlink within their application to take you directly to the
relevant event ID page. So when you see an event you wish to research, clicking
on the hyperlinked Event ID will take you directly to the details page on
Ultimate Windows Security’s Online Encyclopedia.
But what if your SIEM
doesn’t have a hyperlink to the right page? You can still get the
information by browsing to UltimateWindowsSecurity.com and clicking on
Security, then Encyclopedia. (https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/Default.aspx)
Once there, select the source of the event (All Sources, Windows Audit,
SharePoint Audit, SQL Server Audit or Exchange Audit). If you want to narrow
the list, use the drop-down box on the right; otherwise browse the list of events and
click on the appropriate one to get the full details. We list the events in
numerical order, so they’re easy to find. (By the way, when you get a chance,
send a note to your SIEM’s product manager to ask them to finish their
integration so you can save yourself the trouble next time when you need the
event information.)
If you still can’t find your answer there, then click on the
blue “Ask a question about this event” button and post your question in the Ultimate
Windows Security forum. LOGbinder is now
sponsoring an Exchange, SQL and SharePoint forum there and you can expect a
quick response from one of our technical engineers.
Tech Tip: How to find the status of Exchange Server 2013 audit log requests
Exchange Server’s audit search function is asynchronous. That
makes sense for Exchange, but it gives heartburn to security analysts who have to “wait
in faith”. The good news is that you can see the status of those audit requests
via a PowerShell cmdlet; the
bad news is that only Exchange 2013 supports it. In Exchange 2013, you can
retrieve a list of current audit log searches with the Get-AuditLogSearch cmdlet.
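As an added example (not from the newsletter), here is the queue-and-check workflow in the Exchange 2013 Management Shell: queue a mailbox audit log search, then list the searches that are still pending. The cmdlet and parameter names are the Exchange 2013 ones; the recipient address is a placeholder, and the property names passed to Select-Object and Format-List are assumptions about the search objects that may need adjusting.

```powershell
# Added example: run in the Exchange Management Shell on Exchange 2013.
# Queue an asynchronous mailbox audit log search covering the last 7 days.
# Exchange e-mails the results to StatusMailRecipients when the search finishes.
New-MailboxAuditLogSearch -Name "Weekly mailbox audit review" `
    -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -StatusMailRecipients "secops@example.com"   # placeholder address

# Check what is still outstanding. Get-AuditLogSearch lists current searches
# that have not completed yet, so an empty result means the request above
# has already been processed and its results mailed out.
# (Property names below are assumed; use Format-List * to see the real ones.)
Get-AuditLogSearch -Type MailboxAuditLog -CreatedAfter (Get-Date).AddDays(-1) |
    Select-Object Name, StartDateUtc, EndDateUtc, CreatedBy, StatusMailRecipients |
    Format-Table -AutoSize

# Administrator audit log searches are queued with New-AdminAuditLogSearch
# and tracked the same way:
Get-AuditLogSearch -Type AdminAuditLog |
    Format-List Name, StartDateUtc, EndDateUtc, StatusMailRecipients
```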
For more tips on application security intelligence, be sure
to watch our blog updates at www.logbinder.com/Blog
and sign up for the Real Training for Free™ webinars at
Ultimate Windows Security’s web site.