In conjunction with this release, we have also added a new support section at LOGbinder.com that we will be keeping up-to-date with the latest news, bulletins and features of the entire suite of LOGbinder products.

LOGbinder for SharePoint by default makes every effort to fully translate and enrich SharePoint audit events through so called "lookups" where-in LOGbinder makes extra queries to SharePoint to obtain this information.  But there is a cost/benefit relationship to be considered.  Some events in the native SharePoint audit log include fields that are of low or no value to end users at many organizations.  Each field in the native log, including these low or no value fields, requires a lookup by LOGbinder to resolve the native SharePoint data in to user friendly data.  

For example, below is a sample of LOGbinder for SharePoint event ID 13: 

Document checked in
Occurred: 6/25/2016 1:13:04 PM
Site: http://sp2010-sp
User: Administrator
Object
  URL: Shared Documents/FinancialData.xlsx
  Title: n/a
  Version: 1.0 

As you can see in the above event, the “Title” field returned from SharePoint is “n/a”.  This is obviously of no value to the end user.  Since SharePoint includes these low/no value fields, LOGbinder for SharePoint includes an option to intelligently restrict the number of lookups it processes resulting in increased performance of LOGbinder.  You can manage the amount of SharePoint lookups by opening the LOGbinder Control Panel selecting File and then Options.  The amount of lookups performed by LOGbinder can be customized by choosing a value under “Amount of SharePoint lookups.”  See figure 1 below.

The fields that are affected (with the exception of the “Restrict all lookups option”) are all child fields of the targeted object.  “URL” is the most important field included in the events and that field is always reported except on some permission change events and only if the “Exclude high/medium-cost” option is selected. 

Most organizations who need to speed up LOGbinder can safely use the “Exclude high-cost lookups” option without losing significant audit information.  Please note that the “Exclude high/medium-cost” option does adversely impact permission change events. 

We have created a document that explains outlines which fields are affected depending on which option is selected when managing the amount of SharePoint lookups.  You can find a link to the document on the LOGbinder for SharePoint resources page or by clicking here.

All LOGbinder licenses are perpetual – you pay only once for them. Which is great if you migrate to another SIEM. Because of this, LOGbinder continues to add value to the Security Operations Center long after the purchase.

We get questions from time to time about how our solutions are licensed. The information is posted on our website, but here’s a for quick reference for our current 3 products:

• LOGbinder for Exchange is licensed by the total active mailboxes in the Exchange organization
• LOGbinder for SharePoint is licensed by the total number of servers in the farm
• LOGbinder for SQL Server is licensed by the number of monitored instances

LOGbinder’s license is based on a metric that we can validate programmatically without site audits or a complicated update and upgrade process.

Few things are more important to organizations than monitoring what’s happening to its sensitive information. You should expect a SIEM solution to make it easy for customers to do that and stay up-to-date with that ability.

While most of our readers are familiar with the major SIEM players who work with LOGbinder, many periodically review their SIEM, and still others are looking to deploy one that suits their need.

This week we heard from 2 SIEM product development teams who recently put a lot of work into improving their product to address customers’ application audit needs.

• Intel Security’s McAfee ESM just updated their integration for all 3 LOGbinder solutions. McAfee ESM customers now have seamless access to the security events LOGbinder collects from Exchange, SharePoint and SQL Server. Get more information on the McAfee Enterprise Security Manager web page or download their SIEM Data Source Configuration for LOGbinder (18 March 2016 version).
• Logsign, a SIEM solution based in Turkey, has developed an integration with LOGbinder for SQL Server. They report tremendous customer interest in SQL Server audit logging and recognized LOGbinder’s solution as the best fit. We’re happy to welcome Logsign to our list of SIEM Synergy partners! Read more about Logsign at www.logsign.com.

Please recognize McAfee ESM and Logsign for giving priority to application security audit with LOGbinder integration! We really appreciate the effort, but more important, their customers’ threat intelligence just got better.

There are of course other SIEM providers who put effort into offering their customers LOGbinder integration. Randy Franklin Smith from Ultimate Windows Security has compiled a list of the log management solutions that make it simple and painless to consume Exchange, SharePoint and/or SQL Server audit logs. You can browse his list here: https://www.ultimatewindowssecurity.com/recommended-SIEMs/Default.aspx. Note: the SIEMs who proactively built their own LOGbinder integrations are at the top of the list.

On 10 February 2016 Microsoft posted a notice to remind customers that Exchange is not compatible with the .NET Framework 4.6.1 that was recommended as an update on 9 Feb 2016. In fact, there are known issues if the new version is installed.

The Exchange Team blog post told Exchange customers to delay upgrading to .NET Framework 4.6.1, and updated their post 12 Feb 2016 to provide the steps to roll back to .NET Framework 4.5.2 if the update took place. You can read the post here: http://blogs.technet.com/b/exchange/archive/2016/02/10/on-net-framework-4-6-1-and-exchange-compatibility.aspx.

LOGbinder is targeted to .NET Framework 3.5 for compatibility reasons. Many customers reported issues when we targeted 4.x.