LOGbinder Blog


December 2016 LOGbinder Newsletter: New version of LOGbinder for SQL Server

Fri, 23 Dec 2016 10:48:01 GMT
In June 2016 Microsoft released SQL Server 2016. Because of a bug in their Exchange 2016 release, we performed very extensive testing of this latest version of SQL Server and its new auditing features to make sure we didn’t discover any bugs there too.  We also performed very stringent testing of LOGbinder for SQL Server to make sure that our software continues to meet and exceed our internal standards.

With the release of SQL Server 2016 came not only many new features but also some new audit events. These include audit events related to committing and rolling back transactions, handling master keys, column encryption keys and database scoped credentials, as well as events related to external data sources (think, for example, Hadoop), external file formats and external resource pools.

LOGbinder for SQL Server 3.0 includes the ability to handle these new events as well as many other improvements. Here are some of the highlights:

  1. Support for SQL Server 2016
  2. New installer – Our new installer automates some of the prerequisites required during the installation process.  Installation time is now just a couple of minutes.
  3. Improved service resilience – We have improved on the delay that was reported by some customers when restarting/starting/stopping the service.
  4. Purge processed files – We have added a new option to purge SQL audit files that are no longer being used by SQL Server and have already been processed by LOGbinder.
  5. Enhanced application activity events - Information events written to the Windows Application log now include statistics including entries exported, elapsed processing time and events per second (EPS).

These are just a few of the improvements in this release of LOGbinder for SQL Server. For full details, check the release notes below.

Customers with current support and maintenance contracts can access the latest version at the link below.  To upgrade to the latest version just run the installer on top of the previous version.  No data or settings will be lost. Please note you will need to request a new license key for this version.  You can do so by clicking on File in the LOGbinder Control Panel, then License and send the license information to licensing@logbinder.com.

Related information

Thank you for your hard work in protecting sensitive information, and thank you for your support!


October 2016 LOGbinder Newsletter: New version of LOGbinder for SharePoint

Mon, 31 Oct 2016 14:05:41 GMT

One of our team members was recently reminiscing about a past IT career and how at their organization SharePoint was a document storage facility hosting timesheets, resumes and the week’s cafeteria menu.  Years later, SharePoint has become a widely-used workflow platform for critical business processes and a clearing house for sensitive unstructured data.

Over the years, as we have had more interactions with our customers and audience, we have become convinced that SharePoint security auditing is a requirement for the millions of SharePoint customers around the world.  It seems that on a monthly and weekly basis we are hearing reports of more information leaks and data thefts.  You need the ability to open up closed applications like SharePoint and Exchange and see who’s doing what.

In May 2016 Microsoft released SharePoint 2016. Because of a bug in their Exchange 2016 release, we performed very extensive testing of SharePoint auditing to make sure we didn’t discover any bugs there too.  We also performed very stringent testing of LOGbinder for SharePoint to make sure that our software continues to meet and exceed our internal standards.

What is new in LOGbinder for SharePoint 2016?

  1. Support for SharePoint 2016 On-Premises
  2. New installer – Our new installer automates some of the prerequisites required during the installation process.  Installation time is now just a couple of minutes.
  3. Improved service resilience – A few customers have reported to us that from time to time the LOGbinder service is stopped.  The detailed service logs showed that delays between SharePoint and the farm’s SQL Server were causing timeouts. These timeouts were being reported by SharePoint and were long enough to negatively impact the LOGbinder service.  Now the LOGbinder service will handle these interruptions with less impact.
  4. Removal of weird username prefixes – Some customers were wondering why they were seeing weird characters prefixing usernames in the logs.  You can find more info about it here.  We have included an option to remove the claim type characters from the data.
  5. Site collection selection – Managing a handful of site collections is easy.  Some customers, though, have thousands and thousands of site collections being monitored.  Now you can use CTRL-A to select all site collections in the LOGbinder input.

These are just a few of the improvements in this release of LOGbinder for SharePoint.

Customers with current support and maintenance contracts can access the latest version at the link below.  To upgrade to the latest version just run the installer on top of the previous version.  No data or settings will be lost. Please note you will need to request a new license key for this version.  You can do so by clicking on File in the LOGbinder Control Panel, then License and send the license information to licensing@logbinder.com.

Related information

  • Release notes
  • Download
  • Getting Started Guide
  • Support



December 2014 LOGbinder Newsletter: QRadar fully supports Exchange, SharePoint and SQL Server audit; Tech resources for security analysts

Fri, 19 Dec 2014 20:59:06 GMT

So far, 2014 has been a great year for application security intelligence. All the major SIEM providers offered new or additional integrations for LOGbinder. Hundreds more organizations deployed LOGbinder for their SIEM and many of them received significant features and updates from prior versions. We're thrilled with the results and hope you are too!

We are very excited to let you know that IBM Security's QRadar product team produced DSM integrations with all 3 LOGbinder products. This brings Exchange, SharePoint and SQL Server security audit logs to the QRadar-based SOC. In addition to the Device Support Module (DSM) support, LOGbinder has also received LEEF certification. The implications are huge. Now QRadar customers can consume critical security audit logs from their enterprise applications with minimal setup and configuration. LOGbinder collects, translates and delivers the audit information via LEEF-certified output. QRadar consumes that information and allows analysts to easily prioritize and present critical security correlations where, when and to whom it matters most.

To get the IBM Security QRadar DSM Configuration for Exchange, SharePoint and SQL Server, click the following links:

Curious about what SIEM solutions have solid Exchange, SharePoint and SQL Server security audit capability? More news is coming next month, but the full list is AccelOps, AlertLogic, AlienVault, Blue Lance, EventTracker, GFI EventsManager, IBM Security QRadar, HP ArcSight, LogPoint, LogRhythm, McAfee ESM (formerly Nitro), RSA Security Analytics (formerly enVision), Solarwinds LEM and Splunk.

What's coming with LOGbinder EX

Exchange audit is increasingly critical to security analysts. This means the demands on LOGbinder EX have increased too. Our development team has responded with new features, now in our labs for testing, to help security analysts dial in on the new pain points and remove them. Now, directly from the LOGbinder interface, security analysts can configure mailbox audit policy and autofill the PowerShell and Exchange server URL fields. These changes offer more than merely convenience. These new features allow far better mailbox “on-boarding” (and whatever the opposite of that is). And it makes it easier for security analysts to do their job; no more slow dances or hat-in-hand sessions with the Exchange admin(s).

Quick reference guide to security audit resources

This year LOGbinder sponsored Ultimate Windows Security webinars that many of you attended. Thank you! These webinar recordings still pack a punch with great information. So that you have these links in one place, we list them below. (You can still get the recordings. They're free.)

LOGbinder's core competence is application security audit technology for SIEMs. Not blog writing. But every now and then we fuse the use-case and technical know-how into a blog post. There's some good stuff there:

Thank you for your support. We'll catch up next year.


November 2014 LOGbinder Newsletter: Windows Event Collection and your SIEM; 2 Tech Tips for security analysts

Mon, 24 Nov 2014 19:34:00 GMT

Is Windows Event Collection a problem for you? We hear (a lot) that organizations struggle with collecting Windows Events. It’s not that their SIEM struggles, but rather that there is a gap in the technology to deliver Windows Event Collection (WEC) data from hundreds or thousands of machines to the SIEM at sufficient speed.

We like to solve problems yet to be solved, and therefore would love to hear from you about your experience with WEC. Would it help you to have a LOGbinder for Windows that could deliver relevant security events to your SIEM? If so, what SIEM do you use?

This issue strikes at the very heart of our core belief that important security event information should be in the SIEM. We love SIEMs and we love solving the little problems so the SIEMs and their security analysts can pay attention to the big stuff.

What your SIEM doesn’t know about endpoints can kill you. If your SIEM (or your security analysts) don’t have the security event information from all those Windows machines in the organization in a timely manner – whether they are remotely connected or not – and if that’s a big problem for you, please tell us. If it’s not a problem, please tell us that, too, and also which SIEM you use. We’ll share that with our audience.

This brings us to another topic related to what SIEMs do (and don’t do).

It’s not your SIEM’s fault that it can’t consume audit logs from Exchange, SharePoint, SQL Server or even SAP via normal collection means. No SIEM can do this. Sometimes people forget that a SIEM’s job is to provide the analysis tools; it’s not the SIEM’s job to change hats and perform ad hoc coding to address all the different application audit log frameworks. For that, you need the insight and best effort of a subject matter expert focused on getting the information to a SIEM. That is exactly where LOGbinder came from: the insight and effort of an application security subject matter expert.

Tech Tip: Manage the audit performance by tweaking the amount of excess information attached to the audit

One of the new features of LOGbinder SP 5.0 is the ability to dial back internal processing to tweak audit performance.  LOGbinder SP allows you to control how many lookups it performs to obtain additional information while translating raw audit events into easy-to-understand audit entries. Examples of this include resolving a user ID to a user name or an object GUID to the actual name of the object. We include recommendations to help guide you in our LOGbinder SP Getting Started Guide. See pages 8 and 9 for details.

It’s Renewal Time

For many of you, this month is the month to renew your support and maintenance contract. There are good reasons for doing so. For one thing you fix your support costs and get help immediately. For another, you have access to software updates at no additional cost. This year has seen major updates to LOGbinder software and we’re not done yet. We expect to release automatic mailbox audit policy management for Exchange from within the LOGbinder EX application! This is a huge advance, for not just LOGbinder EX but for Exchange Auditing in general, and customers who are current with their support and maintenance contract get it for no additional money.

Where to find information about LOGbinder events

Every month we answer about 150,000 questions about events. But where do you go if you have a specific question about an event reported by LOGbinder? Some of our SIEM Synergy partners have collaborated with us to provide a hyperlink within their application to take you directly to the relevant event ID page. So when you see an event you wish to research, clicking on the hyperlinked Event ID will take you directly to the details page on Ultimate Windows Security’s Online Encyclopedia.

But what if your SIEM doesn’t have a hyperlink to the right page? You can still get the information by browsing to UltimateWindowsSecurity.com and clicking on Security, then Encyclopedia. (https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/Default.aspx) Once there, select the source of the event (All Sources, Windows Audit, SharePoint Audit, SQL Server Audit or Exchange Audit). If you want to narrow the list use the drop-down box on the right, else browse the list of events and click on the appropriate one to get the full details. We list the events in numerical order, so they’re easy to find. (By the way, when you get a chance, send a note to your SIEM’s product manager to ask them to finish their integration so you can save yourself the trouble next time when you need the event information.)

If you still can’t find your answer there, then click on the blue “Ask a question about this event” button and post your question in the Ultimate Windows Security forum.  LOGbinder is now sponsoring an Exchange, SQL and SharePoint forum there and you can expect a quick response from one of our technical engineers.

Tech Tip: How to find the status of Exchange Server 2013 audit log requests

Exchange Server’s audit function is asynchronous. That makes sense for Exchange, but it causes heartburn for security analysts who have to “wait in faith”. The good news is that you can see the status of those audit requests via a PowerShell cmdlet, but the bad news is that only Exchange 2013 supports it. In Exchange 2013, you can retrieve a list of current audit log searches with the Get-AuditLogSearch cmdlet.

For more tips on application security intelligence, be sure to watch our blog updates at www.logbinder.com/Blog and sign up for the Real Training for Free™ webinars at Ultimate Windows Security’s web site.


October 2014 LOGbinder Newsletter: Feedback Makes Customer Happy; New SIEM integrations

Thu, 30 Oct 2014 11:04:20 GMT
Remember when we said that we loved feedback and wanted to hear from you about the pain points? Here's an example of what we try to do when you send us that feedback. We got a call from a LOGbinder SQL customer with a production environment problem that didn't show up during his evaluation in a test environment. While diagnosing the problem (it turned out to be a GPO issue at the customer's location) we saw that the input window was too narrow to display the whole of a long file name, which was a major pain. Our development team made the correction to the source code and we got the new bits to the customer that same day! The customer was happy, and the developers got the satisfaction of delivering a solution that made a real difference.

So please keep that feedback coming. We sweat even the small stuff if it helps you get application security intelligence where you need it – your SIEM.

People who speak our language

LOGbinder has some great value-added resellers who speak our language. They totally get that your SIEM needs to have application security intelligence. And many of them are translating LOGbinder sales material into languages other than English.

If you or a colleague prefer German, for example, click Innovative SIEM-Integration von Microsoft-Daten to get what our VAR in Germany, iT-CUBE, has put together. It's great!

IT Guard has also translated our sales materials into Russian to get the word out in that country. They have done a great job with their web site.

If you like your English with an Australian accent, you can't do better than talk applications security intelligence with the SIEM experts at Shelde. In fact, you North American and European readers, when you can't sleep for thinking about a SIEM issue, chances are the Shelde guys down under are just starting their day and would love to help.

Our sales team is working to form partnerships with smart security consultants and resellers all over the globe. Do you have a firm you like to work with that we should know? Tell us.

Tech Tip: Why i:0#.w| in front of user names in LOGbinder SP?

The other day someone asked why LOGbinder SP puts the characters “i:0#.w|” in front of the usernames. For example, instead of “LB\capt.kirk” as the username, it would show “i:0#.w|LB\capt.kirk”.

LOGbinder does not do this; it actually comes from SharePoint. This is how SharePoint 2010 and SharePoint 2013 encode identity claims. It's SharePoint's way of representing the authentication method used in SharePoint. Here is an article on what it means: http://social.technet.microsoft.com/wiki/contents/articles/13921.sharepoint-2013-claims-encoding-also-valuable-for-sharepoint-2010.aspx
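To show what that prefix carries and what is left once it is stripped (the “remove the claim type characters” option mentioned in the SharePoint 2016 release notes above), here is an added example that is not LOGbinder code. It decodes the SharePoint 2010/2013 claims-encoded user string, reports the issuer type so an analyst can tell Windows, forms and trusted-provider logons apart, and returns the bare account name for the SIEM. The field layout follows the claims-encoding article linked above; the issuer map covers only the three issuer types named in the comments, and the sample usernames are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Issuer-type characters from SharePoint claims encoding. Only the three that
# matter for this tip are mapped; any other character is reported verbatim
# rather than guessed (assumption: partial map, not the full SharePoint table).
ISSUER_TYPES = {"w": "windows", "f": "forms", "t": "trusted-provider"}

# Layout: <i|c>:0<claim-type><value-type><issuer-type>|[<issuer-name>|]<value>
# e.g. i:0#.w|LB\capt.kirk  -> identity claim, '#' user logon name,
#      '.' string value, 'w' Windows authentication, value LB\capt.kirk
CLAIM_RE = re.compile(
    r"^(?P<kind>[ic]):0(?P<ctype>.)(?P<vtype>.)(?P<issuer>.)\|(?P<rest>.*)$"
)


@dataclass
class DecodedIdentity:
    kind: str                  # "identity" or "claim"
    issuer_type: str           # windows / forms / trusted-provider / none / raw char
    issuer_name: Optional[str] # e.g. "membership" or "adfs"; None for Windows
    value: str                 # the account name the SIEM should see
    encoded: bool              # False when the input had no claims prefix


def decode_sharepoint_identity(raw: str) -> DecodedIdentity:
    """Decode a claims-encoded SharePoint user string; pass others through."""
    m = CLAIM_RE.match(raw)
    if not m:
        # Classic-mode SharePoint or a value that was already stripped.
        return DecodedIdentity("identity", "none", None, raw, False)
    issuer_code = m.group("issuer")
    rest = m.group("rest")
    if issuer_code == "w" or "|" not in rest:
        # Windows logons carry DOMAIN\user directly after the first '|'.
        issuer_name, value = None, rest
    else:
        # Forms / trusted providers insert the provider name before the value.
        issuer_name, value = rest.split("|", 1)
    return DecodedIdentity(
        "identity" if m.group("kind") == "i" else "claim",
        ISSUER_TYPES.get(issuer_code, issuer_code),
        issuer_name, value, True)


def normalize_user(raw: str) -> str:
    """The username with the claim type characters removed."""
    return decode_sharepoint_identity(raw).value


if __name__ == "__main__":
    # Constructed sample usernames as they might appear in SharePoint audit data.
    for sample in ("i:0#.w|LB\\capt.kirk", "i:0#.f|membership|spock@lb.local",
                   "i:05.t|adfs|uhura@lb.local", "LB\\scotty"):
        d = decode_sharepoint_identity(sample)
        print(f"{sample:36} -> {d.issuer_type:16} {d.value}")
```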

New SIEM integrations are publicly available

Many SIEM product developers have recently told us about new integrations for LOGbinder solutions. We're going to be telling everybody about these developments as soon as the documentation is complete. In the meantime, here are the highlights about what's new:
  • Logpoint has fully integrated all 3 of the LOGbinder products.
  • LogRhythm has completed their second LOGbinder integration, the one for LOGbinder EX, and they are working on the LOGbinder SQL integration.
  • McAfee ESM is now fully supporting all three LOGbinder products.
  • IBM's QRadar product team approved our LEEF implementation (see note below). QRadar now has integrations for LOGbinder SP and LOGbinder EX, and the team is working on an integration for LOGbinder SQL.
  • Solarwinds has also completed their second LOGbinder integration, for LOGbinder EX, and plans to work on the LOGbinder SQL integration.
  • Our Splunk app for LOGbinder is in beta testing. Let us know if you want to kick the tires.
Note: All 3 LOGbinder products now in beta have LEEF output options. We expect to release these new versions publicly within the next 2 weeks.

Of course, LOGbinder works with any SIEM, and we have Recommended Rules and Alerts for all our products to help users when no custom integration exists for their SIEM. (Click here to get them.)

Options for SQL Server auditing

We know this is a huge topic. We sponsored an Ultimate Windows Security webinar about SQL Server auditing on October 16 that had one of the biggest registration and attendance counts of the year. Apparently, more and more people are focusing on getting SQL Server audit done right. If you missed the webinar, you can still get the information. If you or someone you know needs to get up to speed on SQL Server audit, click here to get the recorded version. The recording captures all of the good questions and answers.

Don't forget to check out our blog post comparing SQL Trace to SQL Audit. It's great info.

Did we say that the Splunk app is ready for beta testing?

The new Splunk app for LOGbinder is available if you want to try it out. We'd love to hear some feedback from more beta testers.
