As the dominant messaging platform, Exchange is host to an organization’s greatest
secrets in motion: decisions, marketing plans, customer data… What doesn’t get emailed?
Yet does your security operations center know when a privileged user downloads
a senior executive's mailbox? Will you know if John is spending hours browsing
the CEO's mailbox? What if encryption keys are exported or security policies are
changed in Exchange? If there is a security breach or system outage, can you trace
back who changed Exchange, and when?
The challenge in getting Exchange audit activity to your SIEM.
The good news is that, among the many logs Exchange generates, two are audit logs
dedicated to security tracking:
-
Administrator Audit Log
Provides a detailed audit trail of all administrative operations in the Exchange
environment.
-
Mailbox Audit Log
Tracks (primarily non-owner) access to specified mailboxes, providing an audit trail
of end users and administrators who open someone else's mailbox. Note that mailbox
auditing is off by default and has to be switched on for each mailbox you care about
(Set-Mailbox -AuditEnabled $true).
But there are several issues that prevent SIEM and Big Data Security Analytics solutions
from collecting Exchange audit logs:
-
Audit logs trapped inside Exchange
Like many other applications, Exchange keeps its audit logs inside the application itself:
the administrator audit log lives in an arbitration (system) mailbox, and mailbox audit
records are written to the Audits subfolder of each audited mailbox's Recoverable Items
folder, in the same mailbox databases as normal mail. They are not written to any file
system location or to the Windows event log, where SIEM solutions would be able to use
normal log collection means.
-
Asynchronous log request management
To get the full detail of the administrator and mailbox audit logs you must
periodically ask Exchange to produce a log file and then wait an unspecified
period of time for Exchange to email it to you as an XML attachment. You can issue
these requests from the web-based Exchange admin center or from PowerShell, where the
asynchronous cmdlets are New-AdminAuditLogSearch and New-MailboxAuditLogSearch and the
report is delivered to the mailbox you name with -StatusMailRecipients. You must request
logs regularly, both to keep latency down and to keep the attached log files under the
maximum attachment size. And you need to keep track of which requests Exchange has
fulfilled and which are still pending.
-
Cryptic, hard-to-understand messages
Both the admin and mailbox audit logs arrive as XML in which every field is an attribute
on a single element, a format unsuitable for analysis by human eyes.
Here is an example of one mailbox audit event:
<Event MailboxGuid="87fe4440-ed2a-463e-9834-a070a3f7b865" Owner="Tom Sawyer" LastAccessed="2014-03-03T13:33:49.7298345-05:00" Operation="SendOnBehalf" ItemId="RgAAAADFjf5W2w8LQa+FWUjYyCYYBwBAeQIjM6A5TohDkjHL7Cy3AAAAAAARAABAeQIjM6A5TohDkjHL7Cy3AABaEl61AAAN" ItemSubject="Canceled: Meeting" OperationResult="Succeeded" LogonType="Delegate" ClientInfoString="Client=OWA;Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/6.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729);" ClientIPAddress="::1" InternalLogonType="Owner" MailboxOwnerUPN="tsawyer@lb.local" MailboxOwnerSid="S-1-5-21-318927112-4139637817-1356824584-1143" LogonUserDisplayName="Huck Finn" LogonUserSid="S-1-5-21-318927112-4139637817-1356824584-1144" OriginatingServer="DEV1 (15.00.0516.025)" />
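As an added example (this is neither LOGbinder's code nor anything shipped by Microsoft), here is what the request-and-track loop and the XML flattening described above look like when done by hand in the Exchange Management Shell. The cmdlets New-AdminAuditLogSearch, New-MailboxAuditLogSearch and Set-Mailbox are real; the ledger file path, the siem-intake status mailbox, the pickup log file and the SearchResults wrapper element around the sample event are assumptions, and the sample event itself is the one shown above, embedded here as constructed input.

```powershell
# Added example, not LOGbinder code: request the two Exchange audit logs on a
# schedule, keep a local ledger of outstanding requests, and turn the XML
# attachment Exchange mails back into one readable line per event.
# Assumptions: $Ledger path, the status mailbox, the pickup file and the
# <SearchResults> wrapper around the sample event.

$Ledger = Join-Path $env:TEMP 'exchange-audit-requests.json'   # assumed location

function Get-Ledger {
    # ForEach-Object enumerates the array on Windows PowerShell 5.1 as well as 7.
    if (Test-Path $Ledger) { @(Get-Content $Ledger -Raw | ConvertFrom-Json | ForEach-Object { $_ }) } else { @() }
}

function Add-PendingRequest {
    param([string[]]$Names, [datetime]$RequestedAt)
    $entries = Get-Ledger
    foreach ($n in $Names) {
        $entries += [pscustomobject]@{ Name = $n; Requested = $RequestedAt.ToString('o'); Fulfilled = $false }
    }
    $entries | ConvertTo-Json | Set-Content $Ledger
}

function Complete-Request {
    # Call this once the report whose subject/attachment carries $Name has been processed.
    # Returns requests still unfulfilled after an hour; those deserve an alert of their own.
    param([string]$Name)
    $entries = Get-Ledger
    foreach ($e in $entries) { if ($e.Name -eq $Name) { $e.Fulfilled = $true } }
    $entries | ConvertTo-Json | Set-Content $Ledger
    $entries | Where-Object { -not $_.Fulfilled -and ([datetime]$_.Requested) -lt (Get-Date).AddHours(-1) }
}

function Request-ExchangeAuditLogs {
    # Run from the Exchange Management Shell, e.g. every 15 minutes from a scheduled task.
    param(
        [string[]]$Mailboxes,                             # mailboxes to watch, e.g. 'ceo@lb.local'
        [string]$StatusMailbox = 'siem-intake@lb.local',  # assumed mailbox that receives the reports
        [int]$IntervalMinutes = 15                        # short windows keep latency and attachment size small
    )
    $end   = Get-Date
    $start = $end.AddMinutes(-$IntervalMinutes)
    $stamp = $end.ToString('yyyyMMdd-HHmm')
    # The -Name we choose is echoed back in the report e-mail, so it is the key
    # we later use to mark a request as fulfilled.
    $names = @("AdminAudit-$stamp", "MailboxAudit-$stamp")

    # Admin audit log: every cmdlet run in the organization during the interval.
    New-AdminAuditLogSearch -Name $names[0] -StartDate $start -EndDate $end `
        -StatusMailRecipients $StatusMailbox | Out-Null

    # Mailbox audit log: non-owner (delegate and admin) access to the watched mailboxes.
    # Auditing must already be enabled on them: Set-Mailbox -Identity <mbx> -AuditEnabled $true
    New-MailboxAuditLogSearch -Name $names[1] -Mailboxes $Mailboxes `
        -LogonTypes Admin,Delegate -StartDate $start -EndDate $end `
        -StatusMailRecipients $StatusMailbox -ShowDetails | Out-Null

    Add-PendingRequest -Names $names -RequestedAt $end
}

function ConvertFrom-MailboxAuditXml {
    # Flatten each <Event> element of a mailbox audit attachment into a SIEM-friendly
    # object. PowerShell's XML adapter exposes the attributes as properties.
    param([string]$Xml)
    foreach ($e in ([xml]$Xml).SelectNodes('//Event')) {
        [pscustomobject]@{
            Occurred     = [datetime]$e.LastAccessed
            Operation    = $e.Operation
            Result       = $e.OperationResult
            Mailbox      = $e.MailboxOwnerUPN
            PerformedBy  = $e.LogonUserDisplayName
            PerformerSid = $e.LogonUserSid
            LogonType    = $e.LogonType                   # Owner / Delegate / Admin / External
            Client       = ($e.ClientInfoString -split ';')[0]
            ClientIP     = $e.ClientIPAddress
            Subject      = $e.ItemSubject
            Server       = $e.OriginatingServer
        }
    }
}

function Format-AuditLine {
    # One key=value line per event, the shape most SIEM file collectors ingest directly.
    param($Event)
    'ts={0:o} op={1} result={2} mailbox={3} actor="{4}" actor_sid={5} logon={6} client="{7}" ip={8} subject="{9}" server="{10}"' -f `
        $Event.Occurred, $Event.Operation, $Event.Result, $Event.Mailbox, $Event.PerformedBy,
        $Event.PerformerSid, $Event.LogonType, $Event.Client, $Event.ClientIP, $Event.Subject, $Event.Server
}

# Constructed sample: the event shown above, wrapped in an assumed root element.
$SampleXml = @'
<SearchResults>
<Event MailboxGuid="87fe4440-ed2a-463e-9834-a070a3f7b865" Owner="Tom Sawyer" LastAccessed="2014-03-03T13:33:49.7298345-05:00" Operation="SendOnBehalf" ItemId="RgAAAADFjf5W2w8LQa+FWUjYyCYYBwBAeQIjM6A5TohDkjHL7Cy3AAAAAAARAABAeQIjM6A5TohDkjHL7Cy3AABaEl61AAAN" ItemSubject="Canceled: Meeting" OperationResult="Succeeded" LogonType="Delegate" ClientInfoString="Client=OWA;Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/6.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729);" ClientIPAddress="::1" InternalLogonType="Owner" MailboxOwnerUPN="tsawyer@lb.local" MailboxOwnerSid="S-1-5-21-318927112-4139637817-1356824584-1143" LogonUserDisplayName="Huck Finn" LogonUserSid="S-1-5-21-318927112-4139637817-1356824584-1144" OriginatingServer="DEV1 (15.00.0516.025)" />
</SearchResults>
'@

$events = ConvertFrom-MailboxAuditXml $SampleXml
$events | ForEach-Object { Format-AuditLine $_ } | Add-Content (Join-Path $env:TEMP 'exchange-audit.log')   # assumed SIEM pickup file
# Non-owner access is the signal the page is after; surface it on its own.
$events | Where-Object { $_.LogonType -ne 'Owner' } | ForEach-Object { Format-AuditLine $_ }
```

The parsing half runs in any PowerShell; Request-ExchangeAuditLogs needs the Exchange Management Shell. Two practical notes: the status mailbox ends up holding every audit report, so restrict who can open it and audit it like any other sensitive mailbox; and the sample event carries both LogonType="Delegate" and InternalLogonType="Owner", so decide up front which attribute your detection rules key on.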
The Solution: LOGbinder for Exchange - Connecting the Exchange
admin and mailbox audit logs to your SIEM
LOGbinder for Exchange automatically manages the complicated process of requesting audit logs
from Exchange every few minutes, watching for them to arrive by email, downloading
the attachments and parsing the XML. LOGbinder for Exchange translates cryptic admin and mailbox
audit data into easy-to-understand messages and sends them to your SIEM/BDSA – where
they belong. LOGbinder for Exchange does not require an agent to be installed on your Exchange
servers. We simply bridge the gap by bringing application security intelligence
from Exchange to your security operations center.
Here is how the same event shown above looks after being processed
by LOGbinder for Exchange:
Send message using Send on Behalf Exchange mailbox permissions
Occurred: 3/3/2014 1:33:49 PM
Operation: SendOnBehalf
Result: Succeeded
Originating server: DEV1 (15.00.0516.025)
Mailbox
GUID: 87fe4440-ed2a-463e-9834-a070a3f7b865
Owner: n/a
Owner UPN: tsawyer@lb.local
Owner SID: S-1-5-21-318927112-4139637817-1356824584-1143
Folder
ID: n/a
Folder: n/a
Performed By
User name: Huck Finn
User SID: S-1-5-21-318927112-4139637817-1356824584-1144
Logon type: Owner
Client
Info: Client=OWA;Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64;
Trident/6.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727;
.NET CLR 3.0.30729);
IP address: ::1
Process name: n/a
Version: n/a
Item
ID: RgAAAADFjf5W2w8LQa+FWUjYyCYYBwBAeQIjM6A5TohDkjHL7Cy3AAAAAAARAABAeQIjM6A5
TohDkjHL7Cy3AABaEl61AAAN
Subject: Canceled: Meeting
Additional information: Owner= [Tom Sawyer]; LastAccessed= [2014-03-03T13:33:49.7298345-05:00]; LogonType= [Delegate]