As the dominant messaging platform, Exchange is host to an organization’s greatest secrets in motion: decisions, marketing plans, customer data… What doesn’t get emailed?

Yet, does your security operations center know when a privileged user downloads a high-level executive’s mailbox? Will you know if John is spending hours browsing the CEO’s mailbox? What if encryption keys are exported or security policies are changed in Exchange? If there’s a security breach or system outage can you trace back who changed Exchange and when?

The challenge in getting Exchange audit activity to your SIEM.

The good news is that among the many logs Exchange generates, 2 are specifically audit logs, dedicated to security tracking.

  • Administrator Audit Log

    Provides a detailed audit trail of all administrative operations in the Exchange environment.
  • Mailbox Audit Log

    Tracks (primarily non-owner) access to specified mailboxes providing an audit trail of end-users and administrators who access someone else's mailbox.

But there are several issues that prevent SIEM and Big Data Security Analytics solutions from collecting Exchange audit logs:

  1. Audit logs trapped inside Exchange

    Like many other applications, Exchange audit logs are stored in the application itself - in this case within Exchange mailbox databases along with normal mailbox data. They are not written to any file system location or to the Windows event log where SIEM solutions would be able to use normal log collection means.
  2. Asynchronous log request management

    In order to get the full detail of administrator and mailbox audit logs, you must periodically request Exchange to produce a log file and then wait an unspecified period of time for Exchange to email it to you as an attachment. You can access these logs via the web based Exchange administration center or via an asynchronous API based in PowerShell. You must request logs regularly so that latency is reduced and attached log files don’t exceed maximum attachment sizes. And you need to keep track of which requests Exchange has fulfilled and which are still pending.
  3. Cryptic messages hard-to-understand

    Both the admin and mailbox audit logs are produced in a cryptic XML format unsuitable for analysis by human eyes. Here is an example:

    <Event MailboxGuid="87fe4440-ed2a-463e-9834-a070a3f7b865" Owner="Tom Sawyer" LastAccessed="2014-03-03T13:33:49.7298345-05:00" Operation="SendOnBehalf" ItemId="RgAAAADFjf5W2w8LQa+FWUjYyCYYBwBAeQIjM6A5TohDkjHL7Cy3AAAAAAARAABAeQIjM6A5TohDkjHL7Cy3AABaEl61AAAN" ItemSubject="Canceled: Meeting" OperationResult="Succeeded" LogonType="Delegate" ClientInfoString="Client=OWA;Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/6.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729);" ClientIPAddress="::1" InternalLogonType="Owner" MailboxOwnerUPN="tsawyer@lb.local" MailboxOwnerSid="S-1-5-21-318927112-4139637817-1356824584-1143" LogonUserDisplayName="Huck Finn" LogonUserSid="S-1-5-21-318927112-4139637817-1356824584-1144" OriginatingServer="DEV1 (15.00.0516.025)" />
The Solution.

The Solution: LOGbinder for Exchange - Connecting the Exchange admin and mailbox audit logs to your SIEM

LOGbinder for Exchange automatically manages the complicated process of requesting audit logs from Exchange every few minutes, watching for them to arrive by email, downloading the attachments and parsing the XML. LOGbinder for Exchange translates cryptic admin and mailbox audit data into easy-to-understand messages and sends them to your SIEM/BDSA – where they belong. LOGbinder for Exchange does not require an agent to be installed on your Exchange servers. We simply bridge the gap by bringing application security intelligence from Exchange to your security operations center.

Here is how the same event from The Challenge page looks like after being processed by LOGbinder for Exchange:

Send message using Send on Behalf Exchange mailbox permissions
Occurred: 3/3/2014 1:33:49 PM
Operation: SendOnBehalf
Result: Succeeded
Originating server: DEV1 (15.00.0516.025)
  GUID: 87fe4440-ed2a-463e-9834-a070a3f7b865
  Owner: n/a
  Owner UPN: tsawyer@lb.local
  Owner SID: S-1-5-21-318927112-4139637817-1356824584-1143
  ID: n/a
  Folder: n/a
Performed By
  User name: Huck Finn
  User SID: S-1-5-21-318927112-4139637817-1356824584-1144
  Logon type: Owner
  Info: Client=OWA;Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64;
    Trident/6.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727;
    .NET CLR 3.0.30729);
  IP address: ::1
  Process name: n/a
  Version: n/a
  Subject: Canceled: Meeting
Additional information: Owner= [Tom Sawyer]; LastAccessed= [2014-03-03T13:33:49.7298345-05:00]; LogonType= [Delegate]>

Learn more about LOGbinder for Exchange