Using Splunk and LOGbinder to Monitor SQL Server, SharePoint and Exchange Audit Events

Similar documents
Who s Attacking Your Database? Monitoring Authentication and Logon Failures in SQL Server

SIEM Integration with SharePoint: Monitoring Access to the Sensitive Unstructured Data in SharePoint

Integrating LOGbinder SP EventTracker v7.x

Not Monitoring SQL Server with Your SIEM is Close to Negligent: What are Your Options?

Taming SharePoint Audit Logs with

Integrate Microsoft Office 365. EventTracker v8.x and above

Monitoring SharePoint 2007/ 2010/ 2013 Server using EventTracker

Netwrix Auditor for Active Directory

Monitoring Active Directory: Both Azure AD and On-Premise AD and How Synchronization and Federation Play In

Office365 / G Suite Backup Manual

Get to know SysKit Monitor

Technology Partners.

Netwrix Auditor. Visibility platform for user behavior analysis and risk mitigation. Mason Takacs Systems Engineer

Netwrix Auditor for Active Directory

DefendX Software Control-Audit for Hitachi Installation Guide

INSTALLATION GUIDE Spring 2017

MB2-715.exam. Microsoft MB Microsoft Dynamics 365 customer engagement Online Deployment. Version 1.

Who am I? Identity Product Group, CXP Team. Premier Field Engineer. SANS STI Student GWAPT, GCIA, GCIH, GCWN, GMOB

LepideAuditor. Installation and Configuration Guide

Netwrix Auditor Competitive Checklist

MB Microsoft Dynamics CRM 2016 Online Deployment.

IT Security Training MS-500: Microsoft 365 Security Administration. Upcoming Dates. Course Description. Course Outline $2,

DOCAVE ONLINE. Your Cloud. Our SaaS. A Powerful Combination. Online Services. Technical Overview ADMINISTRATION BACKUP & RESTORE

Administering Microsoft SQL Server Databases

Who am I? Identity Product Group, CXP Team. Premier Field Engineer. SANS STI Student GWAPT, GCIA, GCIH, GCWN, GMOB

Managing Microsoft 365 Identity and Access

Course 20764: Administering a SQL Database Infrastructure

Important notice regarding accounts used for installation and configuration

How To Embed EventTracker Widget to an External Site

SQL Server Course Administering a SQL 2016 Database Infrastructure. Length. Prerequisites. Audience. Course Outline.

Replicator. Installing and Configuring Replicator With Least Privilege P. March 09,

Basic knowledge of the Microsoft Windows operating system and its core functionality.

Administering Microsoft SQL Server 2014 Databases

SharePoint 2016 Administrator's Survival Camp

PROMODAG REPORTS Getting started. Office 365

Acronis Backup & Recovery 11 Beta Advanced Editions

StorageCraft Cloud Backup

NTP Software File Auditor for Windows Edition

ICS Security Monitoring

20462C - Version: 1. Administering Microsoft SQL Server Databases

Tanium Asset User Guide. Version 1.3.1

Training 24x7 DBA Support Staffing. Administering a SQL Database Infrastructure (40 Hours) Exam

EnterSpace Data Sheet

Best Practices for Deployment of SQL Compliance Manager

Administering a SQL Database Infrastructure (M20764)

Secret Server Demo Outline

Microsoft Advanced Solutions of Microsoft SharePoint Server

Integrate Salesforce. EventTracker v8.x and above

NTP Software VFM Task Service for NetApp

Microsoft Administering a SQL Database Infrastructure

Netwrix Auditor for SQL Server

Vyapin Office 365 Management Suite

NTP Software VFM Task Service for Windows

LepideAuditor SIEM Integration

Ekran System v Program Overview

NetFlow Optimizer. Overview. Version (Build ) May 2017

ActivIdentity 4TRESS AAA and Splunk. Integration Handbook

Netwrix Auditor. Event Log Export Add-on Quick-Start Guide. Version: 8.0 6/3/2016

Permissions required for the AD account configured in ADManager Plus

NETWRIX CHANGE REPORTER SUITE

20764C: Administering a SQL Database Infrastructure

Microsoft Dynamics CRM 2016 Online Deployment (MB2-710)

Release Notes. Last Updated: March 2018

4 Ways Your Organization Can Be Hacked

Pro SharePoint 2010 Administration

[AVNICF-MCSASQL2012]: NICF - Microsoft Certified Solutions Associate (MCSA): SQL Server 2012

NTP Software File Auditor for Hitachi

HPE IMC Windows Migration Guide

Product Overview. Netwrix Auditor. Presenter: Jeff Melnick Manager of Sales Engineering x 971

NetWrix SharePoint Change Reporter

DB Connect Is Back. and it is better than ever. Tyler Muth Denis Vergnes. September 2017 Washington, DC

Microsoft Dynamics CRM Online Deployment (MB2-706)

DocAve Online 3. Release Notes

Installation Guide. EventTracker Enterprise. Install Guide Centre Park Drive Publication Date: Aug 03, U.S. Toll Free:

3M Molecular Detection System Software Upgrade/Installation Instructions

METADATA FRAMEWORK Release Notes

Protect Your Application with Secure Coding Practices. Barrie Dempster & Jason Foy JAM306 February 6, 2013

"Charting the Course... MOC C: Administering an SQL Database Infrastructure. Course Summary

SafeConsole On-Prem Install Guide. version DataLocker Inc. July, SafeConsole. Reference for SafeConsole OnPrem

Online Backup Manager v7 Office 365 Exchange Online Backup & Restore Guide for Windows

DocAve 6 Software Platform Service Pack 1

VMware AirWatch Database Migration Guide A sample procedure for migrating your AirWatch database

Administering a SQL Database Infrastructure

Integrate Microsoft ATP. EventTracker v8.x and above

Integration With Third Party SIEM Solutions NetIQ Secure Configuration Manager. October 2016

SP Configuring and Administering Microsoft SharePoint 2010

Instructions for running the Microsoft Assessment and Planning Toolkit (MAP)

Avanan for G Suite. Technical Overview. Copyright 2017 Avanan. All rights reserved.

User Manual. ARK for SharePoint-2007

HOW TO MAXIMIZE THE VALUE OF YOUR SPLUNK INVESTMENT. PRESENTER: Adam Stetson Presales Engineer

Saving SharePoint Admin 100 (Sponsor) Sean McDonough Idera

mb Microsoft Dynamics 365 customer engagement Online Deployment

Backup APP v7. Office 365 Exchange Online Backup & Restore Guide for Mac OS X

COURSE 20462C: ADMINISTERING MICROSOFT SQL SERVER DATABASES

NOTHING IS WHAT IT SIEMs: COVER PAGE. Simpler Way to Effective Threat Management TEMPLATE. Dan Pitman Principal Security Architect

Administering a SQL Database Infrastructure (20764)

Feature List. EventTracker v7.6. EventTracker 8815 Centre Park Drive Columbia MD Publication Date: Sep 15, 2014

Upgrade Guide. Upgrading to EventTracker v6.4 b50. Upgrade Guide Centre Park Drive Publication Date: Feb 17, 2010.

Wazza s QuickStart 8. Leopard Server - Sharepoints (Part 2)

Administering Microsoft SQL Server 2012/2014 Databases

Transcription:

Using Splunk and LOGbinder to Monitor SQL Server, SharePoint and Exchange Audit Events Sponsored by 2015 Monterey Technology Group Inc. Made possible by Thanks to 2015 Monterey Technology Group Inc. 1

Preview of Key Points Audit 101 SharePoint Exchange SQL Server Getting the events out and managing audit policy LOGbinder Making sense of the events LOGbinder App for Splunk Audit 101 Microsoft apps have audit functionality Wealth of information for Compliance Catching information theft Insider info grabs But the logs are buried inside the app Inaccessible to SIEMs And audit policy is difficult to manage 2

SharePoint Webinars Detecting Information Grabs of Confidential Documents in SharePoint Top 10 Security Events to Monitor in SharePoint SharePoint Defense-In-Depth Monitoring: What to Watch at the App, DB and OS Level and How? More info Comparing SharePoints 4 Audit Logs for Security and SIEM Integration Top 6 Security Events to Audit in SharePoint SharePoint Audit Events List More at https://www.logbinder.com/resources/ And https://www.ultimatewindowssecurity.com/sharepoint SharePoint What types of activity? Content viewed Information grabs Documents downloaded Content modified Document library and list permissions changed SharePoint groups changed Administrators access granted Document deletion Export of data Check in/check out 3

SharePoint Where are the events? Trapped inside SharePoint In the SharePoint content database Not in Simple table Log file Event log Only accessible SharePoint admin web pages SharePoint server-side API Even if you do create an audit log report SharePoint 4

How to enable? Each site collection has it s own audit policy SharePoint Exchange What can you audit? Privileged user activity Admin audit log Non-owner mailbox access Mailbox audit log Configuration Admin audit log Set-AdminAuditLogConfig -AdminAuditLogEnabled $true - AdminAuditLogCmdlets * -AdminAuditLogParameters * Mailbox audit Must turn on auditing on each mailbox individually 5

Exchange Where are the logs? System mailbox for admin audit log Inside each user s mailbox How do you access the logs? Run reports interactively from the Exchange Control Panel Request reports via PowerShell to be delivered by email There is no log file to monitor Exchange Webinars Managing Mailbox Audit Policy in Exchange 2013 Detecting Non-Owner Mailbox Access with Exchange Mailbox Auditing Understanding Exchange 2010 Audit Logging More info Comparing Exchanges 3 Audit Logs for Security and SIEM Integration Exchange Audit Events List More at https://www.logbinder.com/resources/ And https://www.ultimatewindowssecurity.com/exchange 6

SQL Server Added in SQL 2008 SQL Server Audit allows you to track administrator, application and user level activity across all types of objects and operations. You can track security operations involving logins, roles and permissions maintenance of tables, stored procedures and any other object database operations like backup and restore Transact SQL table commands like insert, delete, update and select and much more SQL Audit 7

SQL Audit SQL Server SQL Audit can send logs To a binary log file elsewhere on network Directly to local Windows Security Log Here s why that doesn t work for enterprise log management Performance Stability Security Agent SQL Audit binary logs Fast Agentless Secure Stable DB admins much happier But how do you read binary audit logs into your SIEM? 8

SQL Server Webinars Top 6 Security Events to Monitor in SQL Server Not Monitoring SQL Server with Your SIEM is Close to Negligent: What are Your Options? More info Comparison: SQL Server Audit and SQL Trace More at https://www.logbinder.com/resources And https://www.ultimatewindowssecurity.com/sqlserver Getting the Logs Out Getting these logs out of SQL Server, Exchange and SharePoint is difficult Cryptic Require enrichment Methods are weird and complex 9

Getting the Logs Out LOGbinder 5 minutes to install Configure input SQL Servers to monitor Exchange environment URLs SharePoint farms Configure output Log format Destination path or IP address Done! 10

LOGbinder Audit policy managed for you SharePoint site collections SQL Audit Policy Wizard Exchange mailbox audit policy controlled by group or OU Splunk Not a SIEM But Easy Fun Powerful Free 500 MB a day No alerting and other enterprise features Splunk Light Affordable for SMBs Splunk Enterprise Expensive; price by GB indexed per day The secret to making Splunk affordable Filtering out the noise 11

LOGbinder App for Splunk Teaches Splunk how to understand audit logs from SharePoint SQL Server Exchange Delivered by LOGbinder Includes 4 Dashboards 30+ Reports Deployment Install LOGbinder Configure output to shared folder Getting started guides: https://www.logbinder.com/resources/ Install Splunk http://www.splunk.com/en_us/download/splunk-enterprise.html Install LOGbinder App for Splunk LOGbinder for Splunk Beta Configure Splunk to consume logs in shared folder 12

LOGbinder App for Splunk Bottom line Don t be blind to what s happening inside your most important applications SQL, SharePoint and Exchange audit logs are important LOGbinder bridges the gap and brings application security intelligence to your SIEM If you can t afford a SIEM, try Splunk Free or Splunk Light If you already have and love Splunk Get the LOGbinder App for Splunk Monitor and respond to security events inside your apps Correlate application security intelligence with all the other security intelligence in your enterprise Comply and stop attacks and info grabs 13

LOGbinder 14

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback