Security, et al

Randy's Blog on Infosec and Other Stuff


SolarWinds Makes It Easy to Detect SharePoint Breaches with Integration to LOGbinder SP

Mon, 07 Jul 2014 08:40:59 GMT

SolarWinds Log and Event Manager provides connectors for common log sources that understand how to translate raw events from a specific log source into their equivalent normalized event type.  I love event normalization like SolarWinds’ LEM because it makes it so much easier to correlate events from multiple sources and to configure more generalized alerts, filters and reports.  For instance, you can just ask for all logon failures without having to configure criteria for every example of logon failure logged by Windows, Linux, firewalls, etc.  That’s the power of normalization.
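To make the normalization idea concrete, here is an added example (not from the original post and not SolarWinds' connector code) that maps logon events from three sources onto one event type and then asks a single question across all of them. The log lines are constructed and simplified, and the type names `LogonFailure` and `Logon` are hypothetical, not LEM's own.

```python
import re
from collections import Counter

# Constructed sample events; formats are simplified for illustration only.
RAW_EVENTS = [
    ("windows", "EventID=4625 TargetUserName=jsmith IpAddress=10.0.0.5"),
    ("windows", "EventID=4624 TargetUserName=jsmith IpAddress=10.0.0.5"),
    ("linux", "sshd[812]: Failed password for jsmith from 10.0.0.9 port 51122 ssh2"),
    ("linux", "sshd[812]: Failed password for invalid user admin from 10.0.0.9 port 51130 ssh2"),
    ("firewall", "action=auth-fail user=jsmith src=10.0.0.7"),
    ("linux", "sshd[812]: Accepted password for jsmith from 10.0.0.9 port 51140 ssh2"),
]

# Hypothetical normalized type names (assumption, not LEM's taxonomy).
WIN_TYPES = {"4625": "LogonFailure", "4624": "Logon"}
SSHD_RE = re.compile(r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+)")

def parse_kv(line):
    """Split 'k=v k=v' text into a dict, ignoring tokens without '='."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)

def normalize(source, line):
    """Translate one raw event into a common schema, or None if unrecognized."""
    if source == "windows":
        kv = parse_kv(line)
        etype = WIN_TYPES.get(kv.get("EventID"))
        user, src = kv.get("TargetUserName"), kv.get("IpAddress")
    elif source == "linux":
        m = SSHD_RE.search(line)
        if not m:
            return None
        etype = "LogonFailure" if m.group(1) == "Failed" else "Logon"
        user, src = m.group(2), m.group(3)
    elif source == "firewall":
        kv = parse_kv(line)
        etype = "LogonFailure" if kv.get("action") == "auth-fail" else None
        user, src = kv.get("user"), kv.get("src")
    else:
        return None
    if etype is None:
        return None
    return {"type": etype, "user": user, "src": src, "source": source}

def logon_failures(raw_events):
    """One criterion covers every source once events are normalized."""
    events = (normalize(s, l) for s, l in raw_events)
    return [e for e in events if e and e["type"] == "LogonFailure"]

def failures_by_user(raw_events):
    return Counter(e["user"] for e in logon_failures(raw_events))
```
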

SharePoint security is getting more and more attention because of the amount of sensitive unstructured data found there.  And with SharePoint’s self-service features sensitive data just keeps growing as end-users create more and more content.  In this age of Snowden-like information grabs it’s really important to detect unusual activity in SharePoint. 

But getting SharePoint logs into any SIEM is not a simple matter.  SharePoint audit logs are trapped inside SharePoint itself; there’s no log file or event log that a SIEM can consume through normal means.  Happily, SolarWinds partnered with LOGbinder and has done an awesome job integrating with LOGbinder SP.  LOGbinder SP is easy-to-deploy middleware, purpose-built to pull raw audit events out of SharePoint, translate all the cryptic codes and ID numbers, and then export understandable audit logs which can be easily consumed by SIEMs through normal log collection means.

Not only did SolarWinds create the necessary connector to consume SharePoint audit events from LOGbinder, but as a SIEM Synergy Partner, SolarWinds also took my recommended reports and alert specs for SharePoint and implemented them in a set of Filters, Rules and Reports for Log and Event Manager.  All you have to do is point Log and Event Manager at LOGbinder SP’s event log and you’ve got real-time monitoring and historical analysis of the SharePoint security activity.

Check out the screen print below showing SharePoint permission changes in Log and Event Manager.

And below is an example report showing document deletions in a SharePoint Document Library.

Here’s a list of some of the things in SharePoint you can automatically monitor or detect with Log and Event Manager:

  • Access control changes on documents and lists

  • Administrator changes

  • Group membership changes

  • Audit policy changes

  • Audit log tampering

  • Import/Export of Data

  • Item deletions

  • Who’s been viewing sensitive documents

SolarWinds did a great job implementing our monitoring and reporting recommendations, but thanks to Log and Event Manager’s (LEM) event normalization you can also correlate SharePoint audit events with similar audit activity from other log sources.  For instance, you can search on a given user and see their activity as reported by SharePoint, Active Directory and any other log sources managed by LEM.  To learn more about LEM’s normalization and other features check out this blog or download Log and Event Manager here.  You can download a trial of LOGbinder SP from and the integration pack for LEM and LOGbinder SP here.  Try them out!
