Exchange Mailbox Audit Logging - SIEM Integration

Mailbox audit logs are inaccessible to a SIEM through normal log-collection means because they are not written to any log file or to the Windows event log. Instead, they are stored internally, in a special folder within each audited mailbox.

There are several PowerShell cmdlets, such as Search-MailboxAuditLog, for exporting the administrator audit log; however:

  • The output is in a cryptic XML format, not the simple text format most SIEMs can parse easily.
  • The output of the synchronous Search-MailboxAuditLog cmdlet (synchronous meaning it returns results while the command runs) leaves out crucial details from events.
  • The only way to get the complete admin audit event information is the asynchronous New-MailboxAuditLogSearch cmdlet, which requires that you wait for the log to appear, some time later, as an email attachment in a specified mailbox.
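A defender-side workaround for the first two points, as an added example that is not LOGbinder's or Microsoft's code: it pulls per-event detail with Search-MailboxAuditLog -ShowDetails, writes flat key=value lines to a file that a SIEM agent can tail, and also queues the asynchronous New-MailboxAuditLogSearch for the complete record. The mailbox alias, output path, recipient address and the event property names it reads are assumptions.

```powershell
# Added example, not the product's code. Assumes an Exchange Management Shell
# session; mailbox alias, output path and recipient address are placeholders.
param(
    [string]$Mailbox   = 'finance.shared',           # assumed mailbox alias
    [string]$OutFile   = 'C:\Logs\MailboxAudit.log', # assumed path tailed by the SIEM agent
    [string]$Recipient = 'siem-intake@example.com',  # assumed status-mail recipient
    [int]$HoursBack    = 24
)

$start = (Get-Date).AddHours(-$HoursBack)
$end   = Get-Date

# Nothing is recorded unless auditing is enabled on the mailbox.
if (-not (Get-Mailbox $Mailbox).AuditEnabled) {
    Set-Mailbox $Mailbox -AuditEnabled $true
}

# Synchronous search: -ShowDetails yields one object per event instead of a summary.
$events = Search-MailboxAuditLog -Identity $Mailbox -LogonTypes Admin,Delegate `
    -StartDate $start -EndDate $end -ShowDetails -ResultSize 5000

foreach ($e in $events) {
    # One single-line record per event; property names below are assumed.
    $when = if ($e.LastAccessed) { $e.LastAccessed.ToUniversalTime().ToString('o') } else { '' }
    $fields = [ordered]@{
        time      = $when
        mailbox   = $e.MailboxOwnerUPN
        actor     = $e.LogonUserDisplayName
        logonType = $e.LogonType
        operation = $e.Operation
        result    = $e.OperationResult
        clientIP  = $e.ClientIPAddress
        client    = $e.ClientInfoString
        folder    = $e.FolderPathName
        subject   = $e.ItemSubject
    }
    # Quote every value and neutralise embedded quotes so a SIEM key=value parser stays aligned.
    $line = ($fields.GetEnumerator() | ForEach-Object {
        '{0}="{1}"' -f $_.Key, ("$($_.Value)" -replace '"', "'")
    }) -join ' '
    Add-Content -Path $OutFile -Value $line -Encoding UTF8
}

# Asynchronous search for the full event detail; Exchange mails the XML result later.
New-MailboxAuditLogSearch -Name "MailboxAudit $($start.ToString('yyyyMMdd'))" `
    -Mailboxes $Mailbox -LogonTypes Admin,Delegate -StartDate $start -EndDate $end `
    -ShowDetails -StatusMailRecipients $Recipient
```

Run it on a schedule (for example hourly with a matching -HoursBack) so the file keeps receiving new events; the asynchronous result still has to be collected from the recipient mailbox separately.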

As in the case of administrator auditing, this is where LOGbinder for Exchange™ comes in. Using Exchange’s management API, LOGbinder for Exchange collects the hidden mailbox audit logs from each mailbox, parses the log data, and formats it into easy-to-read messages delivered to your SIEM.
