Exchange Mailbox Audit Logging - SIEM Integration

Mailbox audit logs are inaccessible to SIEM via normal log-collection means because the log is not written to any type of log file or to the Windows event log. Mailbox audit logs are stored internally, inside a special folder on each mailbox.

There are several PowerShell cmdlets such as Search-MailboxAuditlog for exporting the administrator audit log however:

  • The output is in a cryptic XML format - not a simple text file format easily parsed by most SIEMs.
  • The output from the synchronous (meaning it returns results during the execution of the command) Search-MailboxAuditlog cmdlet leaves out crucial details from events.
  • The only way to get the complete admin audit event information for is with the asynchronous New-MailboxAuditLogSearch which requires that you wait for the log to appear as an email attachment sometime later in a specified mailbox.

As in the case of administrator auditing, this is where LOGbinder for Exchange™ comes in. Using Exchange’s management API, LOGbinder for Exchange collects the hidden mailbox audit logs from each mailbox, parses the log data, and formats it into easy-to-read messages delivered to your SIEM.

Next: LOGbinder for Exchange


Additional Resources