Exchange Mailbox Audit Logging - SIEM Integration
Mailbox audit logs are inaccessible to a SIEM through normal log-collection
means because the log is not written to any log file or to the Windows event
log. Mailbox audit logs are stored internally, in a hidden folder inside each audited mailbox.
Exchange provides PowerShell cmdlets, Search-MailboxAuditLog and New-MailboxAuditLogSearch, for
exporting the mailbox audit log, however:
- The exported log is an XML document, not a simple line-oriented text format that most SIEMs
parse easily.
- The synchronous Search-MailboxAuditLog cmdlet (it returns results while the command runs)
returns only summary rows unless -ShowDetails is specified, and with -ShowDetails it works on
one mailbox at a time and is capped at 250,000 records, so it omits detail and does not scale to a full export.
- The only way to get the complete mailbox audit event information across many mailboxes is the asynchronous
New-MailboxAuditLogSearch, which requires that you wait for the log to arrive as an
email attachment some time later in a specified mailbox.
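The following PowerShell script is an added example of the cmdlet-based export path described above; it is not LOGbinder's code and not part of the original page. It checks that auditing is actually enabled on each mailbox (an unaudited mailbox returns no events, which looks identical to "no activity"), runs the synchronous search with -ShowDetails per mailbox, flattens each event to one JSON line that a SIEM forwarder can tail, and queues the asynchronous search for the wider window. The mailbox names, the output path and the status recipient are placeholders, and the script assumes an Exchange Management Shell session holding the Audit Logs role.

```powershell
# Added example (not the page's or LOGbinder's code): export mailbox audit
# events to a newline-delimited JSON file for SIEM pickup.
# Assumptions: mailbox names, $OutFile and the status recipient are
# placeholders; the session has the Exchange "Audit Logs" role.
param(
    [string[]]$Mailboxes = @('alice@example.com', 'bob@example.com'),
    [string]$OutFile = 'C:\SIEM\mailbox-audit.jsonl',
    [int]$LookbackMinutes = 60
)

$end   = Get-Date
$start = $end.AddMinutes(-$LookbackMinutes)

foreach ($mbx in $Mailboxes) {
    # Mailbox auditing is off by default on-premises. Check it first, otherwise
    # an empty result is indistinguishable from a quiet mailbox.
    $m = Get-Mailbox -Identity $mbx
    if (-not $m.AuditEnabled) {
        Write-Warning "Auditing is disabled on $mbx (enable with Set-Mailbox -Identity $mbx -AuditEnabled `$true)"
        continue
    }

    # Synchronous search. -ShowDetails returns one record per event but only
    # works with -Identity (a single mailbox); -ResultSize tops out at 250000.
    Search-MailboxAuditLog -Identity $mbx -ShowDetails -LogonTypes Admin,Delegate,Owner `
        -StartDate $start -EndDate $end -ResultSize 250000 |
    ForEach-Object {
        # Keep the fields a detection rule normally keys on and emit one
        # compact JSON object per line.
        [pscustomobject]@{
            Timestamp      = $_.LastAccessed.ToUniversalTime().ToString('o')
            Mailbox        = $_.MailboxOwnerUPN
            Operation      = $_.Operation
            Result         = $_.OperationResult
            LogonType      = $_.LogonType
            LogonUser      = $_.LogonUserDisplayName
            LogonUserSid   = $_.LogonUserSid
            ClientIP       = $_.ClientIPAddress
            ClientProcess  = $_.ClientProcessName
            ClientInfo     = $_.ClientInfoString
            Folder         = $_.FolderPathName
            DestFolder     = $_.DestFolderPathName
            ItemSubject    = $_.ItemSubject
            ExternalAccess = $_.ExternalAccess
            Server         = $_.OriginatingServer
        } | ConvertTo-Json -Compress
    } | Add-Content -Path $OutFile -Encoding UTF8
}

# Asynchronous search for the wider window. Exchange runs it in the background
# and mails the results as an XML attachment to the status recipient, so this
# is the path for many mailboxes or long date ranges.
New-MailboxAuditLogSearch -Name "Weekly mailbox audit $($end.ToString('yyyy-MM-dd'))" `
    -Mailboxes $Mailboxes -LogonTypes Admin,Delegate -ShowDetails `
    -StartDate $end.AddDays(-7) -EndDate $end `
    -StatusMailRecipients 'audit-collector@example.com'
```

Run it from a scheduled task at an interval shorter than the lookback window so consecutive runs overlap slightly; deduplicate on Timestamp, Mailbox and Operation in the SIEM rather than risk a gap. The XML attachment from the asynchronous search still has to be extracted from the recipient mailbox and parsed separately, which is the manual step the text above refers to.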
As in the case of administrator auditing, this is where LOGbinder for Exchange™ comes in. Using
Exchange’s management API, LOGbinder for Exchange collects the hidden mailbox audit
logs from each mailbox, parses the log data, and formats it into easy-to-read messages
delivered to your SIEM.