SharePoint Auditing - Bridging the Gap with LOGbinder for SharePoint

I created LOGbinder for SharePoint to make the native SharePoint auditing capability practical for compliance, security monitoring and SIEM integration. If you are new to it, read more on SharePoint Audit Logging.

To use the native SharePoint audit log for compliance and enterprise security 5 issues needed to be addressed:

1. SharePoint's audit log does not provide the names of users or objects.  The SharePoint audit log fails to translate record IDs, meaning you have no idea what object or user to which a given event refers! See an example of an audit event from SharePoint before being processed by LOGbinder for SharePoint.
2. SharePoint's audit log is buried in SharePoint's SQL server content database. To ensure the integrity of audit trails, logs must be moved from the system where they are generated to a separate and secure archive.  However in SharePoint, the audit log isn't really a log - it's a table in the SharePoint database.  This makes it inaccessible for most log management solutions.  Without the ability to collect the SharePoint audit log into a separate, secure log archive, its value as a high integrity audit trail is compromised.
3. SharePoint's audit log has no reporting.  In Windows SharePoint Services the log is totally inaccessible, and in Office SharePoint Services it's exposed through a few rudimentary, impractical reports in Excel.
4. Windows SharePoint Services provides no interface for enabling auditing at all.  The audit log is there, but without custom programming there's no way to turn it on, much less access the logs. 
5. SharePoint's audit log built-in trimming feature can delete audit events before they are exported. Some editions of SharePoint provide automatic log trimming of old events but there is no way to ensure events have been archived first.

These issues caused me, Randy Franklin Smith, to design LOGbinder for SharePoint. LOGbinder for SharePoint translates the cryptic data in raw SharePoint audit entries and outputs the audit trail to the Windows security log where your SIEM/log management solution can take over with archival, alerting and report.

Next:

• Translating cryptic audit entries into easy-to-understand events
• Connecting SharePoint Audit to SIEM/Log Management

More information on LOGbinder for SharePoint:

Download LOGbinder for SharePoint Pricing Datasheet

System Requirements Frequently Asked Questions Events Monitored

Reports and Alerts Third Party Log Management/SIEM Solutions Compliance Guidance

 

Upcoming Webinars Unpacking a Linux Supply Chain Compromise Using the Recently Published XZ Utils Backdoor as the Example Assessing the Security of Your Active Directory: User Accounts Anatomy of a Cloud Hack: The Cloudflare/Okta Compromise – A Story of Tokens, Lateral Movement, Persistence and the Salvation of Zero Trust and Hard MFA Tokens

Additional Resources

•	Cryptic Data
•	SIEM Integration