LOGbinder SP


• Application security intelligence for SharePoint delivered to your SIEM.
• Fill the audit gap in your compliance efforts.
• Catch APTs that have penetrated upstream defenses.
• Detect data grabs by malicious insiders.
• Know what’s happening inside of SharePoint including:
— Access to confidential information.
— Changes to documents and lists.
— Security policy changes.
— Privileged user activity.
• Correlate SharePoint security activity with related events from the rest of your environment.
• No agent or communication required with SharePoint server:
— No performance impact on SharePoint servers.
— Less pushback from SharePoint admins.
• Ensure consistent and centralized audit policy for all site collections in the farm.
• Fits neatly into your existing infrastructure between SharePoint and your SIEM/BDSA.
• No data silos or additional consoles to monitor.
• Solve the 5 critical issues with native SharePoint auditing:
— Makes the SharePoint audit log accessible to your SIEM.
— Translates cryptic, raw audit data into meaningful security intelligence.
— Protects your audit log from tampering by getting it to your SIEM — where it belongs.
— Prevents audit trail loss and saves database storage.
— Provides centralized audit policy management for all your site collections.

LOGbinder SP translates cryptic SharePoint audit data into easy-to-understand messages and sends them to your SIEM – where they belong. LOGbinder SP does not require an agent to be installed on your SharePoint servers, nor does it make intrusive changes to your SharePoint environment. LOGbinder simply bridges the gap by bringing application security intelligence on SharePoint to your security operations center.

• Translates cryptic SharePoint audit data into easy-to-understand events.
• Sends SharePoint audit events to your SIEM using the best method.
• Centrally manages audit policy for the entire farm.
• Safely purges internal audit log.
• Safeguards audit log integrity.

LOGbinder SP is a small, efficient Windows service that runs on any Windows server that is a member of your SharePoint farm. This can be an existing SharePoint server or a dedicated server – even a VM. It just needs to be a member of the farm so that LOGbinder can interface with the SharePoint API. Regardless of how many servers are in the farm, you usually only need to install one instance of LOGbinder SP per farm. LOGbinder SP can coexist with other LOGbinder products like LOGbinder EX for Exchange and LOGbinder SQL for SQL Server.

Once started and using the minimum necessary privileges, the LOGbinder SP service frequently searches the internal SharePoint audit log for new events and then translates them into easy-to-read events which it then forwards to your SIEM solution. If LOGbinder SP sees activity that indicates potential privileged user tampering with audit policy configuration or unauthorized log purging, it inserts additional warning events into the audit stream.

Periodically, LOGbinder SP checks for new site collections and configures them with your specified default audit policy. Every 24 hours LOGbinder purges events already sent to your SIEM from the SharePoint content database so that resources are conserved.

LOGbinder SP has special technology to compensate for SharePoint memory leaks, preserve stability, control memory and CPU footprint, reduce queries associated with name resolution, ensure audit integrity is maintained, and make troubleshooting easy.

Only one instance of LOGbinder SP is required per SharePoint farm. LOGbinder SP can run on an existing SharePoint server or you can stand up an additional server for that purpose. Customers frequently run LOGbinder SP on a virtual machine along with other LOGbinder products like LOGbinder EX for Exchange and LOGbinder SQL for SQL Server.

• Windows Server 2012, 2008 or 2003, 64 or 32 bit. Server must be a member of the SharePoint farm.
• SharePoint 2013, 2010 or 2007 (including SharePoint Services/Foundation)
• Microsoft .NET Framework 3.5 SP1 or later
• Disk space: LOGbinder itself is tiny — not even 1 MB. But with associated DLLs the total installation size is about 12 MB. Storage for logs and/or reporting databases is dependent on settings defined by the customer.
• Memory: LOGbinder averages 150 MB memory usage. In some environments memory usage can grow beyond that, but special functionality detects and recovers memory when a maximum threshold is reached.
• LOGbinder does not support custom Forms Based Authentication (FBA).