0 Replies Latest reply on Jun 7, 2015 5:17 PM by mcolatosti

    SIEM auditing a large Sharepoint Farm


      I'm attaching a recent post I made that may help those in the community trying to log security events from a SharePoint Farm (specifically 2010).

      Mcafee SIEM/Nitro SharePoint High-Volume Auditing | Mec's Place


      The post contains all the necessary information to implement in your environment, but should be used by those with fundamental knowledge of SharePoint, SQL and McAfee SIEM.

      Somewhat surprisingly this has probably been one of the most reliable data sources in my SIEM environment!


      Grabbing Sharepoint Events:
      SharePoint audit events are stored in an audit table in the Content Database; user ID information is a cross-table lookup, so logging ends up being a query across two tables.  Since the McAfee SQL log plugin by default only accesses fields from one table, a SQL View was created to present all the necessary log information to the McAfee agent as though it came from one table.
      ***Note: technically, adding to or querying the Microsoft SharePoint database directly voids the Microsoft warranty!  It is also easy for direct queries to lock records and seriously affect SharePoint performance, so this cannot be done lightly.  That said, the view query was designed to avoid locks and does not appear to affect SharePoint performance.
      View Query definition that needs to be added to each Content database to be monitored in SharePoint:

      USE [YourSharepointContentDBName]
      GO

      /****** Object:  View [dbo].[BAL_AuditView]    Script Date: 08/16/2014 09:40:38 ******/

      -- Joins the audit table to the user table so the SIEM agent sees one flat "table".
      -- WITH (NOLOCK) keeps the poll from blocking SharePoint writers; the fixed start
      -- date drops history from before the view was deployed; the system account is excluded.
      CREATE VIEW [dbo].[BAL_AuditView]
      AS
      SELECT     TOP (100) PERCENT a.Occurred, a.SiteId, a.ItemId, a.ItemType, a.UserId, a.MachineName, a.MachineIp, a.DocLocation, a.LocationType, a.Event, a.EventName,
                            a.EventSource, a.SourceName, a.EventData, b.tp_Login, b.tp_Title, b.tp_Email, b.tp_Notes
      FROM         dbo.AuditData AS a WITH (NOLOCK) INNER JOIN
                            dbo.UserInfo AS b WITH (NOLOCK) ON a.UserId = b.tp_ID
      WHERE     (a.Occurred > '2014-06-21 05:33:22.000') AND (b.tp_Login <> 'SHAREPOINT\system')
      ORDER BY a.Occurred
      GO



      The SQL code above is a good start toward extracting SharePoint events and placing them into any auditing solution, especially McAfee SIEM.  My post above documents my ASP rules and additionally a more complex implementation that needed to bypass McAfee's SQL Collection tool, as the volume of events generated from my particular SharePoint Farm caused the McAfee Windows x32 collector to crash constantly.
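      As an added illustration (not code from the post or from McAfee), the script below shows how a stand-alone collector can poll a view like BAL_AuditView incrementally and forward each row to a SIEM as a CEF line. It uses an in-memory SQLite database as a stand-in for the SharePoint content database, with constructed AuditData and UserInfo rows; the column names mirror the view, but the Event values, the CEF field mapping, and the watermark/batching logic are assumptions of this example. The watermark is the Occurred timestamp of the last forwarded row, and a batch whose cut falls inside a group of rows sharing one timestamp is re-read whole so that nothing is skipped or duplicated.

```python
import sqlite3

# Start point taken from the page's view definition.
INITIAL_WATERMARK = "2014-06-21 05:33:22.000"

# Constructed sample data; Event codes here are arbitrary, not SharePoint's enum.
SAMPLE_USERS = [
    (1, "SHAREPOINT\\system", "System Account", ""),
    (2, "CORP\\alice", "Alice Example", "alice@example.invalid"),
    (3, "CORP\\bob", "Bob Example", "bob@example.invalid"),
]
SAMPLE_AUDIT = [
    # Occurred, UserId, MachineName, MachineIp, DocLocation, Event, EventName
    ("2014-06-21 05:40:00.000", 1, "SPAPP01", "10.0.0.5", "", 0, "System"),
    ("2014-06-21 06:00:00.000", 2, "WS-ALICE", "10.1.2.3", "Shared Documents/payroll.xlsx", 3, "View"),
    ("2014-06-21 06:00:00.000", 3, "WS-BOB", "10.1.2.4", "Shared Documents/roadmap.docx", 4, "Update"),
    ("2014-06-21 06:05:00.000", 2, "WS-ALICE", "10.1.2.3", "Shared Documents/payroll.xlsx", 6, "Delete"),
]


def build_sample_db():
    """Create the SQLite stand-in with the same join and system-account filter
    as the page's view (WITH (NOLOCK) and TOP (100) PERCENT are SQL Server-only)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE UserInfo (tp_ID INTEGER, tp_Login TEXT, tp_Title TEXT, tp_Email TEXT);
        CREATE TABLE AuditData (Occurred TEXT, UserId INTEGER, MachineName TEXT,
                                MachineIp TEXT, DocLocation TEXT, Event INTEGER, EventName TEXT);
        CREATE VIEW BAL_AuditView AS
            SELECT a.Occurred, a.UserId, a.MachineName, a.MachineIp, a.DocLocation,
                   a.Event, a.EventName, b.tp_Login, b.tp_Title, b.tp_Email
            FROM AuditData AS a INNER JOIN UserInfo AS b ON a.UserId = b.tp_ID
            WHERE b.tp_Login <> 'SHAREPOINT\\system';
    """)
    conn.executemany("INSERT INTO UserInfo VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO AuditData VALUES (?, ?, ?, ?, ?, ?, ?)", SAMPLE_AUDIT)
    return conn


_SELECT = ("SELECT Occurred, tp_Login, tp_Email, MachineIp, MachineName, DocLocation, "
           "Event, EventName FROM BAL_AuditView ")


def fetch_batch(conn, watermark, batch_size):
    """Return (rows, new_watermark) for rows strictly newer than the watermark.
    Reads batch_size + 1 rows to learn whether more data follows the batch."""
    rows = conn.execute(_SELECT + "WHERE Occurred > ? ORDER BY Occurred, tp_Login LIMIT ?",
                        (watermark, batch_size + 1)).fetchall()
    if not rows:
        return [], watermark
    if len(rows) > batch_size:
        # The cut may split a group of rows sharing one timestamp. Drop that trailing
        # group so the next poll re-reads it whole; if the whole batch is one timestamp,
        # read that timestamp group completely instead so no row is lost.
        last_ts = rows[batch_size - 1][0]
        trimmed = [r for r in rows[:batch_size] if r[0] != last_ts]
        if trimmed:
            rows = trimmed
        else:
            rows = conn.execute(_SELECT + "WHERE Occurred = ? ORDER BY Occurred, tp_Login",
                                (last_ts,)).fetchall()
    return rows, rows[-1][0]


def _cef_header(value):
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _cef_ext(value):
    return str(value).replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")


def to_cef(row):
    """Assumed CEF mapping for one view row (severity fixed at 3 for illustration)."""
    occurred, login, email, ip, host, doc, event, name = row
    ext = " ".join(f"{k}={_cef_ext(v)}" for k, v in [
        ("rt", occurred), ("suser", login), ("src", ip), ("shost", host), ("fname", doc)])
    return f"CEF:0|Microsoft|SharePoint|2010|{event}|{_cef_header(name)}|3|{ext}"


def collect(conn, watermark=INITIAL_WATERMARK, batch_size=2):
    """Drain everything newer than the watermark in batches; return (cef_lines, watermark).
    The caller persists the watermark between polls so a restart never re-sends rows."""
    lines = []
    while True:
        rows, watermark = fetch_batch(conn, watermark, batch_size)
        if not rows:
            return lines, watermark
        lines.extend(to_cef(r) for r in rows)


if __name__ == "__main__":
    out, wm = collect(build_sample_db())
    print("\n".join(out))
    print("next watermark:", wm)
```

      Against a real content database the only changes are the connection (an ODBC driver instead of sqlite3) and the source query, which would read from the deployed view with its NOLOCK hints already in place; the batch size keeps each poll short so it does not hold the audit table for long.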