Welcome to part two in our series on auditing in Exchange. If you will recall from part one of this series, there are two types of auditing available in Exchange.

  • Administrator audit logging records any action, based on an Exchange Management Shell cmdlet, performed by an administrator. This can help you troubleshoot configuration issues or identify the cause of security-related or compliance-related problems.
  • Mailbox audit logging records whenever a mailbox is accessed by someone other than the person who owns the mailbox. This can help you determine who has accessed a mailbox and what they’ve done.

Administrator audit logging can tell you what admins did. It’s useful when trying to troubleshoot issues, to confirm change control processes, or to figure out who did what to whom and when.

Mailbox audit logging is great for troubleshooting issues with individual mailboxes, or to ensure that no one is going somewhere they should not when it comes to key individuals’ mailboxes. In part two, we’re going to look at mailbox auditing.

Turning it on

Just as with admin audit logging, before you can use mailbox auditing, you have to turn it on. Mailbox audit logging can generate even more data than admin auditing, so consider disk space and whether you want to use this to try to track all activity, or just turn it on for troubleshooting, and then turn it off when you have resolved whatever issue you are working on. Since you turn it on per mailbox, you could leave it on for ‘critical’ mailboxes if necessary. That may be a good compromise on disk space used.

The mailbox audit logs are stored in the mailbox itself, in the Recoverable Items folder, in a subfolder called Audit. This keeps the logs with the mailbox so that if you move the mailbox, the logs go with it. Since you set mailbox auditing per mailbox, you use the Set-Mailbox cmdlet to enable or disable it, and Get-Mailbox to check status.

You can check on the status of mailbox auditing using this command.

Get-Mailbox user@example.com | FL *audit*

And you can enable it in the EMS by running this command.

Set-Mailbox user@example.com -AuditEnabled $True

To disable it, run

Set-Mailbox user@example.com -AuditEnabled $False

Don’t forget to do that if you are only enabling auditing for troubleshooting purposes.
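As an added example (not from the original post), here is how the enable, verify and disable steps look when applied to a list of critical mailboxes from the EMS. The mailbox addresses and the 180-day limit are constructed values; AuditLogAgeLimit is a Set-Mailbox parameter not covered in the post, included because it is the setting that bounds the disk space the post warns about.

```powershell
# Added example (not from the original post). Enables mailbox auditing on a
# list of critical mailboxes, verifies the result, and shows the
# temporary-enable pattern for troubleshooting. Mailbox names and the
# 180-day limit are constructed values.

$criticalMailboxes = @("ceo@example.com", "cfo@example.com", "legal@example.com")

foreach ($mbx in $criticalMailboxes) {
    # AuditLogAgeLimit (Set-Mailbox parameter, default 90 days) controls how
    # long entries stay in Recoverable Items\Audit, which is the disk-space
    # lever when auditing is left on permanently.
    Set-Mailbox -Identity $mbx -AuditEnabled $true -AuditLogAgeLimit "180.00:00:00"
}

# Verify: one row per mailbox with the audit-related properties.
$criticalMailboxes | Get-Mailbox |
    Select-Object DisplayName, AuditEnabled, AuditLogAgeLimit |
    Format-Table -AutoSize

# Troubleshooting pattern: turn auditing on only for the life of the investigation.
$troubleshootMbx = "jdoe@example.com"
Set-Mailbox -Identity $troubleshootMbx -AuditEnabled $true
# ... reproduce the problem and search the log (see "Searching the logs"), then:
Set-Mailbox -Identity $troubleshootMbx -AuditEnabled $false

# Periodic check: which of the critical mailboxes have auditing switched off?
$criticalMailboxes | Get-Mailbox |
    Where-Object { -not $_.AuditEnabled } |
    Select-Object DisplayName, PrimarySmtpAddress
```

The last query is worth scheduling: auditing is a per-mailbox property, so a mailbox restored or recreated without it quietly stops producing entries.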

Configuring mailbox auditing

Mailbox auditing can target three different types of access: owner, delegate, and administrator. Use owner auditing to troubleshoot the owner's own actions, delegate auditing to record delegate actions, and administrator auditing to log admin actions on a mailbox. Use these Set-Mailbox parameters to specify which actions are audited at each level:

  • AuditOwner
  • AuditDelegate
  • AuditAdmin

You can also configure what actions you wish to audit. This table, from https://technet.microsoft.com/en-us/library/ff459237(v=exchg.150).aspx, shows what can be audited and for which logon type.

Action              Administrator  Delegate  Owner   Description
Copy                Yes            Yes       No      An item is copied to another folder.
Create              Yes*           Yes*      Yes     An item is created in the mailbox (for example, a message is
                                                     sent or received). Note that folder creation isn't audited.
FolderBind          Yes*           Yes**     No      A mailbox folder is accessed.
HardDelete          Yes*           Yes*      Yes     An item is deleted permanently from the Recoverable Items folder.
MessageBind         Yes            No        No      An item is accessed in the reading pane or opened.
Move                Yes*           Yes       Yes     An item is moved to another folder.
MoveToDeletedItems  Yes*           Yes       Yes     An item is moved to the Deleted Items folder.
SendAs              Yes*           Yes*      n/a     A message is sent using Send As permissions.
SendOnBehalf        Yes*           Yes       n/a     A message is sent using Send on Behalf permissions.
SoftDelete          Yes*           Yes*      Yes     An item is deleted from the Deleted Items folder.
Update              Yes*           Yes*      Yes***  An item's properties are updated.

* Audited by default if auditing is enabled for a mailbox.

** Entries for folder bind actions performed by delegates are consolidated. One log entry is generated for individual folder access within a time span of 24 hours.

*** Audited by default if auditing and owner auditing are enabled for a mailbox.
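As an added example (not from the original post), here is how to set the audited action lists per logon type for sensitive mailboxes, using only action names from the table above. The mailbox addresses are constructed values, and the choice of owner actions is an assumption: owner auditing generates the most volume, so this example limits it to the delete and update actions rather than every owner action the table allows.

```powershell
# Added example (not from the original post). Configures which actions are
# audited for admin, delegate and owner access on sensitive mailboxes, then
# reads the configuration back. Mailbox names are constructed values.

$sensitiveMailboxes = @("hr-shared@example.com", "finance@example.com")

# Everything the table allows for non-owner access.
$adminActions    = @("Copy","Create","FolderBind","HardDelete","MessageBind","Move",
                     "MoveToDeletedItems","SendAs","SendOnBehalf","SoftDelete","Update")
$delegateActions = @("Copy","Create","FolderBind","HardDelete","Move",
                     "MoveToDeletedItems","SendAs","SendOnBehalf","SoftDelete","Update")

# Assumed subset for owner access: record destruction and edits, not every
# message the owner creates or moves (that would be the bulk of the volume).
$ownerActions    = @("HardDelete","SoftDelete","Update")

foreach ($mbx in $sensitiveMailboxes) {
    Set-Mailbox -Identity $mbx -AuditEnabled $true `
        -AuditAdmin    $adminActions `
        -AuditDelegate $delegateActions `
        -AuditOwner    $ownerActions
}

# Read back what is actually in effect; compare against the arrays above
# during periodic reviews, since a later Set-Mailbox call replaces the lists.
$sensitiveMailboxes | Get-Mailbox |
    Format-List DisplayName, AuditEnabled, AuditAdmin, AuditDelegate, AuditOwner
```

Note that the three parameters replace the existing list rather than adding to it, so always pass the complete set of actions you want.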

Here are the specific fields and values you will see in the log entries.

Field                     Populated with
Operation                 One of the following actions: Copy, Create, FolderBind, HardDelete, MessageBind,
                          Move, MoveToDeletedItems, SendAs, SendOnBehalf, SoftDelete, Update.
OperationResult           One of the following results: Failed, PartiallySucceeded, Succeeded.
LogonType                 Logon type of the user who performed the operation: Owner, Delegate, or Admin.
DestFolderId              Destination folder GUID for move operations.
DestFolderPathName        Destination folder path for move operations.
FolderId                  Folder GUID.
FolderPathName            Folder path.
ClientInfoString          Details that identify which client or Exchange component performed the operation.
ClientIPAddress           Client computer IP address.
ClientMachineName         Client computer name.
ClientProcessName         Name of the client application process.
ClientVersion             Client application version.
InternalLogonType         Logon type of the user who performed the operation: Owner, Delegate, or Admin.
MailboxOwnerUPN           Mailbox owner user principal name (UPN).
MailboxOwnerSid           Mailbox owner security identifier (SID).
DestMailboxOwnerUPN       Destination mailbox owner UPN, logged for cross-mailbox operations.
DestMailboxOwnerSid       Destination mailbox owner SID, logged for cross-mailbox operations.
DestMailboxOwnerGuid      Destination mailbox owner GUID.
CrossMailboxOperation     Whether the logged operation is a cross-mailbox operation (for example, copying or
                          moving messages between mailboxes).
LogonUserDisplayName      Display name of the user who is logged on.
DelegateUserDisplayName   Delegate user display name.
LogonUserSid              SID of the user who is logged on.
SourceItems               ItemID of the mailbox items on which the logged action is performed (for example,
                          move or delete). For operations performed on a number of items, this field is
                          returned as a collection of items.
SourceFolders             Source folder GUID.
ItemId                    Item ID.
ItemSubject               Item subject.
MailboxGuid               Mailbox GUID.
MailboxResolvedOwnerName  Mailbox user resolved name in the format DOMAIN\SamAccountName.
LastAccessed              Time when the operation was performed.
Identity                  Audit log entry ID.

Bypassing Auditing

You may have a legitimate reason not to audit certain accounts, especially those used by automated processes or as proxies for the mailbox owner, like besadmin. To do that, use the Set-MailboxAuditBypassAssociation cmdlet. Here is an example of how to exclude a specific account from auditing.

Set-MailboxAuditBypassAssociation -Identity "besadmin" -AuditBypassEnabled $true

And here is an example of how to re-enable auditing for that account, in case you need to troubleshoot something.

Set-MailboxAuditBypassAssociation -Identity "besadmin" -AuditBypassEnabled $false
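A bypassed account leaves no entries in any mailbox it touches, so the bypass list is itself something to review. As an added example (not from the original post), the following lists every account with a bypass in place and removes any that are not on an approved list; the approved list is a constructed value, and Get-MailboxAuditBypassAssociation is the read side of the cmdlet shown above.

```powershell
# Added example (not from the original post). Reviews mailbox audit bypass
# associations and clears any that are not explicitly approved. The approved
# list is a constructed value; maintain it in change control.

$approvedBypass = @("besadmin")

# Everything currently bypassing auditing.
$bypassed = Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
    Where-Object { $_.AuditBypassEnabled }

$bypassed | Select-Object Name, AuditBypassEnabled | Format-Table -AutoSize

# Anything bypassed that is not approved goes back to being audited.
$bypassed |
    Where-Object { $approvedBypass -notcontains $_.Name } |
    ForEach-Object {
        Write-Warning "Unapproved audit bypass on '$($_.Name)'; re-enabling auditing"
        Set-MailboxAuditBypassAssociation -Identity $_.Identity -AuditBypassEnabled $false
    }
```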

Searching the logs

You can search a single mailbox's logs or across many mailboxes. To search synchronously and see the results in the shell, use the Search-MailboxAuditLog cmdlet, with -Identity for one mailbox or -Mailboxes for several. Here is an example.

Search-MailboxAuditLog -Mailboxes jdoe,cmanes -LogonTypes Admin,Delegate -StartDate 9/1/2015 -EndDate 9/15/2015 -ResultSize unlimited
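As an added example (not from the original post), here is a review script built on Search-MailboxAuditLog that pulls per-entry details for non-owner access, keeps the operations a reviewer usually cares about, and writes them to CSV. Mailbox names, dates and the output path are constructed values; the field names are those from the table in the previous section.

```powershell
# Added example (not from the original post). Collects admin and delegate
# activity with full entry details, filters to read/impersonation actions,
# and exports for review. Mailbox names, dates and path are constructed.

$mailboxes = @("jdoe", "cmanes")
$start     = "9/1/2015"
$end       = "9/15/2015"

$entries = foreach ($mbx in $mailboxes) {
    # -ShowDetails is needed for per-entry fields (ClientIPAddress,
    # ItemSubject, ...) and cannot be combined with -Mailboxes, so search
    # one mailbox at a time with -Identity.
    Search-MailboxAuditLog -Identity $mbx -LogonTypes Admin,Delegate `
        -StartDate $start -EndDate $end -ShowDetails -ResultSize 250000
}

# Non-owner access that reads or impersonates: folder/message opens and sends.
$reviewOps  = @("FolderBind", "MessageBind", "SendAs", "SendOnBehalf")
$ofInterest = $entries | Where-Object { $reviewOps -contains $_.Operation }

$ofInterest |
    Select-Object LastAccessed, MailboxOwnerUPN, LogonUserDisplayName, LogonType,
                  Operation, OperationResult, ClientIPAddress, ClientInfoString, ItemSubject |
    Sort-Object LastAccessed |
    Export-Csv -Path "C:\Temp\mailbox-audit-review.csv" -NoTypeInformation

# Quick summary: who performed which operation, most frequent first.
$ofInterest |
    Group-Object LogonUserDisplayName, Operation |
    Select-Object Count, Name |
    Sort-Object Count -Descending
```

Remember the double-asterisk note on FolderBind: delegate folder access is consolidated to one entry per folder per 24 hours, so counts for delegates understate how often a folder was opened.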

Here is a table from https://technet.microsoft.com/en-us/library/ff522360(v=exchg.150).aspx that lists all the possible search parameters.

DomainController
    Required: Optional. Type: Microsoft.Exchange.Data.Fqdn
    This parameter is available only in on-premises Exchange 2013. The DomainController parameter specifies the fully qualified domain name (FQDN) of the domain controller that retrieves data from Active Directory.

EndDate
    Required: Optional. Type: Microsoft.Exchange.ExchangeSystem.ExDateTime
    The EndDate parameter specifies the end date of the date range.
    Use the short date format defined in the Regional Options settings for the computer on which the command is run. For example, if the computer is configured to use the short date format mm/dd/yyyy, enter 03/01/2010 to specify March 1, 2010. You can enter the date only, or you can enter the date and time of day. If you enter the date and time of day, you must enclose the argument in quotation marks ("), for example, "10/05/2010 5:00 PM".

ExternalAccess
    Required: Optional. Type: System.Boolean
    The ExternalAccess parameter returns only mailbox audit log entries for mailbox access by users outside of your organization. In Exchange Online, use this parameter to return audit log entries for mailbox access by Microsoft datacenter administrators.

Identity
    Required: Optional. Type: Microsoft.Exchange.Configuration.Tasks.MailboxIdParameter
    The Identity parameter specifies the mailbox for which to retrieve mailbox audit log entries. You can use this parameter to search a single mailbox.

LogonTypes
    Required: Optional. Type: Microsoft.Exchange.Data.MultiValuedProperty
    The LogonTypes parameter specifies the type of logons. Valid values include:

      • Admin: audit log entries for mailbox access by administrator logons are returned.
      • Delegate: audit log entries for mailbox access by delegates are returned, including access by users with Full Mailbox Access permission.
      • External: for Exchange Online mailboxes, audit log entries for mailbox access by Microsoft datacenter administrators are returned.
      • Owner: audit log entries for mailbox access by the primary mailbox owner are returned. This value is available only in Exchange 2013 and also requires the ShowDetails switch.

Mailboxes
    Required: Optional. Type: Microsoft.Exchange.Data.MultiValuedProperty
    The Mailboxes parameter specifies the mailboxes for which to retrieve mailbox audit log entries. You can use this parameter to search audit logs for multiple mailboxes. You can't use the ShowDetails switch with the Mailboxes parameter.

Operations
    Required: Optional. Type: Microsoft.Exchange.Data.MultiValuedProperty
    The Operations parameter filters the search results by the operations that are logged by mailbox audit logging. Valid values for this parameter are:

      • Copy
      • Create
      • FolderBind
      • HardDelete
      • MailboxLogin (available only in Exchange 2013, and only when the LogonTypes parameter value Owner is also specified)
      • MessageBind
      • Move
      • MoveToDeletedItems
      • SendAs
      • SendOnBehalf
      • SoftDelete
      • Update

    You can enter multiple values separated by commas.

Organization
    Required: Optional. Type: Microsoft.Exchange.Configuration.Tasks.OrganizationIdParameter
    The Organization parameter is reserved for internal Microsoft use.

ResultSize
    Required: Optional. Type: System.Int32
    The ResultSize parameter specifies the maximum number of mailbox audit log entries to return. Valid values include an integer from 1 through 250000. By default, 1000 entries are returned.

ShowDetails
    Required: Optional. Type: System.Management.Automation.SwitchParameter
    The ShowDetails switch specifies that details of each log entry be retrieved. By default, all fields for each returned log entry are displayed in a list view.
    You can't use the Mailboxes parameter with the ShowDetails switch.

StartDate
    Required: Optional. Type: Microsoft.Exchange.ExchangeSystem.ExDateTime
    The StartDate parameter specifies the start date of the date range.
    Use the short date format defined in the Regional Options settings for the computer on which the command is run. For example, if the computer is configured to use the short date format mm/dd/yyyy, enter 03/01/2010 to specify March 1, 2010. You can enter the date only, or you can enter the date and time of day. If you enter the date and time of day, you must enclose the argument in quotation marks ("), for example, "10/05/2010 5:00 PM".

To search multiple mailbox audit logs, you can use the New-MailboxAuditLogSearch cmdlet, but you might prefer to use the EAC. Here is how to do so.

Launch the EAC, then:

  1. Click on Compliance management.
  2. Click on Auditing.
  3. In Export Mailbox Audit Logs, configure the relevant fields for your search.
  4. Click Export.
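As an added example (not from the original post), here is the EMS equivalent of that EAC export using New-MailboxAuditLogSearch, which queues the search and emails the results as an XML attachment to the recipients you name. The search name, mailbox addresses, dates and recipient address are constructed values.

```powershell
# Added example (not from the original post). Queues an asynchronous mailbox
# audit log search across several mailboxes; results are delivered by email
# rather than returned to the shell. All names and addresses are constructed.

New-MailboxAuditLogSearch -Name "Q3 executive mailbox access review" `
    -Mailboxes "ceo@example.com","cfo@example.com","legal@example.com" `
    -LogonTypes Admin,Delegate `
    -Operations FolderBind,MessageBind,SendAs,SendOnBehalf `
    -StartDate "7/1/2015" -EndDate "9/30/2015" `
    -StatusMailRecipients "security-team@example.com" `
    -ShowDetails

# Unlike Search-MailboxAuditLog, this cmdlet accepts -Mailboxes together with
# -ShowDetails, which is why it suits periodic multi-mailbox reviews. The
# queued search runs in the background; nothing is returned here to filter.
```

Because the results arrive by mail, treat the status recipient as a sensitive mailbox in its own right: the attachment contains subjects and client IP addresses for every audited access.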

Mailbox audit logging is a great way to track what is going on in mailboxes which may contain sensitive data or are owned by critical users. You can also use it to troubleshoot issues. Whether you use the EMS or EAC, mailbox audit data is available to admins.