Auditing in Exchange Part 2

Welcome to part two in our series on auditing in Exchange. If you will recall from part one of this series, there are two types of auditing available in Exchange.

Administrator audit logging records any action, based on an Exchange Management Shell cmdlet, performed by an administrator. This can help you troubleshoot configuration issues or identify the cause of security-related or compliance-related problems.
Mailbox audit logging records whenever a mailbox is accessed by someone other than the person who owns the mailbox. This can help you determine who has accessed a mailbox and what they’ve done.

Administrator audit logging can tell you what admins did. It’s useful when trying to troubleshoot issues, to confirm change control processes, or to figure out who did what to whom and when.

Mailbox audit logging is great for troubleshooting issues with individual mailboxes, or to ensure that no one is going somewhere they should not when it comes to key individuals’ mailboxes. In part two, we’re going to look at mailbox auditing.

Turning it on

Just as with admin audit logging, before you can use mailbox auditing, you have to turn it on. Mailbox audit logging can generate even more data than admin auditing, so consider disk space and whether you want to use this to try to track all activity, or just turn it on for troubleshooting, and then turn it off when you have resolved whatever issue you are working on. Since you turn it on per mailbox, you could leave it on for ‘critical’ mailboxes if necessary. That may be a good compromise on disk space used.

The mailbox audit logs are stored in the mailbox itself, in the recoverable items folder in a sub folder called Audit. This keeps the logs with the mailbox so that if you move the mailbox, the logs go with it. Since you set mailbox auditing per mailbox, you use the Set-Mailbox cmdlet to enable or disable it, and Get-Mailbox to check status.

You can check on the status of mailbox auditing using this command.

Get-Mailbox user@example.com | FL *audit*

And you can enable it in the EMS by running this command.

Set-Mailbox user@example.com -AuditEnabled $True

To disable it, run

Set-Mailbox user@example.com -AuditEnabled $False

Don’t forget to do that if you are only enabling auditing for troubleshooting purposes.

Configuring mailbox auditing

Mailbox auditing can target three different types of access; owner, delegate, and administrator. Use owner auditing to troubleshoot all owner actions. Use delegate auditing to record delegate actions, and administrator auditing to log admin actions on a mailbox. Use these switches to specify which level of auditing you want to enable

AuditOwner
AuditDelegate
Audit Admin

You can also configure what actions you wish to audit. This table, from https://technet.microsoft.com/en-us/library/ff459237(v=exchg.150).aspx, shows what can be audited and at which object.

Action	Description	Administrator	Delegate	Owner
Copy	An item is copied to another folder.	Yes	Yes	No
Create	An item is created in the mailbox. (For example, a message is sent or received.) Note that folder creation isn’t audited.	Yes*	Yes*	Yes
FolderBind	A mailbox folder is accessed.	Yes*	Yes**	No
HardDelete	An item is deleted permanently from the Recoverable Items folder.	Yes*	Yes*	Yes
MessageBind	An item is accessed in the reading pane or opened.	Yes	No	No
Move	An item is moved to another folder.	Yes*	Yes	Yes
MoveToDeletedItems	An item is moved to the Deleted Items folder.	Yes*	Yes	Yes
SendAs	A message is sent using Send As permissions.	Yes*	Yes*	n/a
SendOnBehalf	A message is sent using Send on Behalf permissions.	Yes*	Yes	n/a
SoftDelete	An item is deleted from the Deleted Items folder.	Yes*	Yes*	Yes
Update	An item’s properties are updated.	Yes*	Yes*	Yes***

* Audited by default if auditing is enabled for a mailbox.

** Entries for folder bind actions performed by delegates are consolidated. One log entry is generated for individual folder access within a time span of 24 hours.

*** Audited by default if auditing and owner auditing are enabled for a mailbox.

Here are the specific actions and results you will see in the logs.

Field	Populated with
Operation	One of the following actions: Copy Create FolderBind HardDelete MessageBind Move MoveToDeletedItems SendAs SendOnBehalf SoftDelete Update
OperationResult	One of the following results: Failed PartiallySucceeded Succeeded
LogonType	Logon type of the user who performed the operation. Logon types include: Owner Delegate Admin
DestFolderId	Destination folder GUID for move operations.
DestFolderPathName	Destination folder path for move operations.
FolderId	Folder GUID.
FolderPathName	Folder path.
ClientInfoString	Details that identify which client or Exchange component performed the operation.
ClientIPAddress	Client computer IP address.
ClientMachineName	Client computer name.
ClientProcessName	Name of the client application process.
ClientVersion	Client application version.
InternalLogonType	Logon type of the user who performed the operation. Logon types include: Owner Delegate Admin
MailboxOwnerUPN	Mailbox owner user principal name (UPN).
MailboxOwnerSid	Mailbox owner security identifier (SID).
DestMailboxOwnerUPN	Destination mailbox owner UPN, logged for cross-mailbox operations.
DestMailboxOwnerSid	Destination mailbox owner SID, logged for cross-mailbox operations.
DestMailboxOwnerGuid	Destination mailbox owner GUID.
CrossMailboxOperation	Information about whether the operation logged is a cross-mailbox operation (for example, copying or moving messages between mailboxes).
LogonUserDisplayName	Display name of user who is logged on.
DelegateUserDisplayName	Delegate user display name.
LogonUserSid	SID of user who is logged on.
SourceItems	ItemID of mailbox items on which the logged action is performed (for example, move or delete). For operations performed on a number of items, this field is returned as a collection of items.
SourceFolders	Source folder GUID.
ItemId	Item ID.
ItemSubject	Item subject.
MailboxGuid	Mailbox GUID.
MailboxResolvedOwnerName	Mailbox user resolved name in the format DOMAIN\SamAccountName.
LastAccessed	Time when the operation was performed.
Identity	Audit log entry ID.

Bypassing Auditing

You may have a legitimate reason not to audit certain accounts, especially those used by automated processes or as proxies for the mailbox owner, like besadmin. To do that, you can use the Set-MailboxAuditBypassAssociation cmdlet. Here is an example of how to disable it for a specific account.

Set-MailboxAuditBypassAssociation -Identity "besadmin" -AuditBypassEnabled $true

And here is an example of how to reenable it, in case you need to troubleshoot something.

Set-MailboxAuditBypassAssociation -Identity "besadmin" -AuditBypassEnabled $false

Searching the logs

You can search a single mailbox’s logs or across many mailboxes. To search a single mailbox log, use the Search-MailboxAuditLog cmdlet. Here is an example.

Search-MailboxAuditLog -Mailboxes jdoe,cmanes -LogonTypes Admin,Delegate -StartDate 9/1/2015 -EndDate 9/15/2015 -ResultSize unlimited

Here is a table from https://technet.microsoft.com/en-us/library/ff522360(v=exchg.150).aspx that lists all the possible search parameters.

Parameter	Required	Type	Description
*DomainController*	Optional	Microsoft.Exchange. Data.Fqdn	This parameter is available only in on-premises Exchange 2013. The DomainController parameter specifies the fully qualified domain name (FQDN) of the domain controller that retrieves data from Active Directory.
*EndDate*	Optional	Microsoft.Exchange. ExchangeSystem. ExDateTime	The EndDate parameter specifies the end date of the date range. Use the short date format defined in the Regional Options settings for the computer on which the command is run. For example, if the computer is configured to use the short date format mm/dd/yyyy, enter 03/01/2010 to specify March 1, 2010. You can enter the date only, or you can enter the date and time of day. If you enter the date and time of day, you must enclose the argument in quotation marks (“), for example, “10/05/2010 5:00 PM”.
*ExternalAccess*	Optional	System.Boolean	The ExternalAccess parameter returns only mailbox audit log entries for mailbox access by users outside of your organization. In Exchange Online, use this parameter to return audit log entries for mailbox access by Microsoft datacenter administrators.
*Identity*	Optional	Microsoft.Exchange. Configuration.Tasks. MailboxIdParameter	The Identity parameter specifies the mailbox for which to retrieve mailbox audit log entries. You can use this parameter to search a single mailbox.
*LogonTypes*	Optional	Microsoft.Exchange. Data.MultiValuedProperty	The LogonTypes parameter specifies the type of logons. Valid values include: Admin Audit log entries for mailbox access by administrator logons are returned. Delegate Audit log entries for mailbox access by delegates are returned, including access by users with Full Mailbox Access permission. External For Exchange Online mailboxes, audit log entries for mailbox access by Microsoft datacenter administrators are returned. Owner Audit log entries for mailbox access by the primary mailbox owner are returned. This value is available only in Exchange 2013 and also requires the ShowDetails switch.
*Mailboxes*	Optional	Microsoft.Exchange. Data.MultiValuedProperty	The Mailboxes parameter specifies the mailboxes for which to retrieve mailbox audit log entries. You can use this parameter to search audit logs for multiple mailboxes. You can’t use the ShowDetails switch with the Mailboxes parameter.
*Operations*	Optional	Microsoft.Exchange. Data.MultiValuedProperty	The Operations parameter filters the search results by the operations that are logged by mailbox audit logging. Valid values for this parameter are: Copy Create FolderBind HardDelete MailboxLogin This value is available only in Exchange 2013, and only when the LogonTypes parameter value Owner is also specified. MessageBind Move MoveToDeletedItems SendAs SendOnBehalf SoftDelete Update You can enter multiple values separated by commas.
*Organization*	Optional	Microsoft.Exchange. Configuration.Tasks. OrganizationIdParameter	The Organization parameter is reserved for internal Microsoft use.
*ResultSize*	Optional	System.Int32	The ResultSize parameter specifies the maximum number of mailbox audit log entries to return. Valid values include an integer from 1 through 250000. By default, 1000 entries are returned.
*ShowDetails*	Optional	System.Management. Automation. SwitchParameter	The ShowDetails switch specifies that details of each log entry be retrieved. By default, all fields for each returned log entry are displayed in a list view. You can’t use the Mailboxes parameter with the ShowDetails switch.
*StartDate*	Optional	Microsoft.Exchange. ExchangeSystem.ExDateTime	The StartDate parameter specifies the start date of the date range. Use the short date format defined in the Regional Options settings for the computer on which the command is run. For example, if the computer is configured to use the short date format mm/dd/yyyy, enter 03/01/2010 to specify March 1, 2010. You can enter the date only, or you can enter the date and time of day. If you enter the date and time of day, you must enclose the argument in quotation marks (“), for example, “10/05/2010 5:00 PM”.

Mailbox audit logging is a great way to track what is going on in mailboxes which may contain sensitive data or are owned by critical users. You can also use it to troubleshoot issues. Whether you use the EMS or EAC, mailbox audit data is available to admins.Launch the EAC.To search multiple mailbox audit logs, you can use the New-MailboxAuditLogSearch cmdlet, but you might prefer to use the EAC. Here is how to do so.

Click on Compliance management.
Click on Auditing.
In Export Mailbox Audit Logs, configure the relevant fields for your search.
Click Export.