
Exchange mailbox audit. Part 1



In this and the next article we will look at the specifics of auditing changes on Microsoft Exchange servers. Let's start with mailbox auditing; next time we will continue with a post about auditing the actions of administrators.

Mailbox auditing is one of the most important functions of Microsoft Exchange 2013. Mailboxes can contain information of various kinds: confidential organization data, work documents and personal data. In many organizations, administrators do not enable mailbox auditing on Exchange servers. It is often necessary to conduct some kind of "investigation" of user actions, but if auditing is not enabled, there is no information to find in the event logs.
The cases I'm talking about are fairly common:
  1. A mailbox was compromised and confidential information was leaked. It is necessary to find out who had access to the mailbox and what actions took place.
  2. The organization has a mailbox whose access is delegated to several employees (for example, to the deputies while the manager is on vacation). It is necessary to understand which of them deleted important messages.
  3. The organization has a shared mailbox (for example, support@domain.ru) to which many employees have access. It is necessary to understand which of them sent unwanted messages on behalf of the shared account.
  4. The organization has a standard that requires recording access to information resources, including mailboxes.



There are three levels of Exchange mailbox auditing:
  1. AuditOwner - information about operations performed by the mailbox owner.
  2. AuditDelegate - information about operations performed in a given mailbox by other recipients / delegates; by default it includes the following types of operations: Update, SoftDelete, HardDelete, SendAs, Create.
  3. AuditAdmin - information about operations performed in a given mailbox by administrators; by default it includes the following types of operations: Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf, Create.


By default, mailbox auditing is turned off. Once it is enabled, audit log entries are generated and stored in the Recoverable Items > Audits folder of the mailbox. The audit log is preserved even when the mailbox is moved to a new database on the same or another server.
A command to check which audit levels are enabled for a single mailbox:
 Get-Mailbox Krishna.kumar | fl *audit*



Mailbox auditing is enabled using the Set-Mailbox cmdlet with the AuditEnabled parameter set to $true:

 Set-Mailbox -Identity Krishna.kumar -AuditEnabled $true



Auditing on all mailboxes in an organization can be enabled using the following small PowerShell script (ResultSize Unlimited is needed because Get-Mailbox returns at most 1000 objects by default):

 $UserMailboxes = Get-Mailbox -ResultSize Unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox')}
 $UserMailboxes | Set-Mailbox -AuditEnabled $True


Audit log entries are kept for 90 days by default; this can be changed with the Set-Mailbox cmdlet and the AuditLogAgeLimit parameter (the value below is a number of days):

 Set-Mailbox -Identity Krishna.Kumar -AuditLogAgeLimit 120



Auditing the actions of the mailbox owner can generate a large number of audit log entries, so it is turned off by default. The figure below shows the default values for all audit levels, i.e. the types of operations that are tracked.


We recommend enabling auditing only for those operations that actually need to be monitored as part of your "investigations" or for compliance with policies and regulations. Below is the PowerShell command that enables auditing of the HardDelete operation for the mailbox owner:

 Set-Mailbox -Identity "Krishna.kumar" -AuditOwner HardDelete
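The configuration steps above (enable auditing, set the retention period, choose the operations per level) combined into one script. This is an added example, not code from the original article; the operation sets and the 120-day limit are assumptions chosen for illustration.

```powershell
# Added example (not from the original article): enable mailbox auditing on every
# user mailbox, keep audit entries for 120 days and set the tracked operations
# for each audit level explicitly. The operation lists are assumed values.
$ownerOps    = @('HardDelete', 'SoftDelete')
$delegateOps = @('Update', 'SoftDelete', 'HardDelete', 'SendAs', 'SendOnBehalf', 'Create')
$adminOps    = @('Update', 'Move', 'MoveToDeletedItems', 'SoftDelete', 'HardDelete',
                 'FolderBind', 'SendAs', 'SendOnBehalf', 'Create')

# ResultSize Unlimited: Get-Mailbox returns only the first 1000 mailboxes by default
$userMailboxes = Get-Mailbox -ResultSize Unlimited `
    -Filter {RecipientTypeDetails -eq 'UserMailbox'}

foreach ($mbx in $userMailboxes) {
    Set-Mailbox -Identity $mbx.Identity `
        -AuditEnabled $true `
        -AuditLogAgeLimit 120 `
        -AuditOwner $ownerOps `
        -AuditDelegate $delegateOps `
        -AuditAdmin $adminOps
}

# Verification: list any user mailbox where auditing is still disabled,
# together with the effective settings, so the result can be reviewed
Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq 'UserMailbox'} |
    Where-Object { -not $_.AuditEnabled } |
    Select-Object Name, AuditEnabled, AuditLogAgeLimit, AuditOwner, AuditDelegate, AuditAdmin
```

Run it from the Exchange Management Shell; the verification step should return nothing once every user mailbox has auditing enabled.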



The following actions are logged in the mailbox audit log:
  1. Copying items / messages to folders
  2. Sending or receiving messages
  3. Attempts to access folders
  4. All attempts to delete messages (moving them to the Deleted Items folder or deleting them permanently)
  5. Moving messages from one folder to another or to the Deleted Items folder
  6. Sending messages on behalf of another user
  7. Modifying items and their properties


Audit log entries are generated and stored in the mailbox in the Recoverable Items > Audits folder; they are hidden from the user. After auditing is enabled, you can search one or more mailboxes at the same time. The search can be done using PowerShell or the Exchange Admin Center (EAC).

Searching the audit log using PowerShell, with some examples:

1. This command searches the mailbox of "Krishna.Kumar" for all audit entries created by Admin and Delegate logons within the given time interval:

 Search-MailboxAuditLog -Identity Krishna.Kumar -LogonTypes Admin,Delegate -StartDate 4/1/2014 -EndDate 4/30/2014 -ResultSize 4000


2. This command searches for SendAs operations performed by Admin and Delegate logons in the mailboxes of "Krishna.Kumar" and "Rajesh.Kumar" (the Identity parameter takes a single mailbox and ShowDetails cannot be combined with the Mailboxes parameter, so the mailboxes are searched one at a time):

 'Krishna.kumar','rajesh.kumar' | ForEach-Object { Search-MailboxAuditLog -Identity $_ -LogonTypes Admin,Delegate -ShowDetails -StartDate 4/1/2012 -EndDate 4/1/2014 } | Where-Object {$_.Operation -eq 'SendAs'}


3. This command searches for HardDelete operations performed by the owner in the mailbox of "Krishna.Kumar" (StartDate must be earlier than EndDate):

 Search-MailboxAuditLog -Identity Krishna.kumar -LogonTypes Owner -ShowDetails -StartDate 3/1/2012 -EndDate 4/1/2014 | Where-Object {$_.Operation -eq 'HardDelete'}
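The three searches above generalized into a reusable report: non-owner HardDelete and SendAs operations over the last 30 days for a list of mailboxes, exported to CSV with the fields an investigation needs (who, when, from which client and IP, which item). This is an added example, not code from the original article; the mailbox list, the date range and the output path are assumptions.

```powershell
# Added example (not from the original article): report HardDelete and SendAs
# operations performed by delegates or administrators in the given mailboxes.
# Mailbox names, the 30-day window and the CSV path are assumed values.
$mailboxes = @('Krishna.Kumar', 'Rajesh.Kumar')
$start     = (Get-Date).AddDays(-30)
$end       = Get-Date
$reportCsv = 'C:\Temp\non-owner-mailbox-audit.csv'

# Search-MailboxAuditLog accepts one mailbox in -Identity when -ShowDetails is used,
# so each mailbox is searched separately and the detailed entries are collected.
$events = foreach ($mbx in $mailboxes) {
    Search-MailboxAuditLog -Identity $mbx `
        -LogonTypes Admin,Delegate `
        -Operations HardDelete,SendAs `
        -StartDate $start -EndDate $end `
        -ShowDetails -ResultSize 5000
}

# Detailed evidence for the investigation, newest entry first
$events |
    Select-Object MailboxResolvedOwnerName, LastAccessed, Operation, OperationResult,
                  LogonType, LogonUserDisplayName, ClientIPAddress, ClientInfoString,
                  ItemSubject, FolderPathName |
    Sort-Object LastAccessed -Descending |
    Export-Csv -Path $reportCsv -NoTypeInformation -Encoding UTF8

# Quick summary on screen: how many operations of each kind each acting user performed
$events |
    Group-Object LogonUserDisplayName, Operation |
    Select-Object Count, Name |
    Sort-Object Count -Descending
```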


Searching the audit log using the EAC (Exchange Admin Center):

  1. Open the EAC, select Compliance Management > Auditing, then click the link "Run a non-owner mailbox access report".

  2. Select the date range and the mailbox you want to search, then click the "Search" button.


That, in essence, is all that is required for an administrator to investigate incidents or monitor user actions on Exchange servers.

You can ask any questions (and express your wishes) in the comments or on other social networks: facebook, twitter, vkontakte.

Source: https://habr.com/ru/post/231483/
