Audit Exchange mailboxes. Part 1

Original author: Krishna Kumar
  • Transfer


In this and the next article, we will consider the features of audit changes on Microsoft Exchange servers . Let's start with the audit of mailboxes, and next time we continue with the post about the audit of administrators.

Mailbox auditing is one of the most important functions of Microsoft Exchange 2013. Mailboxes can contain various kinds of information - confidential data of the organization, working documents, as well as personal data. In many organizations, administrators do not enable mailbox auditing on Exchange servers. Often it is necessary to conduct some kind of “investigation” of user actions, but if audit is not included, then information in the event logs cannot be found.

The cases I'm talking about are fairly common:
  1. The mailbox was compromised, confidential information leaked. It is necessary to find out who had access to the box, and what actions took place.
  2. The organization has a mailbox, access to it is delegated to several employees (for example, for the period of vacation of the head - to his deputies). You need to understand - which of them deleted important messages.
  3. The organization has a common mailbox (for example, support@domain.ru), many employees have access to it. You need to understand which of them sent unsolicited messages on behalf of a shared account.
  4. The organization has a standard for logging access to information resources, incl. and mailboxes.



There are three levels of auditing Exchange mailboxes:
  1. AuditOwner - Information about operations carried out by the owner of the box.
  2. AuditDelegate - Information on operations performed by third-party recipients / delegates in a separate mailbox includes the following types of operations: Update, SoftDelete, HardDelete, SendAs, Create.
  3. AuditAdmin - Information about operations performed by administrators in a separate mailbox includes the following types of operations: Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf, Create.


By default, mailbox auditing is turned off. Once enabled, event audit logs are generated and stored in the Recoverable Items> Audits folder . Audit logs are always saved, even when moving a mailbox to a new database on the same or another server.
The command to check which audit levels are enabled for a particular mailbox:
Get-Mailbox Krishna.kumar | fl *audit*



Mailbox auditing is enabled using the set-mailbox command with the AuditEnabled parameter equal to $ true:

Set-Mailbox  –Identity Krishna.kumar –AuditEnabled $true



You can enable auditing on all mailboxes in your organization using the following small PowerShell script:

$UserMailboxes = Get-Mailbox -Filter {(RecipientTypeDetails -eq ‘UserMailbox’)}
$UserMailboxes | Set-Mailbox -AuditEnabled $True


Audit logs are stored by default for 90 days, this parameter can be changed using the set-mailbox command with the AuditLogAgeLimit parameter:

Set-mailbox –identity Krishna.Kumar –AuditlogAgelimit 120



Enabling audit of actions by the owner of the box can generate a large number of entries in the audit logs, therefore it is turned off by default. The figure below shows the default values ​​for all audit levels, i.e. types of operations that are tracked.


We recommend that you include an audit of only those transactions that need to be monitored as part of your “investigations” or to comply with policies and regulations. We've included the PowerShell command below to enable auditing of the HardDelete operation for the mailbox owner:

Set-Mailbox -Identity “Krishna.kumar” -AuditOwner HardDelete



The following actions are logged in the mailbox audit logs:
  1. Copy objects / messages to folders
  2. Sending or receiving messages
  3. Folder Access Attempts
  4. All attempts to delete messages (in the Deleted Items folder or permanently)
  5. Moving messages from one folder to another or to the Deleted Items folder
  6. Sending messages as another user
  7. Changing objects and their properties


Event audit logs are generated and stored in the mailbox, in the “Recoverable Items> Audits” folder , they are hidden from the user's eyes. After you enable auditing, you can search one or more mailboxes at the same time. You can search using PowerShell or the EAC (Exchange Admin Central).

Searching the event logs using PowerShell, here are a few examples:

1. The command allows you to search for connection attempts on behalf of “Admin” and “Delegate” in all logs in the time interval in the user’s mailbox “Krishna.Kumar”

Search-MailboxAuditLog -Identity Krishna.Kumar -LogonTypes Admin,Delegate -StartDate 4/1/2014 -EndDate 4/30/2014 -ResultSize 4000


2. The command allows you to search for “SendAS” operations performed on behalf of “Admin” and “Delegate” in the user boxes “Krishna.Kumar” and “Rajesh.Kumar”

Search-MailboxAuditLog -Identity Krishna.kumar,rajesh.kumar -LogonTypes Admin,Delegate -ShowDetails -StartDate 4/1/2012 -EndDate 4/1/2014 | Where-Object {$_.Operation -eq “sendas”}


3. The command allows you to search for operations "Hard Delete" performed on behalf of the owner in the user box "Krishna.Kumar"

Search-MailboxAuditLog -Identity Krishna.kumar -LogonTypes Owner -ShowDetails -StartDate 4/1/2014 -EndDate 3/1/2012 | Where-Object {$_.Operation -eq “HardDelete”}


Search event logs using the EAC (Exchange Admin Central):

  1. Open the EAC console, select Compliance Management> Auditing, then click on the Run a non-owner mailbox access report link

  2. Select the date range and the mailbox in which you want to search and click the "Search" button


That, in fact, is all that an administrator needs to investigate incidents or monitor user activity on Exchange servers.

You can ask any questions (and express your wishes) in the comments or in other social networks: facebook , twitter , vkontakte .

Also popular now: