Mailbox auditing monitors actions taken within a mailbox, including actions by users who have been delegated access.
Auditing is set up on a per-mailbox basis and has varying scope levels - for example, you can audit only the users who have been delegated access to the mailbox.
The following information is recorded as part of an audit log:
Client IP Address
Hostname
User Agent / Client
...
The audit logs are stored in the Recoverable Items folder of the audited user's mailbox for 90 days by default.
In order to enable auditing on a specific mailbox we can use the Set-Mailbox cmdlet:
Set-Mailbox -Identity "Joe Bloggs" -AuditEnabled $true
or, to audit delegate actions:
Set-Mailbox -Identity "Joe Bloggs" -AuditDelegate SendAs,SendOnBehalf -AuditEnabled $true
Once we have enabled auditing we will likely want to export those logs at some point:
From ECP go to: Compliance Management > Auditing. Click Export mailbox audit logs.
Finally we can search through the mailbox audit logs with the New-MailboxAuditLogSearch cmdlet:
New-MailboxAuditLogSearch "Admin and Delegate Access" -Mailboxes "Joe Bloggs" -LogonTypes Admin,Delegate -StartDate 05/20/2015 -EndDate 05/31/2015 -StatusMailRecipients [email protected]
The above command looks for any logins from Admins / Delegates to the Joe Bloggs mailbox and sends the results to [email protected]
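As an added example (not part of the original post), the function below summarises Admin and Delegate audit entries per user, operation and client, and marks client IP addresses that are not on an expected list. The function name Get-NonOwnerAccessSummary, its -ExpectedClientIP parameter and the sample entries are constructed for illustration; the property names are assumed to match what Search-MailboxAuditLog -ShowDetails returns.

```powershell
# Added example: summarise non-owner (Admin/Delegate) mailbox audit entries.
function Get-NonOwnerAccessSummary {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Entry,
        [string[]] $ExpectedClientIP = @()   # hypothetical allow-list of known client addresses
    )
    begin { $rows = @() }
    process {
        # Keep only entries made by someone other than the mailbox owner.
        if ($Entry.LogonType -in 'Admin', 'Delegate') { $rows += $Entry }
    }
    end {
        $rows | Group-Object LogonUserDisplayName, ClientIPAddress, Operation | ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                User       = $first.LogonUserDisplayName
                LogonType  = $first.LogonType
                Operation  = $first.Operation
                ClientIP   = $first.ClientIPAddress
                Client     = $first.ClientInfoString
                Count      = $_.Count
                LastSeen   = ($_.Group | Measure-Object LastAccessed -Maximum).Maximum
                Unexpected = $first.ClientIPAddress -notin $ExpectedClientIP
            }
        } | Sort-Object Unexpected, Count -Descending   # unexpected clients first
    }
}

# Constructed sample entries (documentation IP ranges, invented names).
$sample = @(
    [pscustomobject]@{ LastAccessed = [datetime]'2015-05-21 09:14'; LogonType = 'Delegate'; LogonUserDisplayName = 'Jane Doe'
                       Operation = 'SendAs'; ClientIPAddress = '192.0.2.25'; ClientInfoString = 'Client=MSExchangeRPC' }
    [pscustomobject]@{ LastAccessed = [datetime]'2015-05-22 16:40'; LogonType = 'Delegate'; LogonUserDisplayName = 'Jane Doe'
                       Operation = 'SendAs'; ClientIPAddress = '192.0.2.25'; ClientInfoString = 'Client=MSExchangeRPC' }
    [pscustomobject]@{ LastAccessed = [datetime]'2015-05-23 02:03'; LogonType = 'Admin'; LogonUserDisplayName = 'Ops Admin'
                       Operation = 'FolderBind'; ClientIPAddress = '198.51.100.7'; ClientInfoString = 'Client=OWA' }
    [pscustomobject]@{ LastAccessed = [datetime]'2015-05-23 08:30'; LogonType = 'Owner'; LogonUserDisplayName = 'Joe Bloggs'
                       Operation = 'HardDelete'; ClientIPAddress = '192.0.2.10'; ClientInfoString = 'Client=MSExchangeRPC' }
)
$sample | Get-NonOwnerAccessSummary -ExpectedClientIP '192.0.2.25' | Format-Table -AutoSize

# Against a live mailbox from the Exchange Management Shell, using the date range above:
# Search-MailboxAuditLog -Identity "Joe Bloggs" -LogonTypes Admin,Delegate -ShowDetails `
#     -StartDate 05/20/2015 -EndDate 05/31/2015 | Get-NonOwnerAccessSummary -ExpectedClientIP '192.0.2.25'
```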