
Mailbox auditing includes 3 levels:
Non-Owner Mailbox Access audit
The Non-Owner Mailbox Access audit is not enabled by default, so if we want to use the “audit” option, we first need to turn the audit on. Mailbox auditing suits scenarios such as a user complaining that mail is “disappearing” from his mailbox with no idea how this happened, or a suspicion that someone is trying to gain unauthorized access to a user's mailbox.

Information and help related to PowerShell
If you are a novice in the PowerShell environment, you can use the following link to get more information about the “first steps”, such as downloading the required PowerShell software components, how to use the PowerShell console, running a PowerShell script, etc.: Link Table
PowerShell Naming Conventions & general information
If you want more information about the naming conventions that we use in this article, and some general tips about how to work with PowerShell, read the article: Help and additional information - o365info.com PowerShell articles
Create remote PowerShell session
Before we can use the required PowerShell commands, we need to download and install the Office 365 cmdlets and create a remote PowerShell session to Office 365 or Exchange Online. If you need more information about how to create a remote PowerShell session, read the following articles: Part 2: Connect to Office 365 by using Remote PowerShell and Part 3: Connect to Exchange online by using Remote PowerShell
How to use a PowerShell script
Most of the PowerShell articles include a PowerShell script that simplifies the use of the PowerShell commands. If you want more information about how to use a PowerShell script, read the article: Connect to office 365 and Exchange online using a script
PowerShell commands and script language in more detail
If you are new to the PowerShell world, you can read more about PowerShell in the Office 365 environment in the article: The Power of PowerShell
1 - Enable/Disable Mailbox Audit ( Non-Owner Mailbox Access Report )
Enable Mailbox Audit (Non-Owner Mailbox Access Report) for a specific mailbox
Set-Mailbox <Identity> -AuditEnabled $True
Enable Mailbox Audit (Non-Owner Mailbox Access Report) for ALL mailboxes (Bulk mode)
$UserMailboxes = Get-Mailbox -Filter {(RecipientTypeDetails -eq 'UserMailbox')}
$UserMailboxes | ForEach {Set-Mailbox $_.Identity -AuditEnabled $True}
Disable Mailbox Audit (Non-Owner Mailbox Access Report) for a specific mailbox
Set-Mailbox <Identity> -AuditEnabled $False
Disable Mailbox Audit (Non-Owner Mailbox Access Report) for ALL mailboxes (Bulk mode)
$UserMailboxes = Get-Mailbox -Filter {(RecipientTypeDetails -eq 'UserMailbox')}
$UserMailboxes | ForEach {Set-Mailbox $_.Identity -AuditEnabled $False}
2 - Set the Type of Mailbox Audit + Non default Audit operations
Set Mailbox Audit – AuditAdmin
Set-Mailbox <Identity> -AuditAdmin <list of operations>
Set Mailbox Audit – AuditDelegate
Set-Mailbox <Identity> -AuditDelegate <list of operations>
Enable Audit + Set Mailbox Audit for AuditAdmin and AuditDelegate
Set-mailbox John -AuditEnabled $True -AuditDelegate Create,FolderBind,SendAs,SendOnBehalf,SoftDelete,HardDelete,Update,Move,MoveToDeletedItems -AuditAdmin Create,FolderBind,SendAs,SendOnBehalf,SoftDelete,HardDelete,Update,Move,MoveToDeletedItems
3 - Display information about Audit settings
Display information about Audit logging for a specific mailbox - AuditDelegate
Get-Mailbox <Identity> | Select-Object -ExpandProperty AuditDelegate
Display information about Audit logging for a specific mailbox - AuditAdmin
Get-Mailbox <Identity> | Select-Object -ExpandProperty AuditAdmin
Display information about recipient Audit folder
Get-MailboxFolderStatistics <Identity> | ? {$_.Name -eq "Audits" -and $_.FolderType -eq "Audits"} | FT Identity, ItemsInFolder, FolderSize -AutoSize
Display information about all of the mailboxes that are Audited
Get-Mailbox | Where {$_.AuditEnabled -eq $True}
View administrator Audit logging settings
Get-AdminAuditLogConfig
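The display commands above show one setting at a time. As an added example (not part of the original article or its Audit.ps1 script), the function below checks AuditEnabled, AuditAdmin and AuditDelegate together and reports what is missing for each mailbox. The function name Test-MailboxAuditCoverage, its -RequiredOperations parameter and the baseline list of operations are assumptions made for the example.

```powershell
# Added example (not from the original article): report audit-configuration gaps.
# Test-MailboxAuditCoverage and -RequiredOperations are hypothetical names.
function Test-MailboxAuditCoverage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        $Mailbox,
        # Assumption: the operations this check treats as the required baseline.
        [string[]]$RequiredOperations = @('SendAs', 'SendOnBehalf', 'SoftDelete',
                                          'HardDelete', 'MoveToDeletedItems')
    )
    process {
        $gaps = @()
        if (-not $Mailbox.AuditEnabled) { $gaps += 'AuditEnabled is False' }
        foreach ($logonType in 'AuditAdmin', 'AuditDelegate') {
            # Stringify so deserialized remote-session values compare as text.
            $configured = @($Mailbox.$logonType | ForEach-Object { "$_" })
            $missing = @($RequiredOperations | Where-Object { $configured -notcontains $_ })
            if ($missing.Count -gt 0) {
                $gaps += "$logonType is missing: $($missing -join ', ')"
            }
        }
        [pscustomobject]@{
            Identity = "$($Mailbox.Identity)"
            Covered  = ($gaps.Count -eq 0)
            Gaps     = $gaps -join '; '
        }
    }
}

# Constructed sample objects, so the function can be tried without a session.
$all = 'Create', 'FolderBind', 'SendAs', 'SendOnBehalf', 'SoftDelete',
       'HardDelete', 'Update', 'Move', 'MoveToDeletedItems'
$sample = @(
    [pscustomobject]@{ Identity = 'John';  AuditEnabled = $true
                       AuditAdmin = $all;  AuditDelegate = $all }
    [pscustomobject]@{ Identity = 'Alice'; AuditEnabled = $false
                       AuditAdmin = $all;  AuditDelegate = 'Update', 'SendAs' }
)
$sample | Test-MailboxAuditCoverage | Format-List

# Against the tenant, in the remote session:
# Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq 'UserMailbox'} |
#     Test-MailboxAuditCoverage | Where-Object { -not $_.Covered }
```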
4 - Display information about mailbox and folder permissions
Display folder permissions for a specific mailbox (entries whose access rights are not “None”)
Get-MailboxFolder <Identity> -GetChildren | Get-MailboxFolderPermission | Where-Object {-not ($_.AccessRights -like '*None*')}
5 - Search for information in the Audit Log
Display all the Audit information that was collected for a specific mailbox
Search-MailboxAuditLog <Identity> -LogonTypes Admin,Delegate -ShowDetails
Display Audit information for “Send As” activities
Search-MailboxAuditLog <Identity> -LogonTypes Admin,Delegate -ShowDetails | Where-Object {$_.Operation -eq "SendAs"} | Select-Object MailboxResolvedOwnerName,LastAccessed,Operation,OperationResult,LogonUserDisplayName,LogonType,ItemSubject,FolderPathName,InternalLogonType,SourceItemSubjectsList,SourceItemFolderPathNamesList,ClientProcessName,ClientInfoString
Display Audit information about a mailbox from specific date range
Search-MailboxAuditLog <Identity> -LogonTypes Admin,Delegate -StartDate <mm/dd/yy> -EndDate <mm/dd/yy> -ResultSize <Number>
Display Audit information about a mailbox from specific date range for “HardDelete” activities
Search-MailboxAuditLog <Identity> -LogonTypes Admin,Delegate -StartDate <mm/dd/yy> -EndDate <mm/dd/yy> -ResultSize <Number> | Where-Object {$_.Operation -eq "HardDelete"}
Display the content of the administrator audit log (show all events)
Search-AdminAuditLog
Search the contents of the administrator Audit log
Search-AdminAuditLog -Cmdlets <cmdlet 1, cmdlet 2, ...> -Parameters <Parameter 1, parameter 2, ...> -StartDate <Start date> -EndDate <End date> -UserIds <user IDs> -ObjectIds <object IDs> -IsSuccess <$True | $False>
Search the contents of the administrator Audit log - look for specific user
Search-AdminAuditLog -UserIds <Identity>
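For the “disappearing mail” scenario, the mailbox audit search results are easier to read when the delete-type operations are grouped by who performed them. The following is an added example, not part of the original article or its Audit.ps1 script. The function name Get-NonOwnerDeletionSummary is hypothetical and the sample records are constructed, using property names from the “Send As” query above.

```powershell
# Added example (not from the original article): summarize non-owner deletions.
# Get-NonOwnerDeletionSummary is a hypothetical name.
function Get-NonOwnerDeletionSummary {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    begin {
        $deleteOps  = 'SoftDelete', 'HardDelete', 'MoveToDeletedItems'
        $logonTypes = 'Admin', 'Delegate'
        $hits = @()
    }
    process {
        # Keep only delete-type operations performed by Admin or Delegate logons.
        if (($deleteOps -contains "$($Record.Operation)") -and
            ($logonTypes -contains "$($Record.LogonType)")) { $hits += $Record }
    }
    end {
        $hits | Group-Object LogonUserDisplayName, LogonType, Operation | ForEach-Object {
            $times = @($_.Group | ForEach-Object { [datetime]$_.LastAccessed } | Sort-Object)
            [pscustomobject]@{
                LogonUser = $_.Group[0].LogonUserDisplayName
                LogonType = $_.Group[0].LogonType
                Operation = $_.Group[0].Operation
                Count     = $_.Count
                First     = $times[0]
                Last      = $times[-1]
                Folders   = @($_.Group.FolderPathName | Sort-Object -Unique) -join ', '
            }
        } | Sort-Object Count -Descending
    }
}

# Constructed sample records (not real audit data).
$sample = @(
    [pscustomobject]@{ Operation = 'HardDelete'; LogonType = 'Delegate'; LogonUserDisplayName = 'Bob'
                       LastAccessed = '2015-03-02T09:14:00'; FolderPathName = '\Inbox' }
    [pscustomobject]@{ Operation = 'HardDelete'; LogonType = 'Delegate'; LogonUserDisplayName = 'Bob'
                       LastAccessed = '2015-03-02T09:16:00'; FolderPathName = '\Inbox\Invoices' }
    [pscustomobject]@{ Operation = 'SendAs'; LogonType = 'Delegate'; LogonUserDisplayName = 'Bob'
                       LastAccessed = '2015-03-02T10:00:00'; FolderPathName = '\Sent Items' }
    [pscustomobject]@{ Operation = 'SoftDelete'; LogonType = 'Admin'; LogonUserDisplayName = 'Admin01'
                       LastAccessed = '2015-03-03T08:30:00'; FolderPathName = '\Inbox' }
)
$sample | Get-NonOwnerDeletionSummary | Format-Table -AutoSize

# Against the tenant, in the remote session:
# Search-MailboxAuditLog <Identity> -LogonTypes Admin,Delegate -ShowDetails |
#     Get-NonOwnerDeletionSummary
```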
6 - Audit General Settings
Configure Outlook Web App to allow XML attachments
Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -AllowedFileTypes '.rpmsg','.xlsx','.xlsm','.xlsb','.tiff','.pptx','.pptm','.ppsx','.ppsm','.docx','.docm','.zip','.xls','.wmv','.wma','.wav','.vsd','.txt','.tif','.rtf','.pub','.ppt','.png','.pdf','.one','.mp3','.jpg','.gif','.doc','.bmp','.avi','.xml'
Set Audit retention number of days
Set-Mailbox <Identity> -AuditLogAgeLimit <Days>
Suppressing Audits for Specific Mailboxes
Set-MailboxAuditBypassAssociation <Identity> -AuditBypassEnabled $True
Mailbox Auditing: Export Audit information to XML File + Send the result to Email address
New-MailboxAuditLogSearch -Name <String> -LogonTypes Admin,Delegate -StartDate <mm/dd/yy> -EndDate <mm/dd/yy> -StatusMailRecipients <Email Address>
Administrator Auditing: Export Audit information to XML File + Send the result to Email address
New-AdminAuditLogSearch -Name <String> -StartDate <mm/dd/yy> -EndDate <mm/dd/yy> -StatusMailRecipients <Email Address>
Script Box
For your convenience, I have “wrapped” all of the PowerShell commands that were reviewed in a PowerShell script named: Audit.ps1