Wednesday, March 2, 2011

Mailbox Auditing Explained


What is mailbox audit logging?

Mailbox audit logging is used for tracking logons to a specific mailbox as well as actions and changes that are made during the session.  It can also be used to track ‘Send As,’ ‘SendOnBehalfOf,’  creations, deletions, etc.

This logging can generate many logs which can consume a good amount of space, and is thus disabled by default.

Enabling mailbox audit logging on a mailbox

Example cmdlet to enable:

Set-Mailbox -Identity "JoshTest" -AuditEnabled $true

In order to perform mailbox audit logging, you need to be a member of a role group with the “Audit Logs” role assigned to it.  Two default role groups that have this functionality are:

  • Organization Management
  • Records Management

You can create custom role groups as well; reference the ‘RBAC Explained’ article.

Enabling auditing will automatically include administrator and delegate actions by default, while omitting actions made by the mailbox owner.

Searching mailbox audit logs

There are three ways to search mailbox audit logs: Synchronous, Asynchronous, GUI (via ECP).

Example Type: 
Synchronous.

Task Description:                            
Perform a synchronous mailbox audit log search with the goal of finding all audit log entries for JoshTest’s mailbox regarding admin/delegate actions in the time frame of 2/20/2011 – 2/25/2011, and display the results in the powershell window.

Cmdlet Example:        
    
Search-MailboxAuditLog -Identity JoshTest -LogonTypes Admin,Delegate -StartDate 2/20/2011 -EndDate 2/25/2011

Full Syntax Considerations:       


Example Type:                 
Asynchronous.

Task:                                    
Perform an asynchronous mailbox audit log search with the goal of finding all audit log entries for JoshTest's mailbox regarding delegate actions in the time frame of 2/20/2011 – 2/25/2011, and populate an XML file with the results to be delivered via e-mail upon completion.

Cmdlet Example:                            

New-MailboxAuditLogSearch "Delegate Actions on JoshTest" -Mailboxes "JoshTest" -LogonTypes Delegate -StartDate 3/1/2011 –EndDate 3/1/2011 -StatusMailRecipients Mailbox.Auditor@azaleos.com

Full Syntax Considerations:       

Example Type:                 
GUI / ECP

Task:                    
Perform a mailbox audit log search via the ECP with the goal of finding all audit log entries for a user regarding administrative actions on 3/1/2011, and populate an XML file with the results to be delivered via e-mail upon completion.

Steps:
Log in as an admin account (see prior requirements) to the ECP, or to OWA and enter the ECP via the Options section.





Navigate to ‘Roles and Auditing’ and then ‘Auditing.’



Export mailbox audit logs:



Fill out the criteria for the user to search, the scope, and who to send the report to:



In time, you will receive the output in XML format at the e-mail address specified:



Full Considerations:      

Interpreting the mailbox audit log
Example:

MailboxGuid="1a5348dc-2bdd-4606-9d22-59005ca2eb7c" 
Owner="AVictim" 
LastAccessed="2011-03-01T22:42:41.0772536-07:00" 
Operation="SendAs"
ItemId="RgAAAADH7DJI8nRmW9d7HDLIvGH+JsErT8IbDiflR6zCD/BEMJIcAAAA4j5cAABaE7PuVtsyT6zCD/BEMJIcAAAA4pUbAAAJ" 
ItemSubject="You're fired!" 
OperationResult="Succeeded" 
LogonType="Delegate" 
ClientInfoString="Client=OWA" 
ClientIPAddress="10.10.15.15" 
InternalLogonType="Owner" 
MailboxOwnerUPN="AVictim@raymond.com" 
MailboxOwnerSid="S-1-5-21-1542865472-92671928-526660263-5723"
LogonUserDisplayName="A. Badman" 
LogonUserSid="S-1-5-21-1542865472-92671928-526660263-3722"
OriginatingServer="EXCHANGE01 (14.01.0218.011)"

MailboxGuid="1a5348dc-2bdd-4606-9d22-59005ca2eb7c" 
Owner=" AVictim" 
LastAccessed="2011-03-01T22:42:41.061631-07:00"
Operation="Create" 
ItemId="RgAAAADH7DJI8nRmW9d7HDLIvGH+JsErT8IbDiflR6zCD/BEMJIcAAAA4j5cAABaE7PuVtsyT6zCD/BEMJIcAAAA4pUbAAAJ" 
ItemSubject="You're fired!" 
OperationResult="Succeeded" 
LogonType="Delegate" 
FolderId="LgAAAABN9DVF1dUmR6o4DOZQiD9+AQBaE7PuVtsyT6zCD/BEMJIcAAAA4j5cAAAB" FolderPathName="\Drafts" 
ClientInfoString="Client=OWA" 
ClientIPAddress="10.10.15.15" 
InternalLogonType="Owner" 
MailboxOwnerUPN=" AVictim@raymond.com" 
MailboxOwnerSid="S-1-5-21-1542865472-92671928-526660263-5723" 
LogonUserDisplayName="A. Badman" 
LogonUserSid="S-1-5-21-1542865472-92671928-526660263-3722" 
OriginatingServer="EXCHANGE01 (14.01.0218.011)



Judging by this output, it looks like A. Badman has logged on successfully, created the original draft, and sent an e-mail as (Send As) A. Victim via OWA at 22:42:41 on 3/1/2011.  It also looks like the e-mail wasn’t work appropriate with a subject like that!
 

MailboxGuid="1a5348dc-2bdd-4606-9d22-59005ca2eb7c" 
Owner=" AVictim"
LastAccessed="2011-03-01T23:18:51.2507346-07:00" 
Operation="HardDelete" 
OperationResult="Succeeded" 
LogonType="Delegate" 
FolderId="LgAAAABN9DVF1dUmR6o4DOZQiD9+AQBaE7PuVtsyT6zCD/BEMJIcAAAA4j5RAAAB" 
FolderPathName="\Inbox" 
ClientInfoString="Client=MSExchangeRPC" 
ClientIPAddress="10.10.15.15" 
ClientProcessName="OUTLOOK.EXE" 
ClientVersion="12.0.6550.5000" 
InternalLogonType="Owner" 
MailboxOwnerUPN="AVictim@raymond.com" 
MailboxOwnerSid="S-1-5-21-1542865472-92671928-526660263-5723" 
CrossMailboxOperation="false" 
LogonUserDisplayName="A. Badman" 
LogonUserSid="S-1-5-21-1542865472-92671928-526660263-3722" 
OriginatingServer="EXCHANGE01 (14.01.0218.011)"



It would also appear that A. Badman has been busy deleting items from the mailbox as well.  You can see from the log that this was done via Outlook 2007.



A quick-hit list of the important fields:
Field
Description
Owner
The owner of the mailbox that was accessed by a non-owner.
LastAccessed
The date and time when the mailbox was accessed.
Operation
The action that was performed by the non-owner. For more information, see the " What gets logged in the mailbox audit log?" section in Run a Non-Owner Mailbox Access Report
OperationResult
Whether the action performed by the non-owner succeeded or failed.
LogonType
The type of non-owner access. These include administrator, delegate, and external.
FolderPathName
The name of the folder that contained the message that was affected by the non-owner.
ClientInfoString
Information about the mail client used by the non-owner to access the mailbox.
ClientIPAddress
The IP address of the computer used by the non-owner to access the mailbox.
InternalLogonType
The logon type of the account used by the non-owner to access this mailbox.
MailboxOwnerUPN
The e-mail address of the mailbox owner.
LogonUserDN
The display name of the non-owner.
Subject
The subject line of the e-mail message that was affected by the non-owner.
Table originally pulled from outlook help link located here.

The full field list is here: