KBI 310562 New Feature: Exchange Mailbox Audit Monitoring and Archiving

Version

Argent Advanced Technology 3.1A-1307-A or above

Date

Tue, 25 Jun 2013

Summary

Argent for Compliance has the ability to monitor and archive the Exchange mailbox audit logs.

Exchange Server 2010 SP1 and later versions include a feature called ‘Mailbox Audit Logging’.

Because mailboxes can potentially contain sensitive, high business impact (HBI) information and personally identifiable information (PII), it’s important that customers can track who logs on to the mailboxes in their organization and what actions are taken. It is especially important to track access to mailboxes by users other than the mailbox owner. These users are referred to as ‘delegate users’.

Technical Background

Using mailbox audit logging, customers can log mailbox access by mailbox owners, delegates (including administrators with full mailbox access permissions), and administrators. Mailboxes are considered to be accessed by an administrator only in the following scenarios:

* In-Place eDiscovery is used to search a mailbox.

* The New-MailboxExportRequest cmdlet is used to export a mailbox.

* Microsoft Exchange Server MAPI Editor is used to access the mailbox.

Mailbox Audit Logging is not turned on for mailboxes by default, so the Exchange administrator has to enable it for those mailboxes that are considered sensitive or where access needs to be logged and audited.

When customers enable audit logging for a mailbox, they can specify which user actions (for example, accessing, moving, or deleting a message) should be logged for a logon type (administrator, delegate user, or owner).

The audit log entries also include important information such as the client IP address, host name, and process or client used to access the mailbox. For items that are moved, the entry includes the name of the destination folder.

Note: For mailboxes such as the Discovery Search Mailbox, which may contain more sensitive information, consider enabling mailbox audit logging for mailbox owner actions such as message deletion.

To see whether a mailbox has audit logging enabled, run the Get-Mailbox command.

To enable a mailbox for audit logging, use the Set-Mailbox command.

To search mailbox audit logs, use the Search-MailboxAuditLog command.

PowerShell Remoting

Argent for Compliance uses PowerShell Remoting to communicate with the Exchange Server. As a result, the Argent AT server does not need any Exchange components, including the Exchange management tools, installed. The Argent AT server can run a 32-bit or 64-bit OS.

Argent AT Log Archiving

Mailbox Audit Logs are archived into the standard master log repository, the {PREFIX}_LOG_ARCHIVE SQL table. No new SQL table is used for this feature.

License Exchange Server

In order to monitor and archive Exchange mailbox audit logs, customers must first license the Exchange Server. If the Exchange Server is in a different domain, use Other Credentials to specify the logon credential.

Always do a connectivity test to make sure the Argent AT server can PowerShell Remote into the Exchange Server.

Note:

* Exchange Server must be Exchange 2010 SP1 or later. The feature is not available in earlier Exchange versions.

* Connection URI and Schema URI are used in PowerShell Remoting. The default values are fine for current Exchange 2010 and 2013; they are exposed as settings to accommodate possible changes in future Exchange versions.
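The remoting connectivity test and the three cmdlets referred to above (Get-Mailbox, Set-Mailbox, Search-MailboxAuditLog), as an added example that is not Argent's code. The Exchange host name, mailbox alias and credential prompt are placeholders; the Schema URI shown is the standard Exchange shell URI.

```powershell
# Added example, not from the KB. Placeholders: Exchange server 'exch01.corp.example',
# audited mailbox alias 'finance.shared', an Exchange admin credential prompted at run time.
$ConnectionUri = 'http://exch01.corp.example/PowerShell/'
$SchemaUri     = 'http://schemas.microsoft.com/powershell/Microsoft.Exchange'   # default shell URI
$Cred          = Get-Credential -Message 'Exchange admin (Other Credentials if in another domain)'

# Connectivity test: open a remote Exchange shell the way a monitoring server would.
# Failure here (Kerberos, WinRM, or the PowerShell virtual directory) stops the script.
$Session = New-PSSession -ConfigurationName $SchemaUri -ConnectionUri $ConnectionUri `
                         -Authentication Kerberos -Credential $Cred -ErrorAction Stop
Import-PSSession $Session -DisableNameChecking -AllowClobber | Out-Null

$Mailbox = 'finance.shared'

# 1. Is audit logging enabled, and which actions are logged for each logon type?
Get-Mailbox -Identity $Mailbox |
    Format-List Name, AuditEnabled, AuditLogAgeLimit, AuditAdmin, AuditDelegate, AuditOwner

# 2. Enable it. Delegate and admin actions are the ones that matter most; owner
#    deletions are worth logging for sensitive mailboxes (Discovery Search Mailbox).
#    'Copy' is only valid for the Admin logon type.
Set-Mailbox -Identity $Mailbox -AuditEnabled $true -AuditLogAgeLimit '180.00:00:00' `
    -AuditDelegate Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf `
    -AuditAdmin    Update, Copy, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf `
    -AuditOwner    SoftDelete, HardDelete

# 3. Review non-owner access for the last 7 days, keeping the high-risk operations
#    and projecting the same fields an Argent Rule can filter on: who, operation,
#    result, client machine/IP, source and destination folder, subject.
$Since    = (Get-Date).AddDays(-7)
$Watched  = 'SoftDelete', 'HardDelete', 'SendAs', 'SendOnBehalf'
Search-MailboxAuditLog -Identity $Mailbox -LogonTypes Admin, Delegate `
                       -StartDate $Since -EndDate (Get-Date) -ShowDetails -ResultSize 1000 |
    Where-Object { $Watched -contains $_.Operation } |
    Select-Object LastAccessed, LogonUserDisplayName, LogonType, Operation, OperationResult,
                  ClientIPAddress, ClientMachineName, ClientProcessName,
                  FolderPathName, DestFolderPathName, ItemSubject |
    Sort-Object LastAccessed |
    Format-Table -AutoSize

Remove-PSSession $Session
```

Step 3 is the same data Argent archives into {PREFIX}_LOG_ARCHIVE; running it by hand is a quick way to confirm that audit entries are actually being generated before building Rules and Relators around them.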

Define Exchange Mailbox Audit Log Rules

The Rule is self-explanatory. Customers can filter on LogonTypes (Admin, Delegate, Owner) as well as the following information:

* User Name – the account that performed the operation.

* Operation – one of Update, Copy, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs or SendOnBehalf.

* Operation Result – ‘Succeeded’, ‘Failed’, etc.

* Workstation – the client machine name and IP address.

* Source Mailbox and Folder – the mailbox and folder the item was in.

* Destination Mailbox and Folder – the target mailbox and folder; useful for Move operations.

* Mail Subject – the subject line of the affected message.

After defining Rules, customers can use them in Relators as usual.

Exchange Mailbox Audit Log Summary Report

The built-in Exchange Audit Reports can be used to read the archived mailbox audit events. The most important setting in the report is Log Type, which must be set to ‘Exchange Mailbox Audit’. Use the ‘Refresh’ button if that log type is not yet in the list.

Customers can use the ‘Advanced Log Filter’ to list specific events. For example, setting the Category to ‘SoftDelete’ will list out the events for message deletions.

Resolution

Upgrade To Argent Advanced Technology 3.1A-1307 or later