Exchange Online, Microsoft Exchange Online Dedicated
Original KB number: 4021960
Summary
In Microsoft 365, you can run mailbox audit logs to determine when a mailbox was updated unexpectedly or whether items are missing from a mailbox. You may have to do this, for example, if items are moved or if they're deleted unexpectedly or incorrectly.
For the vNext environment, please note that mailbox audit logs are not enabled by default and need to be turned on for a user before beginning a search.
How to run and check mailbox audit logs
Mailbox audit logging lets users obtain information about actions that are performed by non-owners and administrators. Mailbox audit logging is available to members of the Audit Reporting Mailbox self-service group only by using Windows Remote PowerShell.
Note
By default, only non-owner mailbox audit logging is enabled, and owner mailbox audit logging is disabled. If you have to perform owner mailbox audit logging to investigate a specific issue, you can temporarily enable the process for a two-week period.
Some organizations do not permit the use of mailbox audit logging and have therefore turned off the feature.
To investigate this issue, create and use a Windows PowerShell script by using the sample script that's provided in Step 1 in this section, and then customize a search. By default, you can investigate actions that are performed by non-owners and administrators. This script exports content in a simplified, comma-separated values (.csv) file to help you troubleshoot reports about items that are missing or that were updated unexpectedly.
Important
Customers are encouraged to use the script that's provided by Microsoft Online Services to help in certain investigations. Microsoft Online Services scripts are generic, and they should be usable in all customer environments. If errors occur when a script is run, the content of the script should be used as an example to create a customized script for a particular customer environment. Microsoft Online Services provides the script as a convenience to Microsoft 365 customers without warranty, expressed or implied.
Start Notepad, and then copy the following code into the file. The code uses the Search-MailboxAuditLog cmdlet that is part of Microsoft Exchange Server.
In the File name box, type Run-MailboxAuditLogSearcher.ps1, and then click Save.
Start Windows PowerShell, and then connect to Windows Remote PowerShell.
Locate the directory in which you saved the script, and then run the script.
.\Run-MailboxAuditLogSearcher.ps1
Note
If you run the script without parameters, you will be prompted for the following default parameters:
Mailbox
StartDate
EndDate
To search for entries from the current day, add one day to the end-date value in the prompt window. For example, if the current date is 3/14/2017, and you want to include the current day in your search, enter 3/15/2017 as the end date.
Step 2: Customize a mailbox audit log search
In Microsoft 365, mailbox audit logging entries are retained in the mailbox for 90 days. You are prompted to indicate a start date and end date for the search. You can use several optional parameters to customize the search. For a description of these parameters, see the 'More Information' section.
If items are found after the script runs, you receive a message that resembles the following:
This example message indicates that the search process has found 11 entries. By default, the FolderBind entries are filtered out, and the following operation types remain:
Copy
Create
HardDelete
MessageBind
Move
MoveToDeletedItems
SendAs
SendOnBehalf
SoftDelete
Update
Note
The FolderBind operation indicates the times at which the mailbox is accessed by a non-owner. This is the most common operation. You do not have to view the FolderBind operations when you investigate an item that is updated or deleted.
Review the output of the .csv file. The most useful columns are exported, and some of these columns are merged to make the output easier to review. For more information about the columns that are exported, see the 'More Information' section.
Owner mailbox audit logging
By default, owner audit logging is not turned on. It should be used only if you have to investigate an action by the owner of the mailbox, and only for a limited time period of approximately two weeks. This is because the audit log entries are stored in the mailbox, and they may cause the mailbox dumpster to exceed its size limit.
To enable owner audit logging, follow these steps:
Determine whether mailbox audit logging is enabled. To do this, run the following cmdlet:
Get-Mailbox <useridentity> | ft AuditEnabled
If the result is True, skip this step. If the result is False, run the following cmdlet in Windows PowerShell:
Set-Mailbox <useridentity> -AuditEnabled $true
Enable the owner audit logging. To do this, run the following cmdlet:
Rerun the Run-MailboxAuditLogSearcher.ps1, and review the data.
After the troubleshooting is complete, disable owner audit logging. To do this, run the following cmdlet:
Set-Mailbox <useridentity> -AuditOwner $null
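The owner-auditing procedure above, worked through as an added example; this is not a cmdlet sequence from the KB article. It assumes an Exchange Online Remote PowerShell session, and the operation list passed to -AuditOwner is an assumption chosen to cover the update, move and delete cases the article investigates; the function names are hypothetical.

```powershell
# Added example (not the KB article's own code): bound owner audit logging to one mailbox
# and to a short window, then turn it off again. Assumes an Exchange Online Remote PowerShell
# session. The -AuditOwner operation set is an assumption; adjust it to the case at hand.

function Enable-OwnerAudit {
    param([Parameter(Mandatory)][string]$Identity)

    # Owner entries are never written unless mailbox auditing itself is on (article step 1).
    if (-not (Get-Mailbox -Identity $Identity).AuditEnabled) {
        Set-Mailbox -Identity $Identity -AuditEnabled $true
    }

    # Log the owner operations that matter for a missing or changed item (assumed set).
    Set-Mailbox -Identity $Identity -AuditOwner Create,HardDelete,Move,MoveToDeletedItems,SoftDelete,Update

    # Owner entries land in the mailbox dumpster and count against its quota, so note the
    # review date that keeps within the roughly two-week window the article recommends.
    $reviewBy = (Get-Date).AddDays(14)
    Write-Host ("Owner auditing enabled on {0}; review and disable by {1:d}" -f $Identity, $reviewBy)

    # Show the effective settings before rerunning the search script.
    Get-Mailbox -Identity $Identity | Format-List AuditEnabled, AuditOwner, AuditLogAgeLimit
}

function Disable-OwnerAudit {
    param([Parameter(Mandatory)][string]$Identity)

    # Clearing the list stops owner actions from being logged; non-owner auditing is untouched.
    Set-Mailbox -Identity $Identity -AuditOwner $null
    Get-Mailbox -Identity $Identity | Format-List AuditEnabled, AuditOwner
}

# Usage with a placeholder identity (replace with the mailbox alias or UPN):
# Enable-OwnerAudit  -Identity "<useridentity>"
# ... run Run-MailboxAuditLogSearcher.ps1 and review the data ...
# Disable-OwnerAudit -Identity "<useridentity>"
```

Keeping enable and disable as a pair makes it harder to leave owner auditing switched on after the investigation ends, which is the failure mode the article warns about.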
More Information
Optional script parameters
The following list describes optional parameters that generate different results when they are used together with the Run-MailboxAuditLogSearcher script:
IncludeFolderBind: When you use this switch, the FolderBind operation is not filtered from the output. You can use FolderBind information to investigate mailbox access issues.
For example, the following cmdlet searches the "Test User 1" mailbox and includes all operations:
.\Run-MailboxAuditLogSearcher.ps1 -IncludeFolderBind -Mailbox "<Test User 1>" -StartDate "<04/10/17>" -EndDate "<04/27/17>"
Subject: When you use this switch, you can specify the subject of an item in order to limit the search for operations that are performed on that item.
For example, the following cmdlet filters out all output except items that have the subject set as 'Good News':
ReturnObject: When you use this switch, the result is displayed on the screen, but it is not exported to a .csv file.
For example, the following cmdlet displays the output on the screen:
.\Run-MailboxAuditLogSearcher.ps1 -ReturnObject -Mailbox "<Test User 1>" -StartDate "<04/10/17>" -EndDate "<04/27/17>"
Exported columns from the .csv file
The most useful columns of the .csv file are exported. Some of these columns are merged to make the output easier to review. The following table lists the columns that are exported.
Column: Description

Subject: Subject of the item
Operation: Action that is performed on the item
LogonUserDisplayName: Display name of the user who is logged on
LastAccessed: Time at which the operation was performed
DestFolderPathName: Destination folder for the move operation
FolderPathName: Path of the folder
ClientInfoString: Details about the client that performs the operation
ClientIPAddress: IP address of the client computer
ClientMachineName: Name of the client computer
ClientProcessName: Name of the client application process
ClientVersion: Version of the client application
LogonType: Logon type of the user who performs the operation. Note: Logon types include the following: Delegate (for non-owner), Administrator, Mailbox owner (not logged by default)
MailboxResolvedOwnerName: Resolved name of the mailbox user. Note: The resolved name is in the format Domain\SamAccountName
OperationResult: Status of the operation. Note: Operation results include the following: Failed, PartiallySucceeded, Succeeded
CrossMailboxOperation: Information about whether the logged operation is a cross-mailbox operation (for example, copying or moving messages among mailboxes)
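An added example of the kind of script that Step 1, the optional parameters and the exported-columns list describe; it is not the Run-MailboxAuditLogSearcher.ps1 script from the KB article. It assumes an Exchange Online Remote PowerShell session and the Search-MailboxAuditLog cmdlet with -ShowDetails; the merging of ItemSubject with the subjects in SourceItems to build the Subject column is an assumption about how the original merges columns, and the parameter names mirror the ones the article documents.

```powershell
# Added example (not the KB's Run-MailboxAuditLogSearcher.ps1): a minimal searcher with the
# behaviour the article describes. Assumes an Exchange Online Remote PowerShell session.
# The ItemSubject/SourceItems merge and the output file naming are assumptions.
[CmdletBinding()]
param(
    [string]$Mailbox,
    [datetime]$StartDate,
    [datetime]$EndDate,
    [switch]$IncludeFolderBind,   # keep FolderBind (non-owner folder access) entries
    [string]$Subject,             # only entries whose item subject contains this text
    [switch]$ReturnObject,        # show on screen instead of writing a .csv
    [string]$OutFile = ".\MailboxAuditLog_{0}_{1}.csv"
)

# Prompt for the three default parameters when they are not supplied, as the article's script does.
if (-not $Mailbox)   { $Mailbox   = Read-Host "Mailbox" }
if (-not $StartDate) { $StartDate = [datetime](Read-Host "StartDate (for example 3/14/2017)") }
if (-not $EndDate)   { $EndDate   = [datetime](Read-Host "EndDate (add one day to include today)") }

# -ShowDetails returns one MailboxAuditLogEvent per operation rather than a summary.
# Admin and Delegate are the non-owner logon types; Owner entries exist only while owner auditing is on.
# Entries are kept in the mailbox for 90 days, so an older StartDate returns nothing extra.
$events = Search-MailboxAuditLog -Identity $Mailbox -LogonTypes Admin,Delegate,Owner `
            -StartDate $StartDate -EndDate $EndDate -ShowDetails -ResultSize 250000

# FolderBind is the most common operation and rarely useful when tracking a changed or deleted item.
if (-not $IncludeFolderBind) {
    $events = $events | Where-Object { $_.Operation -ne 'FolderBind' }
}

# Build one row per event with the columns the article exports. The Subject column merges the
# item subject with the subjects of any SourceItems (multi-item moves and deletes list them there).
$rows = foreach ($e in $events) {
    $subjects = @($e.ItemSubject) + @($e.SourceItems | ForEach-Object { $_.SourceItemSubject })
    $subjects = ($subjects | Where-Object { $_ }) -join '; '
    if ($Subject -and $subjects -notlike "*$Subject*") { continue }
    [pscustomobject]@{
        Subject                  = $subjects
        Operation                = $e.Operation
        LogonUserDisplayName     = $e.LogonUserDisplayName
        LastAccessed             = $e.LastAccessed
        DestFolderPathName       = $e.DestFolderPathName
        FolderPathName           = $e.FolderPathName
        ClientInfoString         = $e.ClientInfoString
        ClientIPAddress          = $e.ClientIPAddress
        ClientMachineName        = $e.ClientMachineName
        ClientProcessName        = $e.ClientProcessName
        ClientVersion            = $e.ClientVersion
        LogonType                = $e.LogonType
        MailboxResolvedOwnerName = $e.MailboxResolvedOwnerName
        OperationResult          = $e.OperationResult
        CrossMailboxOperation    = $e.CrossMailboxOperation
    }
}

if ($ReturnObject) {
    $rows
} else {
    $path = $OutFile -f ($Mailbox -replace '[^\w\.-]', '_'), (Get-Date -Format 'yyyyMMdd-HHmm')
    $rows | Export-Csv -Path $path -NoTypeInformation
    Write-Host ("Found {0} entries; exported to {1}" -f @($rows).Count, $path)
}
```

Run it as `.\Search-AuditLogExample.ps1 -Mailbox "<Test User 1>" -StartDate "<04/10/17>" -EndDate "<04/27/17>"` (hypothetical file name) and add -IncludeFolderBind, -Subject or -ReturnObject in the same way as with the article's script. When reading the output, LogonType together with ClientInfoString and ClientIPAddress is what tells an unexpected delegate or admin action apart from the owner's own activity.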
More information about mailbox audit logging
The Search-MailboxAuditLog cmdlet is used in the sample script in Step 1 to search a single mailbox synchronously. You can also do this by running the cmdlet in Windows Remote PowerShell.
For more information about the cmdlet, go to the following TechNet article:
Search-MailboxAuditLog
You can search one or more mailboxes asynchronously. To do this, run the following cmdlet in Windows Remote PowerShell:
New-MailboxAuditLogSearch
For more information about this cmdlet, go to the following TechNet article:
New-MailboxAuditLogSearch
For more information about the default mailbox audit logging entries, go to the 'Mailbox audit log entries' section of the following TechNet article: