Exchange Mailbox Audit Logging

To help administrators protect confidential mailbox data and sender integrity, Exchange provides mailbox audit logging to track such message events as View, Update, Delete, Create, Send As, SendOnBehalf, Copy, and Move. You can specify the actions to be audited, based on whether the user is the owner, a delegate (i.e., another user designated by the owner), or a privileged administrator.

With Exchange mailbox auditing, you can detect:

  • Users viewing an executive’s confidential email
  • Impersonated, fraudulent emails
  • Administrators exporting copies of entire mailboxes
  • Deletion of emails to cover up evidence

However, mailbox audit logs are inaccessible to a SIEM via normal log-collection means because the log is not written to any type of log file or to the Windows event log. The mailbox audit logs are stored internally.

As in the case of administrator auditing, this is where LOGbinder for Exchange™ comes in. Using Exchange’s management API, LOGbinder for Exchange collects the hidden mailbox audit logs from Exchange, parses the log data, and formats it into easy-to-read messages delivered to your SIEM.
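
The per-logon-type audit settings and the internally stored log described above can be seen directly from the Exchange Management Shell. The following is an added example, not LOGbinder's code and not part of the original page; the mailbox address is a constructed placeholder, and the selected actions, the 90-day retention and the 7-day search window are assumptions.

```powershell
# Run in the Exchange Management Shell.
# Constructed placeholder mailbox; replace with a real identity.
$Mailbox = 'ceo@example.com'

# Enable auditing and choose the audited actions separately for each logon type:
# owner, delegate, and administrator.
$auditSettings = @{
    Identity         = $Mailbox
    AuditEnabled     = $true
    AuditOwner       = 'HardDelete', 'SoftDelete', 'MoveToDeletedItems'
    AuditDelegate    = 'SendAs', 'SendOnBehalf', 'FolderBind', 'Update',
                       'Move', 'HardDelete', 'SoftDelete'
    AuditAdmin       = 'Copy', 'MessageBind', 'FolderBind', 'SendAs', 'SendOnBehalf',
                       'Update', 'Move', 'HardDelete', 'SoftDelete'
    AuditLogAgeLimit = '90.00:00:00'   # assumed retention: 90 days
}
Set-Mailbox @auditSettings

# Confirm what is now being audited for each logon type.
Get-Mailbox -Identity $Mailbox |
    Format-List AuditEnabled, AuditOwner, AuditDelegate, AuditAdmin, AuditLogAgeLimit

# The entries are stored inside the mailbox, not in a log file or the Windows
# event log, so they have to be queried through Exchange itself.
# Pull non-owner (delegate and administrator) activity for the last 7 days.
$searchArgs = @{
    Identity    = $Mailbox
    LogonTypes  = 'Admin', 'Delegate'
    ShowDetails = $true
    StartDate   = (Get-Date).AddDays(-7)
    EndDate     = Get-Date
    ResultSize  = 5000
}
$entries = Search-MailboxAuditLog @searchArgs

# Keep the view, send-as, copy and delete operations that the detection
# list above is concerned with, in time order.
$watched = 'MessageBind', 'FolderBind', 'Copy', 'SendAs', 'SendOnBehalf',
           'HardDelete', 'SoftDelete'
$entries |
    Where-Object { $watched -contains $_.Operation } |
    Sort-Object LastAccessed |
    Select-Object LastAccessed, LogonType, LogonUserDisplayName, Operation,
                  FolderPathName, ItemSubject, ClientIPAddress |
    Format-Table -AutoSize
```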
