Exchange Mailbox Audit Logging

To help administrators to protect confidential mailbox data and sender integrity, Exchange provides mailbox audit logging to track such message events as View, Update, Delete, Create, Send As, SendOnBehalf, Copy, and Move. You can specify the actions to be audited, based on whether the user is the owner, a delegate (i.e., another user designated by the owner), or a privileged administrator.

With the Exchange mailbox auditing you can detect:

  • Users viewing an executive’s confidential email
  • Impersonated, fraudulent emails
  • Administrators exporting copies of entire mailboxes
  • Deletion of emails to cover up evidence

However, mailbox audit logs are inaccessible to SIEM via normal log-collection means because the log is not written to any type of log file or to the Windows event log. The mailbox audit logs are stored internally.

As in the case of administrator auditing, this is where LOGbinder for Exchange™ comes in. Using Exchange’s management API, LOGbinder for Exchange collects the hidden mailbox audit logs Exchange, parses the log data, and formats it into easy-to-read messages delivered to your SIEM.

More information on Exchange Mailbox Audit Logging


Upcoming Webinars
    Additional Resources