Hi @Surya kumar ,
if I use the above PowerShell commands, then how will inbox rules or sweep rules be identified in the log? I mean, how are they identified, because that was an automatic process, right?
As far as I know, I am afraid it's not feasible to tell if the item was deleted by inbox rules or sweep rules directly using the logs.
Given this, I'd recommend searching the audit log using the operation "MoveToDeletedItems" and seeing if more clues, like the logon user name, can be found for further analysis:
Search-MailboxAuditLog -Identity user1 -LogonTypes Owner,Admin,Delegate -ShowDetails -StartDate 4/26/2023 -EndDate 4/28/2023 | Where-Object {$_.Operation -eq "MoveToDeletedItems"} | FL Operation, LogonType, LogonUserDisplayName, SourceItemSubjectsList, ClientProcessName
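An added example, not part of the original answer: one way to summarize the "MoveToDeletedItems" entries by logon type, user and client process so that patterns are easier to review. The sample records are constructed, Get-DeletionSummary is a hypothetical helper name, and the LastAccessed timestamp property is assumed to be present in the -ShowDetails output.

```powershell
# Constructed sample records standing in for audit log output. In practice,
# assign the result of the Search-MailboxAuditLog ... -ShowDetails command
# from the answer to $entries instead of using this array.
$entries = @(
    [pscustomobject]@{ Operation = 'MoveToDeletedItems'; LogonType = 'Owner'
        LogonUserDisplayName = 'User One'; ClientProcessName = 'OUTLOOK.EXE'
        SourceItemSubjectsList = 'Invoice April'; LastAccessed = [datetime]'2023-04-26T09:15:00' }
    [pscustomobject]@{ Operation = 'MoveToDeletedItems'; LogonType = 'Owner'
        LogonUserDisplayName = 'User One'; ClientProcessName = 'OUTLOOK.EXE'
        SourceItemSubjectsList = 'Team lunch'; LastAccessed = [datetime]'2023-04-26T09:16:30' }
    [pscustomobject]@{ Operation = 'MoveToDeletedItems'; LogonType = 'Delegate'
        LogonUserDisplayName = 'User Two'; ClientProcessName = ''
        SourceItemSubjectsList = 'Weekly report'; LastAccessed = [datetime]'2023-04-27T14:02:10' }
    [pscustomobject]@{ Operation = 'SoftDelete'; LogonType = 'Owner'
        LogonUserDisplayName = 'User One'; ClientProcessName = 'OUTLOOK.EXE'
        SourceItemSubjectsList = 'Old draft'; LastAccessed = [datetime]'2023-04-27T15:00:00' }
)

function Get-DeletionSummary {
    param([Parameter(Mandatory)][object[]]$AuditEntry)

    $AuditEntry |
        Where-Object { $_.Operation -eq 'MoveToDeletedItems' } |
        Group-Object LogonType, LogonUserDisplayName, ClientProcessName |
        ForEach-Object {
            # Force an array so a group with a single entry can still be indexed.
            $times = @($_.Group.LastAccessed | Sort-Object)
            [pscustomobject]@{
                LogonType     = $_.Group[0].LogonType
                LogonUser     = $_.Group[0].LogonUserDisplayName
                ClientProcess = $_.Group[0].ClientProcessName   # blank values are kept as-is
                Count         = $_.Count
                FirstSeen     = $times[0]
                LastSeen      = $times[-1]
                Subjects      = ($_.Group.SourceItemSubjectsList -join '; ')
            }
        } |
        Sort-Object Count -Descending
}

# One row per (logon type, user, client process) combination.
Get-DeletionSummary -AuditEntry $entries | Format-Table -AutoSize
```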