365 Audit search and inbox rules not everything?

Daniel Klobnak 266 Reputation points
2023-05-24T21:48:47.58+00:00

Wondering if I am missing something in my review of Audits via Compliance Audit. Unfortunately get-inboxrule does not include a creation date. We have auditing enabled for the mailboxes. We get audit data but it seems incomplete. Even did a control.

Initial search of Exchange Workload included

New-InboxRule created rule from Outlook Web App

Set-InboxRule Modify inbox rule from Outlook Web App

Update inbox rules from Outlook Client

Now the activities above are self-explanatory I suppose.

(we also then expanded for all Activities with Exchange Workload and the results were the same). We could see when a rule was created from web, but not deleted (which we believe was from web).

For a test I created two rules, both on Outlook Web App.

I then modified one rule on Outlook Web App, and one rule on Outlook Client.

I then deleted one rule on Outlook Web App, and one rule on Outlook Client.

The next day when I ran audit, it reflected only one rule was created and only one rule was modified (both related to same rule. Modified on web - but again both were created.)

So am I correct to assume that inbox rules are only going to be audited on web side (and inconsistently) though the changes made on the Outlook client are reflected on the web-based client? And no deletion of the rule will be audited, or do we need to expand the Workload to include other areas than Exchange?

I have management not appreciating the why. So either correct me on how to do it correctly, or point me to something that explains this if possible. Thank you.

Microsoft Exchange Online
Windows 365 Enterprise
{count} votes

Accepted answer
  1. Konstantinos Passadis 19,271 Reputation points MVP
    2023-05-24T22:00:49.15+00:00

    Hello @Daniel Klobnak !

    I understand you need Audit Logs for Outlook Client as well

    I have to point you to

    https://learn.microsoft.com/en-us/microsoft-365/compliance/audit-log-activities?view=o365-worldwide

    and particularly Search-UnifiedAuditLog

    As you can see below :

    You can also search for mailbox activities by using the Search-MailboxAuditLog cmdlet in Exchange Online PowerShell.

    Accessed mailbox items MailItemsAccessed Messages were read or accessed in mailbox. Audit records for this activity are triggered in one of two ways: when a mail client (such as Outlook) performs a bind operation on messages or when mail protocols (such as Exchange ActiveSync or IMAP) sync items in a mail folder. This activity is only logged for users with an Office 365 or Microsoft 365 E5 license. Analyzing audit records for this activity is useful when investigating compromised email account. For more information, see the "Audit (Premium) events" section in Audit (Premium).
    Added delegate mailbox permissions Add-MailboxPermission An administrator assigned the FullAccess mailbox permission to a user (known as a delegate) to another person's mailbox. The FullAccess permission allows the delegate to open the other person's mailbox, and read and manage the contents of the mailbox. The audit record for this activity is also generated when a system account in the Microsoft 365 service periodically performs maintenance tasks in behalf of your organization. A common task performed by a system account is updating the permissions for system mailboxes. For more information, see System accounts in Exchange mailbox audit records.
    Added or removed user with delegate access to calendar folder UpdateCalendarDelegation A user was added or removed as a delegate to the calendar of another user's mailbox. Calendar delegation gives someone else in the same organization permissions to manage the mailbox owner's calendar.
    Added permissions to folder AddFolderPermissions A folder permission was added. Folder permissions control which users in your organization can access folders in a mailbox and the messages located in those folders.
    Copied messages to another folder Copy A message was copied to another folder.
    Created mailbox item Create An item is created in the Calendar, Contacts, Notes, or Tasks folder in the mailbox. For example, a new meeting request is created. Creating, sending, or receiving a message isn't audited. Also, creating a mailbox folder isn't audited.
    Created new inbox rule in Outlook web app New-InboxRule A mailbox owner or other user with access to the mailbox created an inbox rule in the Outlook web app.
    Deleted messages from Deleted Items folder SoftDelete A message was permanently deleted or deleted from the Deleted Items folder. These items are moved to the Recoverable Items folder. Messages are also moved to the Recoverable Items folder when a user selects it and presses Shift+Delete.
    Labeled message as a record ApplyRecordLabel A message was classified as a record. Occurs when a retention label that classifies content as a record is manually or automatically applied to a message.
    Moved messages to another folder Move A message was moved to another folder.
    Moved messages to Deleted Items folder MoveToDeletedItems A message was deleted and moved to the Deleted Items folder.
    Modified folder permission UpdateFolderPermissions A folder permission was changed. Folder permissions control which users in your organization can access mailbox folders and the messages in the folder.
    Modified inbox rule from Outlook web app Set-InboxRule A mailbox owner or other user with access to the mailbox modified an inbox rule using the Outlook web app.
    Purged messages from the mailbox HardDelete A message was purged from the Recoverable Items folder (permanently deleted from the mailbox).
    Removed delegate mailbox permissions Remove-MailboxPermission An administrator removed the FullAccess permission (that was assigned to a delegate) from a person's mailbox. After the FullAccess permission is removed, the delegate can't open the other person's mailbox or access any content in it.
    Removed permissions from folder RemoveFolderPermissions A folder permission was removed. Folder permissions control which users in your organization can access folders in a mailbox and the messages located in those folders.
    Sent message Send A message was sent, replied to or forwarded. This activity is only logged for users with an Office 365 or Microsoft 365 E5 license. For more information, see the "Audit (Premium) events" section in Audit (Premium).
    Sent message using Send As permissions SendAs A message was sent using the SendAs permission. This means that another user sent the message as though it came from the mailbox owner.
    Sent message using Send On Behalf permissions SendOnBehalf A message was sent using the SendOnBehalf permission. This means that another user sent the message on behalf of the mailbox owner. The message indicates to the recipient whom the message was sent on behalf of and who actually sent the message.
    Updated inbox rules from Outlook client UpdateInboxRules A mailbox owner or other user with access to the mailbox created, modified, or removed an inbox rule by using the Outlook client.
    Updated message Update A message or its properties was changed.
    User signed in to mailbox MailboxLogin The user signed in to their mailbox.
    Label message as a record A user applied a retention label to an email message and that label is configured to mark the item as a record.

    Before you search the audit log

    Be sure to review the following items before you start searching the audit log.

    • Audit log search is turned on by default for Microsoft 365 and Office 365 enterprise organizations. To verify that audit log search is turned on, you can run the following command in Exchange Online PowerShell:

    PowerShell

    Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled
    

    The value of True for the UnifiedAuditLogIngestionEnabled property indicates that audit log search is turned on. For more information, see Turn audit log search on or off.

    Important

    Be sure to run the previous command in Exchange Online PowerShell. Although the Get-AdminAuditLogConfig cmdlet is also available in Security & Compliance PowerShell, the UnifiedAuditLogIngestionEnabled property is always False, even when audit log search is turned on.

    I hope this helps!

    Kindly mark the answer as Accepted and Upvote in case it helped!

    Regards


1 additional answer

Sort by: Most helpful
  1. Daniel Klobnak 266 Reputation points
    2023-05-31T16:52:03.4566667+00:00

    There were a number of items involved. First - did confirm that UnifiedAuditLogIngestionEnabled as well as Get-organizationConfig | fl auditdisabled etc. I assumed all was in place as I was able to get partial information prior to opening this question.

    In any event - while certain InboxRule auditing was not available via Compliance Audit to provide a complete picture, I did find exactly what I was looking for using

    Exchange Admin Center (Classic) > Compliance Management > Auditing > Run the Admin Auto log

    However, I continued to review - I determined that

    Search-MailboxAuditLog did not have what I was looking for.

    Search-UnifiedAuditLog -StartDate "5/23/2023 2:00 PM" -EndDate "5/23/2023 9:05 PM" -UserIDs $ID -RecordType ExchangeAdmin

    Did provide the information I was looking for - once I adjusted to UTC in search query.

    It is unfortunate that there are needs of various tools to access the information rather than an efficient and centralized GUI, but it is what it is.

    Thank you all.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.