Office 365: Enable Mailbox Audit
In a hybrid setup, once after the mailboxes are moved to the cloud the mailbox audit will be enabled after they are converted to mailboxes from mail enabled users.
Earlier we have to run the Set-Mailbox -AuditEnabled $True every time we add a new mailbox or a mailbox is migrated to the cloud so that mailbox Audit is turned on.
Once the mailbox audit logging is enabled for owner actions we might see lots of items getting occupied for user actions in audit folder. This Audit logs is stored individually on users mailboxes itself in Hidden audit folder.
Get-MailboxFolderStatistics -Identity Helpdesk@exchangequery.com | select name,itemsinfolder,foldersize
https://exchangequery.files.wordpress.com/2018/11/untitled12.png?w=600
This audit folder will not come under the user mailbox quota. It will consume the recoverable items quota for each user mailbox. In order to overcome this mailbox quota limit for these recoverable items the storage quota for the recoverable items folder is automatically increased from 30 GB to 100 GB when a hold is placed on a mailbox in Exchange Online.
https://exchangequery.files.wordpress.com/2018/11/untitled7.png?w=600
Without hold the default value will be 30 GB
https://exchangequery.files.wordpress.com/2018/11/untitled21.png?w=600
We can also see that the audit will be enabled by default in the organizational config.
https://exchangequery.files.wordpress.com/2018/11/untitled31.png?w=600
To enable audit org level – Set-OrganizationConfig -AuditDisabled $false
To disable audit orglevel – Set-OrganizationConfig -AuditDisabled $True
we can see the audit is enabled by default
Get-Mailbox helpdesk | fl *audit*
https://exchangequery.files.wordpress.com/2018/11/untitled42.png?w=600
For AuditOwner we can see the below
Get-Mailbox helpdesk | Select-Object -ExpandProperty auditowner
We can see the mailbox login which will record the client logins for the owner actions inclusive of protocols POP and IMAP. Apart from this we have for inbox rules and calendar delegation which will be definitely useful in terms of troubleshooting or investigation of an compromised account.
https://exchangequery.files.wordpress.com/2018/11/untitled52.png?w=600
When your tenancy begins auditing all mailboxes by default, the per-mailbox AuditEnabled setting will be overridden. However, you may still choose to disable audits for a subset of your users if there is a business need. You can elect this option by configuring audit bypass associations on the identities you intend to ignore with the Set-MailboxAuditBypassAssociation cmdlet. We can also customize the audit logging entries based on our requirement using set-mailbox and -AuditOwner option.
Below command will bypass audit for the specified mailbox.
Get-Mailbox usteam | Set-MailboxAuditBypassAssociation -AuditBypassEnabled $true
https://exchangequery.files.wordpress.com/2018/11/untitled61.png?w=600
We can run a audit report from the security and compliance center to generate audit report during an investigation. We have export operation as well.
https://exchangequery.files.wordpress.com/2018/11/untitled71.png?w=600
More filter options are available
https://exchangequery.files.wordpress.com/2018/11/untitled81.png?w=600
Based on the monitored mailbox audit actions we can also create an alert and notify the information security team mailbox/group for these actions which are not meeting the organization compliance.
https://exchangequery.files.wordpress.com/2018/11/untitled91.png?w=600https://exchangequery.files.wordpress.com/2018/11/untitled10.png?w=600
Over the next several months, Microsoft will enable the default-auditing configuration on all tenants with a steady ramp-up with all commercial customers to be covered by the end of the calendar year. So we can expect this to be covered for all tenants by the end of this calendar year.
Mailbox audits will be stored for all user mailboxes within the commercial service by default.
The default audit configuration will change and include more audit events.