2025-03-28 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/02 Report
In an enterprise, in addition to knowing and tracking the access that administrators may have to users' mailboxes, you also need to track the settings and actions that administrators apply to the mail organization. This confirms that all behavior is compliant, keeps the mail organization running stably and correctly, allows timely troubleshooting and repair after a misoperation or malicious operation, and provides reliable guidance and evidence for events that require accountability.
Exchange Online therefore provides an administrator audit log that records the changes administrators make to the organization and recipient configuration. It can be used to trace events caused by misoperation, identify malicious actions, and verify that actions meet compliance requirements.
First, track the administrator's changes to the roles of user accounts
Typically, the administrator of a mail organization can use their own permissions to grant administrative roles to users in the enterprise, so that the specified user obtains the corresponding administrative rights. If such an operation is not authorized, it can make the enterprise mail system much harder to maintain and affect its stable operation.
So how can we effectively find out which administrators have granted rights to which users? This is particularly important for compliance and for assigning responsibility afterwards. Exchange Online provides customers with an administrator role group change report, which shows the records of changes administrators made to the membership of administrative role groups in the organization.
The administrator role group change report can be obtained through the Exchange admin center (EAC). Navigate to Compliance Management in EAC, select Audit on the right, and click "Run Administrator Role Group report".
In the "Search for changes to Administrator Role Groups" window that opens, specify the start and end dates for the report. You can also use the filter to retrieve changes for a specific role group; if no role group is specified, changes for all role groups are retrieved. Finally, click "Search", and the role group changes that meet the search criteria are listed below.
It is easy to see from the report which administrator granted which administrative role permissions to which user at what time.
Second, use the administrator audit log to track administrator operations
If you want to know more about what administrators have done, you can get it from the administrator audit log.
There are two ways to obtain the administrator audit log: run the administrator audit log report, or export the administrator audit log. With "Run Administrator Audit Log report", you can view the configuration changes made by the organization's administrators. "Export Administrator Audit Log" exports the log as an XML file, the same as for the mailbox audit log, and Exchange Online sends the XML file as a mail attachment to the specified user's mailbox. Therefore, if the user uses OWA as the client, OWA must be configured to allow the attachment. For more information, please see "how to get mailbox audit logs from 47 of EXO service in O365" (https://blog.51cto.com/liulike/2359471).
1. Confirm whether the administrator audit log feature is enabled.
In Exchange Online, the administrator audit log is enabled by default, and you can use Get-AdminAuditLogConfig to confirm whether this feature is actually enabled.
Get-AdminAuditLogConfig | Format-List AdminAuditLogEnabled
Note that this feature cannot be turned off in Exchange Online. In Exchange Server, however, it can be enabled or disabled with Set-AdminAuditLogConfig, for example:
Set-AdminAuditLogConfig -AdminAuditLogEnabled $True
After confirming that the administrator audit log feature is enabled, you can view or export the administrator audit log.
2. View the administrator audit log
Navigate to Compliance Management in EAC, select Audit on the right, and click "Run Administrator Audit Log report".
In the "Search for configuration changes" window, specify the start and end dates of the logs to retrieve. If no dates are defined, the last 15 days of logs are retrieved by default. Click "Search", and the results are displayed below.
3. Export administrator audit log
Navigate to Compliance Management in EAC, select Audit on the right, and click "Export Administrator Audit Log".
Specify the start and end dates of the log to be exported and the user mailbox to which the exported XML file will be sent, and then click Export.
Exchange Online limits the size of the XML file to no more than 10MB, so you should be as precise as possible when selecting a time range; the default time range is the last 15 days. In addition, a log export in Exchange Online generally takes a long time, so the email does not arrive immediately. It usually arrives within 24 hours, but in practice it can be slower, with waits of 48-72 hours or more.
Third, use PowerShell to query and export the administrator audit log
If you need more advanced or more precise filtering, you can use PowerShell. For example, only 1000 entries are returned by default, but in PowerShell you can use ResultSize to specify the number of matching entries to return.
1. Query the administrator audit log
Suppose you want to find the log entries for changes that administrators made to mailbox send and receive message size limits between March 7, 2019 and March 8, 2019. You can use Search-AdminAuditLog to do this.
Search-AdminAuditLog -Cmdlets Set-Mailbox -Parameters ProhibitSendQuota,ProhibitSendReceiveQuota,IssueWarningQuota,MaxSendSize,MaxReceiveSize -StartDate 03/07/2019 -EndDate 03/08/2019
You can assign the return value to a variable and then view a specific log record by indexing into the returned array.
$res = Search-AdminAuditLog -Cmdlets Set-Mailbox -Parameters ProhibitSendQuota,ProhibitSendReceiveQuota,IssueWarningQuota,MaxSendSize,MaxReceiveSize -StartDate 03/07/2019 -EndDate 03/08/2019
$res[0]
You can view specific information through the properties of the log record.
$res[0].CmdletParameters
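The following is an added example, not part of the original article: it flattens Search-AdminAuditLog results into one row per changed limit parameter so a reviewer can see who changed which limit on which mailbox. The function name ConvertTo-LimitChangeRow, the sample entries, the example.com addresses and the output file name are assumptions made for illustration; the sample objects only mimic the properties of real audit entries so the block runs without an Exchange session.

```powershell
# Parameters of interest, the same list used in the query above.
$Watched = 'ProhibitSendQuota','ProhibitSendReceiveQuota','IssueWarningQuota','MaxSendSize','MaxReceiveSize'

function ConvertTo-LimitChangeRow {   # hypothetical helper name
    param(
        [Parameter(ValueFromPipeline)] $Entry,
        [string[]] $Watched
    )
    process {
        foreach ($p in $Entry.CmdletParameters) {
            if ($p.Name -notin $Watched) { continue }   # skip Identity etc.
            [pscustomobject]@{
                RunDate        = $Entry.RunDate
                Caller         = $Entry.Caller
                ObjectModified = $Entry.ObjectModified
                Cmdlet         = $Entry.CmdletName
                Parameter      = $p.Name
                NewValue       = $p.Value
                Succeeded      = $Entry.Succeeded
                # Assumption: a lifted limit is logged as the string 'Unlimited'.
                Unlimited      = ($p.Value -eq 'Unlimited')
            }
        }
    }
}

# Constructed sample entries (not real log data).
$sample = @(
    [pscustomobject]@{
        RunDate = [datetime]'2019-03-07T10:15:00'; Caller = 'admin1@example.com'
        ObjectModified = 'user1'; CmdletName = 'Set-Mailbox'; Succeeded = $true
        CmdletParameters = @(
            [pscustomobject]@{ Name = 'Identity';    Value = 'user1' }
            [pscustomobject]@{ Name = 'MaxSendSize'; Value = 'Unlimited' })
    }
    [pscustomobject]@{
        RunDate = [datetime]'2019-03-07T16:40:00'; Caller = 'admin2@example.com'
        ObjectModified = 'user2'; CmdletName = 'Set-Mailbox'; Succeeded = $true
        CmdletParameters = @(
            [pscustomobject]@{ Name = 'Identity';          Value = 'user2' }
            [pscustomobject]@{ Name = 'ProhibitSendQuota'; Value = '45 GB' }
            [pscustomobject]@{ Name = 'IssueWarningQuota'; Value = '40 GB' })
    }
)

$rows = $sample | ConvertTo-LimitChangeRow -Watched $Watched
$rows | Sort-Object RunDate | Format-Table -AutoSize
$rows | Export-Csv -Path .\limit-changes.csv -NoTypeInformation

# In a connected Exchange Online session, feed real entries instead of $sample:
# Search-AdminAuditLog -Cmdlets Set-Mailbox -Parameters $Watched -StartDate 03/07/2019 -EndDate 03/08/2019 -ResultSize 5000 |
#     ConvertTo-LimitChangeRow -Watched $Watched
```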
2. Export the administrator audit log
You can create and export administrator audit logs through New-AdminAuditLogSearch.
New-AdminAuditLogSearch -Cmdlets Set-Mailbox -Parameters ProhibitSendQuota,ProhibitSendReceiveQuota,IssueWarningQuota,MaxSendSize,MaxReceiveSize -StartDate 03/07/2019 -EndDate 03/08/2019 -StatusMailRecipients admin@lpwr.net -Name "Mail limit Setting 20190308"
As with the EAC export, after this command runs, Exchange Online sends the log entries that meet the filter criteria to the specified mailbox as an XML file attachment, also within 24 hours. So expect a long wait, and note that the size of the XML file is limited to 10MB.