Action Configuration simplifies the entire process of extracting the required information from the event logs. It is a rule engine that defines Report Actions for each category of reports, parses the event log and pulls out the required information based on the input rules configured. These Report Actions are a collection of one or more "Rule Groups".
Sometimes referred as just Groups, is a set of filtering rules applied while extracting the data from various sources. An action (Report Action) can be associated with multiple "Rule Groups". An Action is satisfied when any of the Rule Groups is satisfied.
Sometimes referred as just Rules are individual conditions which the data from various data sources are evaluated against. A set of filter rules with logical operations to link them makes a Group.
The combination of filter rules and logical operations is called a Criteria. The Criteria for the Rule Groups should be satisfied in order to satisfy the Rule Groups.
The various categories with the pre-configured Report Actions include the following:
The relationship between the categories and the source of data for the categories is displayed in the table below
Category | Data Source |
---|---|
Mailbox Logon Category | Exchange Server Event Logs |
Mailbox Permissions Changes Category | Domain Controller Event Logs |
Mailbox Properties Changes Category | Domain Controller Event Logs |
Exchange Database Changes Category | Domain Controller Event Logs and Exchange Server Event Logs |
DAG Auditing Category | Exchange Server Event Logs |
Mailbox Audit Logging Category | Mailbox Audit Logs |
Send and Receive Connector Category | Domain Controller Event Logs |
Hub Transport Settings Category | Domain Controller Event Logs |
Admin Audit Log Category | Admin Audit Logs |
Advanced Mailbox Audit Logging Category | Mailbox Audit Logs |
Mailbox Folder Permission Changes Category | Admin Audit Logs |
Public Folder Permission Changes Category | Admin Audit Logs |
Distribution List Auditing Category | Domain Controller Event Logs |
Distribution List Members Auditing Category | Domain Controller Event Logs |
The pre-configured Report Actions for Mailbox Logon Category include the following:
Report Actions | Description |
---|---|
Self Logon Events | This Report Action extracts the mailbox self-logon data from the logs based on the rules configured. |
Non Owner Logon Events | This Report Action is configured to get data on non-owner users who gained access to the other user mailboxes. |
Steps to configure a new Mailbox Logon Action
The Action you just created can be used while creating a new audit report.
Steps to create a new audit report
The Report Actions under Mailbox Permission Changes Category include the following:
Report Actions | Description |
---|---|
Mailbox Permission Modified 2003 | This Report Action extracts the mailbox self-logon data from the logs based on the rules configured. |
Mailbox Permission Modified 2008 | This Report Action is configured to get data on non-owners who gained access to the other user mailboxes. |
Mailbox Send As Permission Change | This Report Action can be configured for getting data on users who modified the mailbox Send As permission. |
To configure a new Mailbox Permission Changes action, the same set of steps mentioned for Mailbox Logon Action creation can be followed.
The Report Actions under Mailbox Property Changes category that are pre-configured include the following:
Report Actions | Description |
---|---|
Mailbox Quota Modified 2003 | This Report Action gets data on users who changed the mailbox quota limits in Windows Server 2003 environment. |
Mailbox Quota Modified 2008 | This Report Action gets data on users who changed the mailbox quota limits in Windows Server 2008 environment. |
Message Size Restriction Change 2008 | This Report Action gets data on users who changed the mailbox size limits in Windows Server 2008 environment. |
Message Size Restriction Change 2003 | This Report Action gets data on users who changed the mailbox size limits in Windows Server 2003 environment. |
Mailbox Activated Action | This Report Action gets data on the mailboxes that were recently activated. |
Mailbox Deactivated Action | This Report Action lists the mailboxes that were recently deactivated. |
Mailbox Moved Action 03/07 | This Report Action lists the mailboxes that were recently moved from/to Windows Server environments 2003 and 2007. |
Mailbox Moved Action 2010 | This Report Action lists the mailboxes that were recently moved from/to Windows 2010 Server environments. |
To configure a new Mailbox Property Changes action, the same set of steps mentioned for Mailbox Logon Action creation can be followed.
The Report Actions configured under this category include the following:
Report Actions | Description |
---|---|
Mailbox Database Mounted | A Report Action to extract data about all the mailbox stores that were mounted with the timestamp details. |
Mailbox Database Dismounted | A Report Action to extract data about all the mailbox stores that were dismounted with the timestamp details. |
Public Folder Database Mounted | A Report Action to extract data about all the public stores that were mounted with the timestamp details. |
Public Folder Database Dismounted | A Report Action to extract data about all the public stores that were dismounted with the timestamp details. |
Circular Logging 2008 | A Report Action to display the activation/ deactivation changes made to circular logging in Exchange databases in Windows Server 2008 environment and higher. |
Circular Logging 2003 | A Report Action to display the activation/ deactivation changes made to circular logging in Exchange databases in Windows Server 2003 environment. |
To configure a new Exchange Store Changes action, the same set of steps mentioned for Mailbox Logon Action creation can be followed.
The Report Actions configured under this category include the following:
Report Actions | Description |
---|---|
DAG Failover | A report action to display DAG Failover information associated with Event ID 306 |
To configure a new DAG Auditing action, the same set of steps mentioned for Mailbox Logon Action creation can be followed.
The Report Actions configured under this category include the following:
Report Actions | Description | Cmdlet(s) Used |
---|---|---|
Admin Access Audit | A report action to audit an admin's activity in user mailbox. | Search-MailboxAuditLog LogonTypes Admin |
Delegate Access Audit | A report action to audit any delegate's activity in user mailbox | Search-MailboxAuditLog LogonTypes Delegate |
Non Owner Access Audit | A report action to audit both admin's and delegate's activity in user mailbox | Search-MailboxAuditLog LogonTypes Delegate,Admin |
Owner Access Audit | A report action to audit the owner's activity on a mailbox. | Search-MailboxAuditLog LogonTypes Owner |
To configure a new Mailbox Audit Logging action, the same set of steps mentioned for Mailbox Logon Action creation can be followed.
The Report Actions configured under this category include the following:
Report Actions | Description |
---|---|
Send/Receive Connector Created/Removed | A report action to audit the creation and removal of Send and Receive Connectors |
Send/Receive Connector Enable/Disable 2008 | A report action to audit enabling and disabling of Send and Receive Connectors in Windows Server 2008 environment |
Send/Receive Connector Enable/Disable 2003 | A report action to audit enabling and disabling of Send and Receive Connectors in Windows Server 2003 environment |
Send Connector Changes 2008 | A report action to audit the changes made to Send Connector in Windows Server 2008 environment. |
Receive Connector Changes 2008 | A report action to audit the changes made to Receive Connector in Windows Server 2008 environment. |
Send Connector Changes 2003 | A report action to audit the changes made to Send Connector in Windows Server 2003 environment. |
Receive Connector Changes 2003 | A report action to audit the changes made to Receive Connector in Windows Server 2003 environment. |
To configure a new Send and Receive Connector Logging action, the same set of steps mentioned for Mailbox Logon Action creation can be followed.
The Report Actions configured under this category include the following:
Report Actions | Description |
---|---|
Hub Transport Settings 2008 | A report action to audit the changes made to the Hub Transport Server in Windows Server Environment 2008 |
Hub Transport Settings 2003 | A report action to audit the changes made to the Hub Transport Server in Windows Server Environment 2008 |
To configure a new Send and Receive Connector Logging action, the same set of steps mentioned for Mailbox Logon Action creation can be followed.
The Report Actions configured under this category include the following:
Report Actions | Description | Cmdlet(s) Used |
---|---|---|
Mailbox Permission Changes | A report action to audit the changes made to mailbox permissions. |
Add-MailboxPermission Remove-MailboxPermission Add-ADPermission Remove-ADPermission |
Mailbox Storage Quota Changes | A report action to audit the changes made to storage quotas of mailboxes. | Set-Mailbox |
Mailbox Move Request | A report action to audit the mailboxes that were moved. | Update-MovedMailbox |
Mailbox Create/Delete | A report action to audit the creation and deletion of mailboxes in the organization. |
New-Mailbox Remove-Mailbox Enable-Mailbox |
Send and Receive Connector Changes | A report action to audit the changes made to Send and Receive Connectors in the organization. |
New-SendConnector Set-SendConnector Remove-SendConnector New-ReceiveConnector Set-ReceiveConnector Remove-ReceiveConnector |
Circular Logging Changes | A report action to audit the changes made to the circular logging setting of the databases. | Set-MailboxDatabase |
Hub Transport Settings Changes | A report action to audit the changes made to hub transport settings in the organization. |
Set-TransportConfig Set-TransportServer |
Cmdlets Summary | A report action to audit the active cmdlets that run within the Exchange Server. | Add-ADPermission |
To configure a new Admin Audit Log Logging action, the same set of steps mentioned for Mailbox Logon Action creation can be followed.
The Report Actions configured under this category include the following:
Report Actions | Description | Cmdlet(s) Used |
---|---|---|
Mails Deleted | A report action to audit the mails deleted by users. | Search-MailboxAuditLog Operations: HardDelete, SoftDelete, MoveToDeletedItems |
Mails Moved | A report action to audit the mails moved by users. | Search-MailboxAuditLog Operations: Move |
To configure a new Advanced Mailbox Audit Logging action, the same set of steps mentioned for Mailbox Logon Action creation can be followed.
The Report Actions configured under this category include the following:
Report Actions | Description | Cmdlet(s) Used |
---|---|---|
Mailbox Folder Permission Changes | A report action to audit the modified mailbox folder permissions. |
Add-MailboxFolderPermission Remove-MailboxFolderPermission Set-MailboxFolderPermission |
To configure a new Mailbox Folder Permission Changes Category action, the same set of steps mentioned for Mailbox Logon Action creation can be followed.
The Report Actions configured under this category include the following:
Report Actions | Description | Cmdlet(s) Used |
---|---|---|
Public Folder Permission Changes | A report action to audit the changes made to public folders |
Add-PublicFolderAdministrativePermission Remove-PublicFolderAdministrativePermission Remove-PublicFolderClientPermission Add-PublicFolderClientPermission |
To configure a new Public Folder Permission Changes Category action, the same set of steps mentioned for Mailbox Logon Action creation can be followed.
The Report Actions configured under this category include the following:
Report Actions | Description |
---|---|
Distribution List Created and Deleted | A report action to audit the creation/removal of a security-disabled (local/global/universal) group (Distribution List). |
To configure a new Distribution List Auditing Category action, the same set of steps mentioned for Mailbox Logon Action creation can be followed.
The Report Actions configured under this category include the following:
Report Actions | Description |
---|---|
Distribution List Member Added and Removed | A report action to audit the addition/removal of security-disabled (local/global/universal) group (Distribution List) members.. |
Copyright © 2024, ZOHO Corp. All Rights Reserved.