Action Configuration

Action Configuration simplifies the entire process of extracting the required information from the event logs. It is a rule engine that defines Report Actions for each category of reports, parses the event log and pulls out the required information based on the input rules configured. These Report Actions are a collection of one or more "Rule Groups".

Rule Groups

Sometimes referred as just Groups, is a set of filtering rules applied while extracting the data from various sources. An action (Report Action) can be associated with multiple "Rule Groups". An Action is satisfied when any of the Rule Groups is satisfied.

Filter Rules

Sometimes referred as just Rules are individual conditions which the data from various data sources are evaluated against. A set of filter rules with logical operations to link them makes a Group.

The combination of filter rules and logical operations is called a Criteria. The Criteria for the Rule Groups should be satisfied in order to satisfy the Rule Groups.

The various categories with the pre-configured Report Actions include the following:

Source of Data

The relationship between the categories and the source of data for the categories is displayed in the table below

Category Data Source
Mailbox Logon Category Exchange Server Event Logs
Mailbox Permissions Changes Category Domain Controller Event Logs
Mailbox Properties Changes Category Domain Controller Event Logs
Exchange Database Changes Category Domain Controller Event Logs and Exchange Server Event Logs
DAG Auditing Category Exchange Server Event Logs
Mailbox Audit Logging Category Mailbox Audit Logs
Send and Receive Connector Category Domain Controller Event Logs
Hub Transport Settings Category Domain Controller Event Logs
Admin Audit Log Category Admin Audit Logs
Advanced Mailbox Audit Logging Category Mailbox Audit Logs
Mailbox Folder Permission Changes Category Admin Audit Logs
Public Folder Permission Changes Category Admin Audit Logs
Distribution List Auditing Category Domain Controller Event Logs
Distribution List Members Auditing Category Domain Controller Event Logs

Mailbox Logon Category

The pre-configured Report Actions for Mailbox Logon Category include the following:

Report Actions Description
Self Logon Events This Report Action extracts the mailbox self-logon data from the logs based on the rules configured.
Non Owner Logon Events This Report Action is configured to get data on non-owner users who gained access to the other user mailboxes.

Steps to configure a new Mailbox Logon Action

  1. Go to the Auditing tab.
  2. Click on the Report Configuration option found at the bottom left corner.
  3. Choose the Action Configuration option.
  4. Select the category for which you need to configure an action. In this case choose Mailbox Audit Logging.
  5. Now, click on Add New Mailbox Audit Logging. Usually the button name will be, Add New <category you chose>
  6. Provide a name and an optional description for the action. For example, Risky logons
  7. Provide a name for the Rule Group by clicking on the icon adjacent to Group Name.
  8. A Rule Group is a collection of filter rules. Specify the filter rules. The filter rules can be created with the help of the listed variables that differ based on the category. The filter rules of a group are combined based on the logical operators: AND and OR.
  9. You can also add more than one Rule Group for an action using the Add Rule Group option.
  10. Save the configured action.

The Action you just created can be used while creating a new audit report.

Steps to create a new audit report

  1. Go to the Auditing tab.
  2. Click on the Report Configuration option found at the bottom left corner.
  3. Choose the Add New Report option.
  4. Provide a name for the report.
  5. Choose the category under which you had created the action previously. Mailbox Audit Logging Reports in this case.
  6. From the Action drop-down, select the Action created by you. (Risky logons)
  7. Choose the Target Mailbox and Caller Username.
  8. Click on Save.
  9. You will now see the report you had created listed in the Report Configuration page.
  10. Click on the Configure option under the Schedule column to schedule this report to be generated at regular intervals.
  11. This report can be viewed under the Auditing tab. (Under the Mailbox Audit Logging category)

Mailbox Permissions Changes Category

The Report Actions under Mailbox Permission Changes Category include the following:

Report Actions Description
Mailbox Permission Modified 2003 This Report Action extracts the mailbox self-logon data from the logs based on the rules configured.
Mailbox Permission Modified 2008 This Report Action is configured to get data on non-owners who gained access to the other user mailboxes.
Mailbox Send As Permission Change This Report Action can be configured for getting data on users who modified the mailbox Send As permission.

To configure a new Mailbox Permission Changes action, the same set of steps mentioned for Mailbox Logon Action creation can be followed.

Mailbox Properties Changes Category

The Report Actions under Mailbox Property Changes category that are pre-configured include the following:

Report Actions Description
Mailbox Quota Modified 2003 This Report Action gets data on users who changed the mailbox quota limits in Windows Server 2003 environment.
Mailbox Quota Modified 2008 This Report Action gets data on users who changed the mailbox quota limits in Windows Server 2008 environment.
Message Size Restriction Change 2008 This Report Action gets data on users who changed the mailbox size limits in Windows Server 2008 environment.
Message Size Restriction Change 2003 This Report Action gets data on users who changed the mailbox size limits in Windows Server 2003 environment.
Mailbox Activated Action This Report Action gets data on the mailboxes that were recently activated.
Mailbox Deactivated Action This Report Action lists the mailboxes that were recently deactivated.
Mailbox Moved Action 03/07 This Report Action lists the mailboxes that were recently moved from/to Windows Server environments 2003 and 2007.
Mailbox Moved Action 2010 This Report Action lists the mailboxes that were recently moved from/to Windows 2010 Server environments.

To configure a new Mailbox Property Changes action, the same set of steps mentioned for Mailbox Logon Action creation can be followed.

Exchange Database Changes Category

The Report Actions configured under this category include the following:

Report Actions Description
Mailbox Database Mounted A Report Action to extract data about all the mailbox stores that were mounted with the timestamp details.
Mailbox Database Dismounted A Report Action to extract data about all the mailbox stores that were dismounted with the timestamp details.
Public Folder Database Mounted A Report Action to extract data about all the public stores that were mounted with the timestamp details.
Public Folder Database Dismounted A Report Action to extract data about all the public stores that were dismounted with the timestamp details.
Circular Logging 2008 A Report Action to display the activation/ deactivation changes made to circular logging in Exchange databases in Windows Server 2008 environment and higher.
Circular Logging 2003 A Report Action to display the activation/ deactivation changes made to circular logging in Exchange databases in Windows Server 2003 environment.

To configure a new Exchange Store Changes action, the same set of steps mentioned for Mailbox Logon Action creation can be followed.

DAG Auditing Category

The Report Actions configured under this category include the following:

Report Actions Description
DAG Failover A report action to display DAG Failover information associated with Event ID 306

To configure a new DAG Auditing action, the same set of steps mentioned for Mailbox Logon Action creation can be followed.

Mailbox Audit Logging Category

The Report Actions configured under this category include the following:

Report Actions Description Cmdlet(s) Used
Admin Access Audit A report action to audit an admin's activity in user mailbox. Search-MailboxAuditLog LogonTypes Admin
Delegate Access Audit A report action to audit any delegate's activity in user mailbox Search-MailboxAuditLog LogonTypes Delegate
Non Owner Access Audit A report action to audit both admin's and delegate's activity in user mailbox Search-MailboxAuditLog LogonTypes Delegate,Admin
Owner Access Audit A report action to audit the owner's activity on a mailbox. Search-MailboxAuditLog LogonTypes Owner

To configure a new Mailbox Audit Logging action, the same set of steps mentioned for Mailbox Logon Action creation can be followed.

Send and Receive Connector

The Report Actions configured under this category include the following:

Report Actions Description
Send/Receive Connector Created/Removed A report action to audit the creation and removal of Send and Receive Connectors
Send/Receive Connector Enable/Disable 2008 A report action to audit enabling and disabling of Send and Receive Connectors in Windows Server 2008 environment
Send/Receive Connector Enable/Disable 2003 A report action to audit enabling and disabling of Send and Receive Connectors in Windows Server 2003 environment
Send Connector Changes 2008 A report action to audit the changes made to Send Connector in Windows Server 2008 environment.
Receive Connector Changes 2008 A report action to audit the changes made to Receive Connector in Windows Server 2008 environment.
Send Connector Changes 2003 A report action to audit the changes made to Send Connector in Windows Server 2003 environment.
Receive Connector Changes 2003 A report action to audit the changes made to Receive Connector in Windows Server 2003 environment.

To configure a new Send and Receive Connector Logging action, the same set of steps mentioned for Mailbox Logon Action creation can be followed.

Hub Transport Settings Category

The Report Actions configured under this category include the following:

Report Actions Description
Hub Transport Settings 2008 A report action to audit the changes made to the Hub Transport Server in Windows Server Environment 2008
Hub Transport Settings 2003 A report action to audit the changes made to the Hub Transport Server in Windows Server Environment 2008

To configure a new Send and Receive Connector Logging action, the same set of steps mentioned for Mailbox Logon Action creation can be followed.

Admin Audit Log Category

The Report Actions configured under this category include the following:

Report Actions Description Cmdlet(s) Used
Mailbox Permission Changes A report action to audit the changes made to mailbox permissions.

Add-MailboxPermission

Remove-MailboxPermission

Add-ADPermission

Remove-ADPermission

Mailbox Storage Quota Changes A report action to audit the changes made to storage quotas of mailboxes. Set-Mailbox
Mailbox Move Request A report action to audit the mailboxes that were moved. Update-MovedMailbox
Mailbox Create/Delete A report action to audit the creation and deletion of mailboxes in the organization.

New-Mailbox

Remove-Mailbox

Enable-Mailbox

Send and Receive Connector Changes A report action to audit the changes made to Send and Receive Connectors in the organization.

New-SendConnector

Set-SendConnector

Remove-SendConnector New-ReceiveConnector

Set-ReceiveConnector

Remove-ReceiveConnector

Circular Logging Changes A report action to audit the changes made to the circular logging setting of the databases. Set-MailboxDatabase
Hub Transport Settings Changes A report action to audit the changes made to hub transport settings in the organization.

Set-TransportConfig

Set-TransportServer

Cmdlets Summary A report action to audit the active cmdlets that run within the Exchange Server. Add-ADPermission

To configure a new Admin Audit Log Logging action, the same set of steps mentioned for Mailbox Logon Action creation can be followed.

Advanced Mailbox Audit Logging Category

The Report Actions configured under this category include the following:

Report Actions Description Cmdlet(s) Used
Mails Deleted A report action to audit the mails deleted by users. Search-MailboxAuditLog Operations: HardDelete, SoftDelete, MoveToDeletedItems
Mails Moved A report action to audit the mails moved by users. Search-MailboxAuditLog Operations: Move

To configure a new Advanced Mailbox Audit Logging action, the same set of steps mentioned for Mailbox Logon Action creation can be followed.

Mailbox Folder Permission Changes Category

The Report Actions configured under this category include the following:

Report Actions Description Cmdlet(s) Used
Mailbox Folder Permission Changes A report action to audit the modified mailbox folder permissions.

Add-MailboxFolderPermission

Remove-MailboxFolderPermission

Set-MailboxFolderPermission

To configure a new Mailbox Folder Permission Changes Category action, the same set of steps mentioned for Mailbox Logon Action creation can be followed.

Public Folder Permission Changes Category

The Report Actions configured under this category include the following:

Report Actions Description Cmdlet(s) Used
Public Folder Permission Changes A report action to audit the changes made to public folders

Add-PublicFolderAdministrativePermission

Remove-PublicFolderAdministrativePermission

Remove-PublicFolderClientPermission

Add-PublicFolderClientPermission

To configure a new Public Folder Permission Changes Category action, the same set of steps mentioned for Mailbox Logon Action creation can be followed.

Distribution List Auditing Category

The Report Actions configured under this category include the following:

Report Actions Description
Distribution List Created and Deleted A report action to audit the creation/removal of a security-disabled (local/global/universal) group (Distribution List).

To configure a new Distribution List Auditing Category action, the same set of steps mentioned for Mailbox Logon Action creation can be followed.

Distribution List Members Auditing Category

The Report Actions configured under this category include the following:

Report Actions Description
Distribution List Member Added and Removed A report action to audit the addition/removal of security-disabled (local/global/universal) group (Distribution List) members..

Copyright © 2024, ZOHO Corp. All Rights Reserved.