How to Audit Privileged Operations and Mailbox Access in Office 365 Exchange Online
Transcript of How to Audit Privileged Operations and Mailbox Access in Office 365 Exchange Online
© 2016 Monterey Technology Group Inc.
Preview of key points
Types of activity to audit in Exchange Online:
• Message tracking
• Privileged access (admin)
• Non-owner mailbox access
Using PowerShell to manage auditing in Exchange Online
Exchange Online
Run PowerShell as Admin, then:
    Set-ExecutionPolicy RemoteSigned
    $UserCredential = Get-Credential
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
    Import-PSSession $Session
Since this webinar was recorded, Microsoft has retired Basic authentication and this remote PowerShell endpoint for Exchange Online. Current tenants connect with Connect-ExchangeOnline from the ExchangeOnlineManagement module instead; the auditing cmdlets discussed below are then used the same way.
Message tracking
Message flow: who is emailing whom?
Get-MessageTrace (covers roughly the most recent 10 days; older traffic requires a historical search, Start-HistoricalSearch, which delivers results asynchronously)
https://blogs.technet.microsoft.com/eopfieldnotes/2014/12/16/message-trace-the-powershell-way/
http://o365info.com/performing-an-extended-message-trace-in-office-365/
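An added example, not from the webinar, of what the message-tracking question above looks like in practice: summarize where one mailbox has been sending mail outside the organization over the last week, walking every result page of Get-MessageTrace and then drilling into one message with Get-MessageTraceDetail. It assumes an established Exchange Online session; the sender address and the internal domain are placeholders.

```powershell
# Added example: who is one user emailing outside the organization?
# Assumes an Exchange Online PowerShell session is already established.
$Sender   = 'alice@contoso.example'   # placeholder: the mailbox of interest
$Internal = 'contoso.example'         # placeholder: your own accepted domain

$End   = Get-Date
$Start = $End.AddDays(-7)             # Get-MessageTrace only covers the last ~10 days

# Get-MessageTrace pages its output (max 5000 per page); walk every page so
# a busy sender's traffic is not silently truncated.
$Trace = @()
$Page  = 1
do {
    $Batch = Get-MessageTrace -SenderAddress $Sender -StartDate $Start -EndDate $End `
                              -PageSize 5000 -Page $Page
    $Trace += $Batch
    $Page++
} while ($Batch.Count -eq 5000)

# Keep only recipients outside our domain and count messages per recipient
$External = $Trace | Where-Object { $_.RecipientAddress -notlike "*@$Internal" }
$External | Group-Object RecipientAddress |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Drill into the most recent external message: per-hop events (Receive, Deliver, Fail, ...)
$First = $External | Sort-Object Received -Descending | Select-Object -First 1
if ($First) {
    Get-MessageTraceDetail -MessageTraceId $First.MessageTraceId `
                           -RecipientAddress $First.RecipientAddress |
        Select-Object Date, Event, Detail |
        Format-Table -AutoSize
}
```

The recipient-domain grouping is the quickest way to spot a mailbox that has started forwarding to a personal address; the detail call shows whether each message was actually delivered or dropped by a transport rule.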
Admin operations
Privileged operations worth watching:
• Exporting mailboxes
• Granting permissions
• Setting up forwarding rules
Everything an admin does in Exchange is ultimately a PowerShell command, so Exchange audits admin activity at the PowerShell level.
Enable for the entire organization with:
    Set-AdminAuditLogConfig -AdminAuditLogEnabled $true -AdminAuditLogCmdlets * -AdminAuditLogParameters * -AdminAuditLogExcludedCmdlets *Mailbox*, *TransportRule*
Check the exclusion list before copying this line: -AdminAuditLogExcludedCmdlets *Mailbox* suppresses logging of every cmdlet with "Mailbox" in its name, which includes Set-Mailbox (forwarding), Add-MailboxPermission (delegation) and the mailbox export cmdlets, i.e. exactly the three operations listed above. Audit everything (no exclusions) unless a specific noisy cmdlet has been identified.
Admin operations
Getting the log out:
• Via PowerShell, interactive: Search-AdminAuditLog (not details)
• Via PowerShell, wait for email: New-AdminAuditLogSearch (limited in result size)
• Via the portal: limited to pre-conceived search scenarios, limited in result size
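An added example, not from the webinar, of the interactive PowerShell route: query the admin audit log for the three privileged operations named above (mailbox export, permission grants, forwarding changes), flatten each entry's parameter list into one line, and write a CSV. It assumes an Exchange Online session with admin audit logging enabled; the date window and output path are placeholders.

```powershell
# Added example: pull privileged admin operations out of the admin audit log.
# Assumes an Exchange Online PowerShell session and admin audit logging enabled.
$End   = Get-Date
$Start = $End.AddDays(-30)   # placeholder window

# Cmdlets that export mail, grant rights on a mailbox, or redirect mail.
# New-MailboxExportRequest only exists on-premises; listing it is harmless online.
$Suspicious = @(
    'New-MailboxExportRequest',
    'Add-MailboxPermission', 'Add-RecipientPermission', 'Add-ADPermission',
    'Set-Mailbox', 'New-InboxRule', 'Set-InboxRule'
)

$Events = Search-AdminAuditLog -Cmdlets $Suspicious -StartDate $Start -EndDate $End -ResultSize 5000

# Set-Mailbox is noisy; keep only the calls that touched a forwarding parameter
$Events = $Events | Where-Object {
    $_.CmdletName -ne 'Set-Mailbox' -or
    ($_.CmdletParameters | Where-Object { $_.Name -match '^Forwarding|^DeliverToMailboxAndForward$' })
}

# CmdletParameters is a collection of Name/Value pairs; join it so one row = one event
$Report = foreach ($e in $Events) {
    [pscustomobject]@{
        RunDate   = $e.RunDate
        Caller    = $e.Caller            # who ran the cmdlet
        Cmdlet    = $e.CmdletName
        Target    = $e.ObjectModified    # which mailbox / rule was touched
        Succeeded = $e.Succeeded
        Params    = ($e.CmdletParameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
    }
}

$Report | Sort-Object RunDate -Descending | Format-Table -AutoSize
$Report | Export-Csv -Path '.\admin-audit-report.csv' -NoTypeInformation   # placeholder path
```

The Params column is where the evidence lives: a Set-Mailbox entry with ForwardingSmtpAddress pointing outside the tenant, or an Add-MailboxPermission entry granting FullAccess, reads as one line. Microsoft has since retired Search-AdminAuditLog and New-AdminAuditLogSearch in Exchange Online; the same events are now retrieved with Search-UnifiedAuditLog.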
Non-Owner Mailbox Auditing
When does Bob access Alice's mailbox to:
• view her email
• send email as her
• delete email
Track that with mailbox auditing.
Must enable via PowerShell for each mailbox:
    Set-Mailbox -Identity "John Smith" -AuditDelegate SendAs,SendOnBehalf,MessageBind,FolderBind -AuditEnabled $true
Mailbox auditing has since been switched on by default for Exchange Online tenants (from early 2019), so the per-mailbox -AuditEnabled step is now only needed where an organization has turned the default off or wants a non-default action list.
Non-Owner Mailbox Auditing
Which actions can be audited for each logon type (• = can be audited, n/a = not applicable):

Action               Administrator   Delegate   Owner
Copy                 •               n/a        n/a
Create               •               •          •
FolderBind           •               •          •
HardDelete           •               •          •
MessageBind          •               n/a        n/a
Move                 •               •          •
MoveToDeletedItems   •               •          •
SendAs               •               •          n/a
SendOnBehalf         •               •          n/a
SoftDelete           •               •          •
Update               •               •          •
Non-Owner Mailbox Auditing
Don't enable -AuditOwner.
Don't try to distinguish between -AuditDelegate and -AuditAdmin: always enable both. Most things an admin does are logged as delegate access.
Bogus events being triggered by some automated process? Exempt that account with Set-MailboxAuditBypassAssociation.
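An added example, not from the webinar, that applies the three rules above across a tenant: enable auditing on every user mailbox with both the delegate and the admin action lists, verify nothing was missed, and bypass one noisy service account. Consistent with the action table, MessageBind and Copy are set only on -AuditAdmin. It assumes an Exchange Online session; the service-account address is a placeholder.

```powershell
# Added example: tenant-wide non-owner mailbox auditing with a bypass for one
# automated account. Assumes an Exchange Online PowerShell session.

# Delegate-auditable actions (MessageBind and Copy are admin-only per the table)
$DelegateActions = @('Create','FolderBind','HardDelete','Move','MoveToDeletedItems',
                     'SendAs','SendOnBehalf','SoftDelete','Update')
$AdminActions    = $DelegateActions + @('Copy','MessageBind')

# Enable on every user mailbox; -AuditOwner is deliberately left at its default
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Set-Mailbox -AuditEnabled $true `
                -AuditDelegate $DelegateActions `
                -AuditAdmin $AdminActions `
                -AuditLogAgeLimit '180.00:00:00'   # default retention is 90 days

# Verify: list any user mailbox where auditing is still off
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { -not $_.AuditEnabled } |
    Select-Object DisplayName, PrimarySmtpAddress, AuditEnabled

# A service account (placeholder) whose scheduled mailbox access floods the log.
# Bypassed accounts generate no mailbox audit entries at all, so keep this list short
# and review it: a bypassed account is also an account whose misuse you will not see.
$Svc = 'svc-archiver@contoso.example'
Set-MailboxAuditBypassAssociation -Identity $Svc -AuditBypassEnabled $true
Get-MailboxAuditBypassAssociation -Identity $Svc | Select-Object Name, AuditBypassEnabled
```

The verification query is worth scheduling: mailboxes created after the bulk run start with whatever the tenant default is, not with the action list set here.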
Non-Owner Mailbox Auditing
How to get mailbox audit logs out?
This is complicated
Non-Owner Mailbox Auditing
How to get mailbox audit logs out?
• Search-MailboxAuditLog: does not meet requirements
• The old way: New-MailboxAuditLogSearch (written New-SearchMailboxAuditLog in the original slides; the cmdlet name is New-MailboxAuditLogSearch). No longer works on Exchange 2016 or Exchange Online because of severe limitations.
Examples
Non-Owner Mailbox Auditing
Portal: only useful for casual, targeted querying of recent activity; can't search by user.
What does work? The Office 365 Management Activity API, which requires significant application programming. (The same unified audit log is also queryable from PowerShell with Search-UnifiedAuditLog.) Check out Quest Change Auditor, coming up.
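An added example, not from the webinar, showing what the per-mailbox route actually returns and why the slides call it limited: Search-MailboxAuditLog -ShowDetails on one mailbox, restricted to Delegate and Admin logons so the owner's own activity never appears, with the actions the section cares about (reading, sending as, deleting) pulled out first. It assumes an Exchange Online session and a mailbox with auditing enabled; the mailbox address is a placeholder.

```powershell
# Added example: non-owner access events for one mailbox.
# Assumes an Exchange Online PowerShell session and auditing enabled on the mailbox.
$Mailbox = 'alice@contoso.example'   # placeholder
$End   = Get-Date
$Start = $End.AddDays(-14)

# -ShowDetails returns one record per operation; without it only a count comes back.
# -LogonTypes Delegate,Admin excludes Owner, so Alice's own activity is filtered out.
# This is synchronous, one mailbox at a time, and capped by -ResultSize: the limits
# the slides refer to.
$Entries = Search-MailboxAuditLog -Identity $Mailbox -LogonTypes Delegate,Admin `
                                  -StartDate $Start -EndDate $End -ShowDetails -ResultSize 5000

$Report = foreach ($e in $Entries) {
    [pscustomobject]@{
        When      = $e.LastAccessed
        Who       = $e.LogonUserDisplayName   # the non-owner who acted
        LogonType = $e.LogonType              # Delegate or Admin
        Operation = $e.Operation              # MessageBind, SendAs, HardDelete, ...
        Result    = $e.OperationResult
        Folder    = $e.FolderPathName
        Subject   = $e.ItemSubject
        ClientIP  = $e.ClientIPAddress
        Client    = $e.ClientInfoString       # Outlook, OWA, EWS, PowerShell, ...
    }
}

# Reading, sending as, and deleting someone else's mail are the cases to look at first
$HighInterest = @('MessageBind','FolderBind','SendAs','SendOnBehalf','HardDelete','SoftDelete')
$Report | Where-Object { $_.Operation -in $HighInterest } |
    Sort-Object When -Descending |
    Format-Table -AutoSize

# Keep the full set for the record
$Report | Export-Csv -Path ".\mailbox-audit-$($Mailbox -replace '[@.]','_').csv" -NoTypeInformation
```

Searching a thousand mailboxes this way means a thousand synchronous calls, which is the scaling problem the slide points at; the Client and ClientIP columns are nevertheless the fastest way to tell an admin's PowerShell session from a delegate in Outlook. Microsoft has since retired Search-MailboxAuditLog in Exchange Online as well; Search-UnifiedAuditLog with -RecordType ExchangeItem covers the same events.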
Bottom line
Office 365 captures the audit data.
If you have a specific case you want to research, you can probably find the activity using the online portal.
If you want enterprise logging for compliance and security:
• Long-term archival
• Powerful, comprehensive search
• Alerting
• Correlation with other activity feeds
You need more than base functionality. Check out Quest Change Auditor.
Change Auditor – Office 365 Exchange
Bryan Patton, CISSP
Change Auditor
Supported platforms:
• Active Directory / LDS
• Azure Active Directory
• Active Directory Queries
• Logon, Logoff, User Sessions
• Exchange
• O365 Exchange Online
• SQL Server
• SharePoint
• Skype for Business
• Windows File Servers
• EMC Celerra, Isilon
• NetApp
• Dell Fluid File System
• Quest GPOADmin
• Quest Active Roles
• Quest Authentication Services
• Quest Defender
Object protection
• Change Auditor provides complete, real-time change auditing, in-depth forensics and comprehensive reporting on all key configuration, user and administrator changes
Change Auditor
• Who made the change?
• Where was the change made from?
• What object was changed?
• When was the change made?
• Why was the change made (comment)?
• Workstation where the change originated from
• Real-time smart alerts to any device
Demonstration
Questions?
www.quest.com/change-auditor