Configuring Exchange Online Activity Monitoring
- Go to Admin > Applications.
- Scroll through the list or use the filter to find the application.
- Select the Edit icon on the application row.
- Select Next until you reach the Activity Monitoring settings page.
Note
The entry fields vary by application type.
- Toggle Allow Activity Monitoring on.
Note
Verify that auditing is enabled, as listed in the prerequisites.
Activity Exclusions
Note
Activity Monitoring exclusions need to be manually added.
Exclusions let administrators discard activities they do not need, reducing noise in the activity data set. Activities that match an exclusion are discarded: they are not displayed in forensics and are not held in any storage.
To add an exclusion:
- Type an exclusion into the relevant dropdown list (file extension, user, folder, actions).
- Select the + icon to add it to the list.
- Select Next or Cancel to close the panel once the list is complete.
To edit or remove an exclusion from the list:
- Select the appropriate dropdown list.
- On the exclusion that needs to be edited or removed, select either the edit or delete icon.
- Select Next or Cancel to close the panel.
- Click Clear Selection to clear the entire list.
Excluded File Extensions - List of file extensions that are not monitored, e.g., txt, exe. Enter one value at a time as described above.
Exclude Folders - List of folders that are not monitored, e.g., \servername\share1\folder1. Enter one value at a time as described above.
Exclude Users - List of users whose activities are not monitored, e.g., user1, domain\user2, user3@domain.com. Enter one value at a time as described above.
The user format to use depends on how the endpoint logs the activity. If you are not sure which of the user formats above applies, either specify all of them or leave the list empty for now. After some activities flow in, navigate to the Forensics > Activities screen in the File Access Manager website to see how the user is depicted, and use that depiction in the exclusion list.
Exclude Actions - List of actions that are not monitored, e.g., copy file.
Scripts
The following Microsoft documentation provides further insight into Exchange Online events:
- Mailbox event
- Full "Set-Mailbox" documentation
- Exchange Online PowerShell starting information
In order to execute Exchange commands, you must first connect to Exchange Online using the following cmdlet:
The following script gets the current auditing state of all mailboxes:

```powershell
"Get audit state for all mailboxes"
# The Audit property set returns the AuditAdmin, AuditOwner and AuditDelegate lists.
Get-EXOMailbox -ResultSize Unlimited -PropertySets Minimum,StatisticsSeed,Audit -RecipientTypeDetails UserMailbox,SharedMailbox | Select-Object Name,UserPrincipalName,AuditAdmin,AuditOwner,AuditDelegate | Foreach-Object {
    "Mailbox: NAME: $($_.Name), UPN: $($_.UserPrincipalName)"
    " AuditAdmin: $($_.AuditAdmin)"
    " AuditOwner: $($_.AuditOwner)"
    " AuditDelegate: $($_.AuditDelegate)"
    ""
}
```
The following script enables auditing of all mailbox events for all user and shared mailboxes:

```powershell
"Setting audit state for all mailboxes"
Get-EXOMailbox -ResultSize Unlimited -PropertySets Minimum,StatisticsSeed -RecipientTypeDetails UserMailbox,SharedMailbox `
| Select-Object Name,UserPrincipalName | Foreach-Object {
    "Mailbox: NAME: $($_.Name), UPN: $($_.UserPrincipalName)"
    # Each -Audit* list replaces the mailbox's current list for that logon type.
    Set-Mailbox -Identity "$($_.UserPrincipalName)" `
        -AuditEnabled $true `
        -AuditAdmin AddFolderPermissions,ApplyRecord,Copy,Create,FolderBind,HardDelete,ModifyFolderPermissions,Move,MoveToDeletedItems,RecordDelete,RemoveFolderPermissions,SendAs,SendOnBehalf,SoftDelete,Update,UpdateFolderPermissions,UpdateCalendarDelegation,UpdateInboxRules,MailItemsAccessed `
        -AuditDelegate AddFolderPermissions,ApplyRecord,Create,FolderBind,HardDelete,ModifyFolderPermissions,Move,MoveToDeletedItems,RecordDelete,RemoveFolderPermissions,SendAs,SendOnBehalf,SoftDelete,Update,UpdateFolderPermissions,UpdateInboxRules,MailItemsAccessed `
        -AuditOwner AddFolderPermissions,ApplyRecord,Create,HardDelete,MailboxLogin,ModifyFolderPermissions,Move,MoveToDeletedItems,RecordDelete,RemoveFolderPermissions,SoftDelete,Update,UpdateFolderPermissions,UpdateCalendarDelegation,UpdateInboxRules,MailItemsAccessed
}
```
The following script resets all mailboxes to the default auditing configuration (default mailbox event types):

```powershell
"Resetting default audit state for all mailboxes"
Get-EXOMailbox -ResultSize Unlimited -PropertySets Minimum,StatisticsSeed -RecipientTypeDetails UserMailbox,SharedMailbox | Select-Object Name,UserPrincipalName | Foreach-Object {
    "Mailbox: NAME: $($_.Name), UPN: $($_.UserPrincipalName)"
    # -DefaultAuditSet restores the Microsoft-managed default actions for the listed logon types.
    Set-Mailbox -Identity "$($_.UserPrincipalName)" -DefaultAuditSet Admin,Delegate,Owner
}
```
Configuration for New Mailboxes
Newly created mailboxes will have the default Microsoft auditing configuration. If you modify the audited mailbox event types, you need to onboard new mailboxes in the same way.
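
One way to find the mailboxes that still need onboarding, as an added example that is not part of the product documentation: it compares each mailbox against the action lists used in the enable script above and previews the change for the mailboxes that differ. It assumes a session already opened with Connect-ExchangeOnline; `Get-MissingAuditAction` and the `$required` and `$drift` variables are hypothetical names introduced here.

```powershell
# Added example: report mailboxes whose audit settings lack any required action.
# Assumes an existing Connect-ExchangeOnline session.
$required = @{
    AuditAdmin    = 'AddFolderPermissions,ApplyRecord,Copy,Create,FolderBind,HardDelete,ModifyFolderPermissions,Move,MoveToDeletedItems,RecordDelete,RemoveFolderPermissions,SendAs,SendOnBehalf,SoftDelete,Update,UpdateFolderPermissions,UpdateCalendarDelegation,UpdateInboxRules,MailItemsAccessed' -split ','
    AuditDelegate = 'AddFolderPermissions,ApplyRecord,Create,FolderBind,HardDelete,ModifyFolderPermissions,Move,MoveToDeletedItems,RecordDelete,RemoveFolderPermissions,SendAs,SendOnBehalf,SoftDelete,Update,UpdateFolderPermissions,UpdateInboxRules,MailItemsAccessed' -split ','
    AuditOwner    = 'AddFolderPermissions,ApplyRecord,Create,HardDelete,MailboxLogin,ModifyFolderPermissions,Move,MoveToDeletedItems,RecordDelete,RemoveFolderPermissions,SoftDelete,Update,UpdateFolderPermissions,UpdateCalendarDelegation,UpdateInboxRules,MailItemsAccessed' -split ','
}

# Hypothetical helper: per logon type, the required actions the mailbox does not audit.
function Get-MissingAuditAction {
    param($Mailbox, [hashtable]$Required)
    $missing = @{}
    foreach ($logonType in $Required.Keys) {
        $current = @($Mailbox.$logonType | ForEach-Object { "$_" })
        $gap = @($Required[$logonType] | Where-Object { $current -notcontains $_ })
        if ($gap.Count -gt 0) { $missing[$logonType] = $gap }
    }
    $missing
}

# Collect every mailbox with auditing disabled or with at least one missing action.
$drift = @(Get-EXOMailbox -ResultSize Unlimited -PropertySets Minimum,Audit `
    -RecipientTypeDetails UserMailbox,SharedMailbox | ForEach-Object {
    $missing = Get-MissingAuditAction -Mailbox $_ -Required $required
    if (-not $_.AuditEnabled -or $missing.Count -gt 0) {
        [pscustomobject]@{
            UserPrincipalName = $_.UserPrincipalName
            AuditEnabled      = $_.AuditEnabled
            MissingAdmin      = $missing['AuditAdmin'] -join ','
            MissingDelegate   = $missing['AuditDelegate'] -join ','
            MissingOwner      = $missing['AuditOwner'] -join ','
        }
    }
})
$drift | Format-Table -AutoSize -Wrap

# Preview the change for the drifted mailboxes only; remove -WhatIf to apply it.
$drift | ForEach-Object {
    Set-Mailbox -Identity $_.UserPrincipalName -AuditEnabled $true `
        -AuditAdmin $required.AuditAdmin -AuditDelegate $required.AuditDelegate `
        -AuditOwner $required.AuditOwner -WhatIf
}
```

Run on a schedule, the report shows new mailboxes that are still on the default configuration before their activity is expected in File Access Manager.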
Supported Event Types
Owner
| Event | Out-of-the-Box | Add-Ons |
|---|---|---|
| AddFolderPermissions | ✓ | |
| ApplyRecord | ✓ | |
| Create | ✓ | |
| HardDelete | ✓ | |
| MailboxLogin | ✓ | |
| MailItemsAccessed | ✓ | |
| ModifyFolderPermissions | ✓ | |
| Move | ✓ | |
| MoveToDeletedItems | ✓ | |
| RecordDelete | ✓ | |
| RemoveFolderPermissions | ✓ | |
| SoftDelete | ✓ | |
| Update | ✓ | |
| UpdateFolderPermissions | ✓ | |
| UpdateCalendarDelegation | ✓ | |
| UpdateInboxRules | ✓ | |
Delegate
| Event | Out-of-the-Box | Add-Ons |
|---|---|---|
| AddFolderPermissions | ✓ | |
| ApplyRecord | ✓ | |
| Create | ✓ | |
| FolderBind | ✓ | |
| HardDelete | ✓ | |
| MailItemsAccessed | ✓ | |
| ModifyFolderPermissions | ✓ | |
| Move | ✓ | |
| MoveToDeletedItems | ✓ | |
| RecordDelete | ✓ | |
| RemoveFolderPermissions | ✓ | |
| SendAs | ✓ | |
| SendOnBehalf | ✓ | |
| SoftDelete | ✓ | |
| Update | ✓ | |
| UpdateFolderPermissions | ✓ | |
| UpdateInboxRules | ✓ | |
Admin
| Event | Out-of-the-Box | Add-Ons |
|---|---|---|
| AddFolderPermissions | ✓ | |
| ApplyRecord | ✓ | |
| Copy | ✓ | |
| Create | ✓ | |
| FolderBind | ✓ | |
| HardDelete | ✓ | |
| MailItemsAccessed | ✓ | |
| ModifyFolderPermissions | ✓ | |
| Move | ✓ | |
| MoveToDeletedItems | ✓ | |
| RecordDelete | ✓ | |
| RemoveFolderPermissions | ✓ | |
| SendAs | ✓ | |
| SendOnBehalf | ✓ | |
| SoftDelete | ✓ | |
| Update | ✓ | |
| UpdateFolderPermissions | ✓ | |
| UpdateCalendarDelegation | ✓ | |
| UpdateInboxRules | ✓ | |