Configuring Exchange Online Activity Monitoring
Note
Verify that auditing is enabled, as listed in the prerequisites.
Activity Monitoring gathers events from applications to help control and audit resource access.
Activity Monitoring is disabled by default. To enable it, set the Allow Activity Monitoring toggle to on.
Setting the Data Retention Period
Setting a data retention period allows the user to specify how long activities will be stored offline. Activities are available on the Activity Forensics screen for a default of 12 months. After the initial 12 months, the activity data is retained and available via a support ticket. You can set a retention period of between 1 month and 7 years. After the retention period is met, all activities will be deleted.
Example: If the data retention period in the application configuration is set to 18 months, the activities will be available in Data Access Security for the initial 12 months and then available by a support ticket for an additional 18 months, for a total of 30 months.
Activity Exclusions
Note
Activity Monitoring exclusions need to be manually added.
Exclusions let administrators filter out unwanted activities to reduce noise in the activity data set. Activities that match an exclusion are discarded: they are not displayed in forensics and are not held in any storage.
To add an exclusion:
- Type an exclusion into the relevant dropdown list (file extension, user, folder, actions).
- Select the + icon to add it to the list.
- Select Next or Cancel to close the panel once the list is complete.
To edit or remove an exclusion from the list:
- Select the appropriate dropdown list.
- On the desired extension that needs to be edited or removed, select either the edit or delete icon.
- Select Next or Cancel to close the panel.
- Click Clear Selection to clear the entire list.
Excluded File Extensions - List of file extensions that are not monitored, e.g., txt, exe. Enter one value at a time as described above.
Exclude Folders - List of folders that are not monitored, e.g., \servername\share1\folder1. Enter one value at a time as described above.
Exclude Users - List of users whose activities are not monitored, e.g., user1, domain\user2, user3@domain.com. Enter one value at a time as described above.
The user format to use depends on how the endpoint logs the activity. If you are not sure which of the user formats above to use, either specify all of them, or leave the list empty for now. Once some activities have flowed in, navigate to the Forensics > Activities screen in the File Access Manager website, see how the user is depicted there, and use that depiction in the exclusion list.
Exclude Actions - List of actions that are not monitored, e.g., copy file.
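The Exclude Users guidance above, as an added example (not SailPoint code): a Python check that compares a draft exclusion list with user strings copied from the Forensics > Activities screen and flags entries written in a format the endpoint does not log. The sample values, the function names, and the case-insensitive exact-match comparison are assumptions, not documented product behavior.

```python
# Constructed sample: user strings as depicted in observed activities.
OBSERVED_USERS = ["alice@corp.example", "CORP\\bob", "svc-backup"]
# Constructed sample: draft Exclude Users list under review.
EXCLUSIONS = ["corp\\alice", "CORP\\bob", "svc-backup", "carol@corp.example"]


def parse_user(value):
    """Return (format, account) for the three user formats the page lists."""
    v = value.strip()
    if "\\" in v:                      # domain\user
        return "domain\\user", v.split("\\", 1)[1].lower()
    if "@" in v:                       # user@domain.com
        return "user@domain", v.split("@", 1)[0].lower()
    return "user", v.lower()           # bare user name


def review_exclusions(exclusions, observed):
    """Classify each exclusion against the depictions seen in activities.

    Assumption: an exclusion only takes effect when it equals the logged
    user string (compared here case-insensitively).
    """
    exact = {u.strip().lower(): u for u in observed}
    by_account = {}
    for u in observed:
        by_account.setdefault(parse_user(u)[1], u)

    report = {}
    for entry in exclusions:
        key = entry.strip().lower()
        account = parse_user(entry)[1]
        if key in exact:
            # Same depiction as the endpoint logs: exclusion will apply.
            report[entry] = ("matches", exact[key])
        elif account in by_account:
            # Same account name, different format: re-enter it as logged.
            # Confirm it is the same identity; domains may differ.
            report[entry] = ("format-mismatch", by_account[account])
        else:
            # No activity from this user observed yet; cannot confirm format.
            report[entry] = ("not-seen", None)
    return report


if __name__ == "__main__":
    for entry, (status, logged_as) in review_exclusions(
            EXCLUSIONS, OBSERVED_USERS).items():
        print(f"{entry:22} {status:16} {logged_as or ''}")
```

A `format-mismatch` entry is one to re-enter using the depiction shown in the second field; a `matches` entry is one whose activities will be discarded and never stored, so it is worth confirming that is intended.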
Supported Event Types
Owner
Event | Out-of-the-Box | Add-Ons |
---|---|---|
AddFolderPermission | ✓ | |
ApplyRecord | ✓ | |
Create | ✓ | |
HardDelete | ✓ | |
MailboxLogin | ✓ | |
MailItemsAccessed | ✓ | |
ModifyFolderPermissions | ✓ | |
Move | ✓ | |
MoveToDeletedItems | ✓ | |
RecordDelete | ✓ | |
RemoveFolderPermissions | ✓ | |
SoftDelete | ✓ | |
Update | ✓ | |
UpdateFolderPermissions | ✓ | |
UpdateCalendarDelegation | ✓ | |
UpdateInboxRules | ✓ | |
Delegate
Event | Out-of-the-Box | Add-Ons |
---|---|---|
AddFolderPermission | ✓ | |
ApplyRecord | ✓ | |
Create | ✓ | |
FolderBind | ✓ | |
HardDelete | ✓ | |
MailItemsAccessed | ✓ | |
ModifyFolderPermissions | ✓ | |
Move | ✓ | |
MoveToDeletedItems | ✓ | |
RecordDelete | ✓ | |
RemoveFolderPermissions | ✓ | |
SendAs | ✓ | |
SendOnBehalf | ✓ | |
SoftDelete | ✓ | |
Update | ✓ | |
UpdateFolderPermissions | ✓ | |
UpdateInboxRules | ✓ | |
Admin
Event | Out-of-the-Box | Add-Ons |
---|---|---|
AddFolderPermission | ✓ | |
ApplyRecord | ✓ | |
Copy | ✓ | |
Create | ✓ | |
FolderBind | ✓ | |
HardDelete | ✓ | |
MailItemsAccessed | ✓ | |
ModifyFolderPermissions | ✓ | |
Move | ✓ | |
MoveToDeletedItems | ✓ | |
RecordDelete | ✓ | |
RemoveFolderPermissions | ✓ | |
SendAs | ✓ | |
SendOnBehalf | ✓ | |
SoftDelete | ✓ | |
Update | ✓ | |
UpdateFolderPermissions | ✓ | |
UpdateCalendarDelegation | ✓ | |
UpdateInboxRules | ✓ | |