Connector Overview
Monitoring Microsoft Exchange On-Premises is based on standard Microsoft Exchange monitoring capabilities. Access to Exchange On-Premises is based on Remote PowerShell capabilities.
Audit types include:
Mailbox Access Audit
- Administrators who access other users’ mailboxes
- Users who access other users’ mailboxes as delegates
- Owners who access their own mailbox
Administrator Audit PowerShell Cmdlets - Every Set-* PowerShell cmdlet is audited
Important
It is not recommended to enable Owner auditing on all mailboxes, due to Exchange overload and DB size.
Capabilities
This connector enables you to use File Access Manager to access and analyze data stored in Exchange and do the following:
- Analyze the structure of your stored data.
- Monitor user activity in the resources.
- Classify the data being stored.
- Verify user permissions on the resources, and compare them against requirements.
- Manage access fulfillment - automated granting and revoking of access - according to rules set in File Access Manager.
- Identity collector – collect IAM users, groups and roles and the connections between them.
Exchange Installation Flow Overview
To install the Exchange connector:
- Configure all the prerequisites.
- Add a new Exchange application in the Business Website.
- Install the relevant services:
  - Activity Monitor - This is the activity collection engine, used by all connectors that support activity monitoring.
  - Permissions Collector. If you are using EC2 login, the collector should be installed on the EC2 instance.
  - Data Classification Collector.
Important
Installing the permissions collector and data classification services is optional and should only be installed by someone with a full understanding of File Access Manager deployment architecture. The File Access Manager Administrator Guide has additional information on the architecture.
Permissions Collection Operation Principle
The File Access Manager Connector connects using the PowerShell interface and analyzes mailboxes, folders, public folders, and their permissions.
Mailbox Audit
- Mailbox audit events are assigned to the relevant mailbox business resource.
- The list of monitored mailbox types can be found in the BAMFramework.exe.config file under the recipientTypeDetailsToMonitor setting.
By default, the following types are defined and monitored:
- UserMailbox
- SharedMailbox
Note
Additional mailbox types can be added to this list. For reference, follow this link.
Monitored Activities
Action | Description | Admin | Delegate | Owner |
---|---|---|---|---|
Copy | An item is copied to another folder. | Yes | Yes | No |
Create | An item is created in the mailbox. (For example, a message is sent or received.) Note that folder creation isn't audited. | Yes | Yes | Yes |
FolderBind | A mailbox folder is accessed. | Yes | Yes | No |
HardDelete | An item is deleted permanently from the Recoverable Items folder. | Yes | Yes | Yes |
MessageBind | An item is accessed in the reading pane or opened. | Yes | No | No |
Move | An item is moved to another folder. | Yes | Yes | Yes |
MoveToDeletedItems | An item is moved to the Deleted Items folder. | Yes | Yes | Yes |
SendAs | A message is sent using Send As permissions. | Yes | Yes | N/A |
SendOnBehalf | A message is sent using Send on Behalf permissions. | Yes | Yes | N/A |
SoftDelete | An item is deleted from the Deleted Items folder. | Yes | Yes | Yes |
Update | An item's properties are updated. | Yes | Yes | Yes |
Exclusion of Specific Mailboxes from Auditing
Specific mailboxes can be excluded from Auditing by setting a configurable key in the Application Monitor app.config file.
To exclude mailboxes, set the mailboxAuditExcludeByFilter key under the AppSetting tag to a regular expression that matches only the names of the mailboxes to be excluded.
Use this setting to exclude a relatively small number of mailboxes from Auditing, when in Full Learning mode. The No Learning mode configuration is preferable if many mailboxes are excluded from auditing.
Example
Journal mailboxes monitor and register every Exchange Server event, which doubles the number of generated events. Use this feature to exclude them.
After all mailboxes have been fetched from the Exchange server, the system applies a filter on the returned result set to filter out excluded mailboxes. All other mailboxes will be audited, subject to the setting defined.
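Because every mailbox whose name matches the filter is dropped from mailbox auditing, a candidate pattern is worth checking against real mailbox names before it goes into the configuration. The PowerShell below is an added example, not part of File Access Manager; the helper name `Test-AuditExcludePattern`, the mailbox names and the `Journal-` naming prefix are hypothetical, and it assumes the product evaluates the value as a .NET regular expression against the mailbox name.

```powershell
# Added example: preview which mailboxes a candidate mailboxAuditExcludeByFilter
# pattern would remove from mailbox auditing before it goes into app.config.
# Assumption: the product applies the value as a .NET regular expression to the
# mailbox name; case handling inside the product is not stated on this page.
function Test-AuditExcludePattern {          # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)][string]   $Pattern,
        [Parameter(Mandatory = $true)][string[]] $MailboxName,
        [switch] $IgnoreCase
    )
    $options = [System.Text.RegularExpressions.RegexOptions]::None
    if ($IgnoreCase) {
        $options = [System.Text.RegularExpressions.RegexOptions]::IgnoreCase
    }
    try {
        # Fail on a malformed pattern before it reaches the config file.
        $regex = New-Object System.Text.RegularExpressions.Regex -ArgumentList $Pattern, $options -ErrorAction Stop
    } catch {
        throw "Pattern '$Pattern' is not a valid .NET regular expression: $($_.Exception.Message)"
    }
    foreach ($name in $MailboxName) {
        [pscustomobject]@{ Mailbox = $name; Excluded = $regex.IsMatch($name) }
    }
}

# Constructed mailbox names; in practice use the names returned by Exchange.
$mailboxes = 'Journal-EU', 'Journal-US', 'Maria Journalist', 'Finance Shared'

# Weak: unanchored, so it also matches a user mailbox and drops it from auditing.
$weak   = Test-AuditExcludePattern -Pattern 'Journal'   -MailboxName $mailboxes
# Corrected: anchored to the (assumed) journal mailbox naming prefix.
$strict = Test-AuditExcludePattern -Pattern '^Journal-' -MailboxName $mailboxes

# Mailboxes that only the weak pattern would exclude: unintended audit gaps.
$intended = @($strict | Where-Object { $_.Excluded } | ForEach-Object { $_.Mailbox })
$weak | Where-Object { $_.Excluded -and ($intended -notcontains $_.Mailbox) } |
    ForEach-Object { "Unintended exclusion: $($_.Mailbox)" }
```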
Note
The defined setting only affects the mailbox Audit and does not affect Admin Audit events.
By default, the system removes all Audit settings from all monitored mailboxes (including those excluded by the Exclude Audit by Filter operation) when the Application monitor service stops running. This prevents unnecessary Audit settings from remaining after other changes have been made to the Application Monitor configuration over time.
Admin Audit Events (Administrator Audit Logging)
File Access Manager features the following Admin audit events:
- General Admin audit events are assigned to a special resource (Audit Admin).
- Admin audit events that relate to a specific mailbox are assigned to the mailbox business resource.
  - The list of commands can be found in the framework configuration file in the mailboxAuditLogCmdLets setting.
    For Exchange: The config file is WBX.Exchange2010BAMHost.dll.config.
    For Exchange Online it is WBX.ExchangeOnlineBAMHost.dll.config.
  - By default, the following are defined as mailbox commands:
    - Remove-Mailbox
    - New-Mailbox
    - Set-Mailbox
    - Add-MailboxPermission
    - Remove-MailboxPermission
    - Set-MailboxAutoReplyConfiguration
- Admin audit events related to a specific mailbox folder are assigned to the mailbox folder business resource.
  - The list of commands can be found in the BAMFramework.exe.config file in the mailboxFolderAuditLogCmdLets setting.
  - By default, the following are defined as mailbox folder commands:
    - Add-MailboxFolderPermission
    - Remove-MailboxFolderPermission
    - Set-MailboxFolderPermission
- Admin audit events related to a specific public folder are assigned to the public folder business resource.
  - The list of commands can be found in the BAMFramework.exe.config file in the publicFolderAuditLogCmdLets setting.
  - By default, the following commands are defined as public folder commands:
    - Add-PublicFolderClientPermission
    - Remove-PublicFolderClientPermission
    - New-PublicFolder
    - Remove-PublicFolder
    - Add-PublicFolderAdministrativePermission
    - Remove-PublicFolderAdministrativePermission