Connector Overview

Monitoring Microsoft Exchange On-Premises is based on standard Microsoft Exchange monitoring capabilities. Access to Exchange On-Premises is based on Remote PowerShell capabilities.

Audit types include:

Mailbox Access Audit

  • Administrators who access other users’ mailboxes
  • Users who access other users’ mailboxes as delegates
  • Owners who access their own mailbox

Administrator Audit PowerShell Cmdlets - Every Set-* PowerShell cmdlet is audited

Important

Enabling Owner auditing on all mailboxes is not recommended, because of the added load on Exchange and the growth in DB size.

Capabilities

This connector enables you to use File Access Manager to access and analyze data stored in Exchange and do the following:

  • Analyze the structure of your stored data.
  • Monitor user activity in the resources.
  • Classify the data being stored.
  • Verify user permissions on the resources, and compare them against requirements.
  • Manage access fulfillment - automated granting and revoking of access - according to rules set in File Access Manager.
  • Identity collector – collect IAM users, groups and roles and the connections between them.

Exchange Installation Flow Overview

To install the Exchange connector:

  1. Configure all the prerequisites.
  2. Add a new Exchange application in the Business Website.
  3. Install the relevant services:

    • Activity Monitor - This is the activity collection engine, used by all connectors that support activity monitoring.
    • Permissions Collector - If you are using EC2 login, the collector should be installed on the EC2 instance.
    • Data Classification Collector.

Important

Installing the permissions collector and data classification services is optional and should only be done by someone with a full understanding of File Access Manager deployment architecture. The File Access Manager Administrator Guide has additional information on the architecture.

Permissions Collection Operation Principle

The File Access Manager Connector connects using the PowerShell interface and analyzes mailboxes, folders, public folders, and their permissions.

Mailbox Audit

  1. Mailbox audit events are assigned to the relevant mailbox business resource.
  2. The list of monitored mailbox types can be found in the BAMFramework.exe.config file under the recipientTypeDetailsToMonitor setting.

By default, the following types are defined and monitored:

  • UserMailbox
  • SharedMailbox

Note

Additional mailbox types can be added to this list; for reference, follow this link.

Monitored Activities

| Action | Description | Admin | Delegate | Owner |
|---|---|---|---|---|
| Copy | An item is copied to another folder. | Yes | Yes | No |
| Create | An item is created in the mailbox. (For example, a message is sent or received.) Note that folder creation isn't audited. | Yes | Yes | Yes |
| FolderBind | A mailbox folder is accessed. | Yes | Yes | No |
| HardDelete | An item is deleted permanently from the Recoverable Items folder. | Yes | Yes | Yes |
| MessageBind | An item is accessed in the reading pane or opened. | Yes | No | No |
| Move | An item is moved to another folder. | Yes | Yes | Yes |
| MoveToDeletedItems | An item is moved to the Deleted Items folder. | Yes | Yes | Yes |
| SendAs | A message is sent using Send As permissions. | Yes | Yes | N/A |
| SendOnBehalf | A message is sent using Send on Behalf permissions. | Yes | Yes | N/A |
| SoftDelete | An item is deleted from the Deleted Items folder. | Yes | Yes | Yes |
| Update | An item's properties are updated. | Yes | Yes | Yes |

Exclusion of Specific Mailboxes from Auditing

Specific mailboxes can be excluded from Auditing by setting a configurable key in the Application Monitor app.config file.

To exclude mailboxes, set the mailboxAuditExcludeByFilter under the AppSetting tag with a regular expression that matches only the names of the mailboxes to be excluded.

Use this setting to exclude a relatively small number of mailboxes from Auditing, when in Full Learning mode. The No Learning mode configuration is preferable if many mailboxes are excluded from auditing.

Example

Journal mailboxes monitor and register every Exchange Server event, which doubles the number of generated events. Use this feature to exclude them.

After all mailboxes have been fetched from the Exchange server, the system applies a filter on the returned result set to filter out excluded mailboxes. All other mailboxes will be audited, subject to the setting defined.
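A pattern that matches more names than intended silently removes those mailboxes from auditing, so it is worth previewing the filter before placing it in mailboxAuditExcludeByFilter. The following is an added example, not File Access Manager code: the helper name Test-AuditExcludeFilter and the mailbox names are constructed, and it assumes the filter behaves like .NET Regex.IsMatch on the mailbox name (case-sensitive, unanchored).

```powershell
# Added example (hypothetical helper, not part of File Access Manager).
# Assumption: the exclusion filter behaves like .NET Regex.IsMatch on the
# mailbox name, i.e. case-sensitive and unanchored unless the pattern says so.
function Test-AuditExcludeFilter {
    param(
        [Parameter(Mandatory)][string]   $Pattern,
        [Parameter(Mandatory)][string[]] $MailboxName,
        [string[]] $ExpectedExcluded = @()
    )
    $regex = [regex]::new($Pattern)    # throws early on an invalid pattern
    foreach ($name in $MailboxName) {
        $excluded = $regex.IsMatch($name)
        $expected = $ExpectedExcluded -ccontains $name
        $verdict = if ($excluded -and -not $expected) {
            'AUDIT GAP: excluded but not intended'
        } elseif ($expected -and -not $excluded) {
            'MISSED: intended but still audited'
        } else {
            'ok'
        }
        [pscustomobject]@{ Mailbox = $name; Excluded = $excluded; Verdict = $verdict }
    }
}

# Constructed sample names. On a live system the list could come from
# (Get-Mailbox -ResultSize Unlimited).Name instead.
$names = 'Journal-DB01', 'Journal-DB02', 'journal-archive',
         'HR-Journal-Review', 'Finance', 'j.smith'
$intended = 'Journal-DB01', 'Journal-DB02'

# Loose, unanchored candidate: also catches names that merely contain the word.
Test-AuditExcludeFilter -Pattern 'Journal' -MailboxName $names `
    -ExpectedExcluded $intended | Format-Table -AutoSize

# Anchored candidate that describes only the journal mailboxes.
Test-AuditExcludeFilter -Pattern '^Journal-DB\d{2}$' -MailboxName $names `
    -ExpectedExcluded $intended | Format-Table -AutoSize
```

Any row whose verdict is not `ok` means the pattern should be tightened before it is written to the app.config file.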

Note

The defined setting only affects the mailbox Audit and does not affect Admin Audit events.

By default, the system removes all Audit settings from all monitored mailboxes (including those excluded by the Exclude Audit by Filter operation) when the Application Monitor service stops running. This prevents unnecessary Audit settings from remaining after other changes have been made to the Application Monitor configuration over time.

Admin Audit Events (Administrator Audit Logging)

File Access Manager features the following Admin audit events:

  1. General Admin audit events are assigned to a special resource (Audit Admin).
  2. Admin audit events that relate to a specific mailbox are assigned to the mailbox business resource.

    • The list of commands can be found in the framework configuration file in the mailboxAuditLogCmdLets setting.

    For Exchange: The config file is WBX.Exchange2010BAMHost.dll.config.

    For Exchange Online it is WBX.ExchangeOnlineBAMHost.dll.config.

    • By default, the following are defined as mailbox commands:

      • Remove-Mailbox
      • New-Mailbox
      • Set-Mailbox
      • Add-MailboxPermission
      • Remove-MailboxPermission
      • Set-MailboxAutoReplyConfiguration
  3. Admin audit events related to a specific mailbox folder are assigned to the mailbox folder business resource.

    • The list of commands can be found in the BAMFramework.exe.config file in the mailboxFolderAuditLogCmdLets setting.
    • By default, the following are defined as mailbox folder commands:

      • Add-MailboxFolderPermission
      • Remove-MailboxFolderPermission
      • Set-MailboxFolderPermission
  4. Admin audit events related to a specific public folder are assigned to the public folder business resource.

    • The list of commands can be found in the BAMFramework.exe.config file in the publicFolderAuditLogCmdLets setting.
    • By default, the following commands are defined as public folder commands:

      • Add-PublicFolderClientPermission
      • Remove-PublicFolderClientPermission
      • New-PublicFolder
      • Remove-PublicFolder
      • Add-PublicFolderAdministrativePermission
      • Remove-PublicFolderAdministrativePermission