Action Configuration

Action Configuration simplifies the entire process of extracting the required information from the event logs. It is a rule engine that defines Report Actions for each category of reports, parses the event log and pulls out the required information based on the input rules configured. These Report Actions are a collection of one or more "Rule Groups".

Rule Groups

Rule Groups, sometimes referred to as just Groups, are sets of filtering rules applied while extracting data from the various sources. An Action (Report Action) can be associated with multiple Rule Groups, and the Action is satisfied when any one of its Rule Groups is satisfied.

Filter Rules

Filter Rules, sometimes referred to as just Rules, are the individual conditions against which the data from the various data sources is evaluated. A set of filter rules, linked by logical operators, makes up a Group.

The combination of filter rules and logical operators is called a Criteria. A Rule Group is satisfied only when its Criteria is satisfied.

The categories that ship with pre-configured Report Actions are described in the sections below.

Source of Data

The relationship between the categories and the source of data for each category is shown in the table below.

Category | Data Source
Mailbox Logon Category | Exchange Server Event Logs
Mailbox Permissions Changes Category | Domain Controller Event Logs
Mailbox Properties Changes Category | Domain Controller Event Logs
Exchange Database Changes Category | Domain Controller Event Logs and Exchange Server Event Logs
DAG Auditing Category | Exchange Server Event Logs
Mailbox Audit Logging Category | Mailbox Audit Logs
Send and Receive Connector Category | Domain Controller Event Logs
Hub Transport Settings Category | Domain Controller Event Logs
Admin Audit Log Category | Admin Audit Logs
Advanced Mailbox Audit Logging Category | Mailbox Audit Logs
Mailbox Folder Permission Changes Category | Admin Audit Logs
Public Folder Permission Changes Category | Admin Audit Logs
Distribution List Auditing Category | Domain Controller Event Logs
Distribution List Members Auditing Category | Domain Controller Event Logs

Mailbox Logon Category

The pre-configured Report Actions for Mailbox Logon Category include the following:

Report Actions | Description
Self Logon Events | This Report Action extracts the mailbox self-logon data from the logs based on the rules configured.
Non Owner Logon Events | This Report Action is configured to get data on non-owner users who gained access to other users' mailboxes.

Steps to configure a new Mailbox Logon Action

  1. Go to the Auditing tab.
  2. Click on the Report Configuration option found at the bottom left corner.
  3. Choose the Action Configuration option.
  4. Select the category for which you need to configure an action. In this case, choose Mailbox Audit Logging.
  5. Now, click on Add New Mailbox Audit Logging. The button is usually named Add New <category you chose>.
  6. Provide a name and an optional description for the action, for example Risky logons.
  7. Provide a name for the Rule Group by clicking on the pencil (edit) icon adjacent to Group Name.
  8. A Rule Group is a collection of filter rules. Specify the filter rules. They are built from the listed variables, which differ by category, and the filter rules of a group are combined with the logical operators AND and OR.
  9. You can also add more than one Rule Group for an action using the Add Rule Group option.
  10. Save the configured action.

The Action you just created can be used while creating a new audit report.

Steps to create a new audit report

  1. Go to the Auditing tab.
  2. Click on the Report Configuration option found at the bottom left corner.
  3. Choose the Add New Report option.
  4. Provide a name for the report.
  5. Choose the category under which you created the action previously (Mailbox Audit Logging Reports in this case).
  6. From the Action drop-down, select the Action you created (Risky logons).
  7. Choose the Target Mailbox and Caller Username.
  8. Click on Save.
  9. You will now see the report you created listed in the Report Configuration page.
  10. Click on the Configure option under the Schedule column to schedule this report to be generated at regular intervals.
  11. This report can be viewed under the Auditing tab, under the Mailbox Audit Logging category.

Mailbox Permissions Changes Category

The Report Actions under Mailbox Permission Changes Category include the following:

Report Actions | Description
Mailbox Permission Modified 2003 | This Report Action extracts the mailbox self-logon data from the logs based on the rules configured.
Mailbox Permission Modified 2008 | This Report Action is configured to get data on non-owners who gained access to other users' mailboxes.
Mailbox Send As Permission Change | This Report Action can be configured for getting data on users who modified the mailbox Send As permission.

To configure a new Mailbox Permission Changes action, the same set of steps mentioned for Mailbox Logon Action creation can be followed.

Mailbox Properties Changes Category

The Report Actions under Mailbox Property Changes category that are pre-configured include the following:

Report Actions | Description
Mailbox Quota Modified 2003 | This Report Action gets data on users who changed the mailbox quota limits in a Windows Server 2003 environment.
Mailbox Quota Modified 2008 | This Report Action gets data on users who changed the mailbox quota limits in a Windows Server 2008 environment.
Message Size Restriction Change 2008 | This Report Action gets data on users who changed the mailbox size limits in a Windows Server 2008 environment.
Message Size Restriction Change 2003 | This Report Action gets data on users who changed the mailbox size limits in a Windows Server 2003 environment.
Mailbox Activated Action | This Report Action gets data on the mailboxes that were recently activated.
Mailbox Deactivated Action | This Report Action lists the mailboxes that were recently deactivated.
Mailbox Moved Action 03/07 | This Report Action lists the mailboxes that were recently moved from/to Windows Server 2003 and 2007 environments.
Mailbox Moved Action 2010 | This Report Action lists the mailboxes that were recently moved from/to Windows Server 2010 environments.

To configure a new Mailbox Property Changes action, the same set of steps mentioned for Mailbox Logon Action creation can be followed.

Exchange Database Changes Category

The Report Actions configured under this category include the following:

Report Actions | Description
Mailbox Database Mounted | A Report Action to extract data about all the mailbox stores that were mounted, with timestamp details.
Mailbox Database Dismounted | A Report Action to extract data about all the mailbox stores that were dismounted, with timestamp details.
Public Folder Database Mounted | A Report Action to extract data about all the public stores that were mounted, with timestamp details.
Public Folder Database Dismounted | A Report Action to extract data about all the public stores that were dismounted, with timestamp details.
Circular Logging 2008 | A Report Action to display the activation/deactivation changes made to circular logging in Exchange databases in Windows Server 2008 and higher environments.
Circular Logging 2003 | A Report Action to display the activation/deactivation changes made to circular logging in Exchange databases in a Windows Server 2003 environment.

To configure a new Exchange Store Changes action, the same set of steps mentioned for Mailbox Logon Action creation can be followed.

DAG Auditing Category

The Report Actions configured under this category include the following:

Report Actions | Description
DAG Failover | A report action to display DAG Failover information associated with Event ID 306.

To configure a new DAG Auditing action, the same set of steps mentioned for Mailbox Logon Action creation can be followed.

Mailbox Audit Logging Category

The Report Actions configured under this category include the following:

Report Actions | Description | Cmdlet(s) Used
Admin Access Audit | A report action to audit an admin's activity in a user mailbox. | Search-MailboxAuditLog (LogonTypes: Admin)
Delegate Access Audit | A report action to audit any delegate's activity in a user mailbox. | Search-MailboxAuditLog (LogonTypes: Delegate)
Non Owner Access Audit | A report action to audit both admins' and delegates' activity in a user mailbox. | Search-MailboxAuditLog (LogonTypes: Delegate, Admin)
Owner Access Audit | A report action to audit the owner's activity on a mailbox. | Search-MailboxAuditLog (LogonTypes: Owner)

To configure a new Mailbox Audit Logging action, the same set of steps mentioned for Mailbox Logon Action creation can be followed.

Send and Receive Connector

The Report Actions configured under this category include the following:

Report Actions | Description
Send/Receive Connector Created/Removed | A report action to audit the creation and removal of Send and Receive Connectors.
Send/Receive Connector Enable/Disable 2008 | A report action to audit the enabling and disabling of Send and Receive Connectors in a Windows Server 2008 environment.
Send/Receive Connector Enable/Disable 2003 | A report action to audit the enabling and disabling of Send and Receive Connectors in a Windows Server 2003 environment.
Send Connector Changes 2008 | A report action to audit the changes made to Send Connectors in a Windows Server 2008 environment.
Receive Connector Changes 2008 | A report action to audit the changes made to Receive Connectors in a Windows Server 2008 environment.
Send Connector Changes 2003 | A report action to audit the changes made to Send Connectors in a Windows Server 2003 environment.
Receive Connector Changes 2003 | A report action to audit the changes made to Receive Connectors in a Windows Server 2003 environment.

To configure a new Send and Receive Connector Logging action, the same set of steps mentioned for Mailbox Logon Action creation can be followed.

Hub Transport Settings Category

The Report Actions configured under this category include the following:

Report Actions | Description
Hub Transport Settings 2008 | A report action to audit the changes made to the Hub Transport Server in a Windows Server 2008 environment.
Hub Transport Settings 2003 | A report action to audit the changes made to the Hub Transport Server in a Windows Server 2008 environment.

To configure a new Send and Receive Connector Logging action, the same set of steps mentioned for Mailbox Logon Action creation can be followed.

Admin Audit Log Category

The Report Actions configured under this category include the following:

Report Actions | Description | Cmdlet(s) Used
Mailbox Permission Changes | A report action to audit the changes made to mailbox permissions. | Add-MailboxPermission, Remove-MailboxPermission, Add-ADPermission, Remove-ADPermission
Mailbox Storage Quota Changes | A report action to audit the changes made to the storage quotas of mailboxes. | Set-Mailbox
Mailbox Move Request | A report action to audit the mailboxes that were moved. | Update-MovedMailbox
Mailbox Create/Delete | A report action to audit the creation and deletion of mailboxes in the organization. | New-Mailbox, Remove-Mailbox, Enable-Mailbox
Send and Receive Connector Changes | A report action to audit the changes made to Send and Receive Connectors in the organization. | New-SendConnector, Set-SendConnector, Remove-SendConnector, New-ReceiveConnector, Set-ReceiveConnector, Remove-ReceiveConnector
Circular Logging Changes | A report action to audit the changes made to the circular logging setting of the databases. | Set-MailboxDatabase
Hub Transport Settings Changes | A report action to audit the changes made to hub transport settings in the organization. | Set-TransportConfig, Set-TransportServer
Cmdlets Summary | A report action to audit the active cmdlets that run within the Exchange Server. | Add-ADPermission

To configure a new Admin Audit Log Logging action, the same set of steps mentioned for Mailbox Logon Action creation can be followed.
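The following is an added example, not part of the Exchange Reporter Plus documentation or product code: it runs the admin audit log search that the Mailbox Permission Changes Report Action is built on directly in the Exchange Management Shell, so an administrator can cross-check what the report surfaces. The 30-day window and the result-size limit are assumptions.

```powershell
# Added example (not from the Exchange Reporter Plus documentation). Queries the
# admin audit log for the four cmdlets listed under "Mailbox Permission Changes".
# Assumptions: a 30-day look-back window and a 5000-entry cap; adjust both to
# your audit log retention and volume.
$start = (Get-Date).AddDays(-30)
$end   = Get-Date

# The cmdlets listed for the Report Action. Search-AdminAuditLog filters on
# cmdlet name, so every grant or revocation of mailbox/AD permissions is returned
# regardless of which administrator ran it or which console they used.
$cmdlets = 'Add-MailboxPermission', 'Remove-MailboxPermission',
           'Add-ADPermission', 'Remove-ADPermission'

$entries = Search-AdminAuditLog -Cmdlets $cmdlets `
    -StartDate $start -EndDate $end -ResultSize 5000

if (-not $entries) {
    Write-Warning "No entries found. Check that admin audit logging is enabled (Get-AdminAuditLogConfig)."
}

# Flatten each entry to the fields a reviewer needs: who ran what, against which
# object, with which parameters (e.g. the trustee and access right granted), and
# whether the cmdlet actually succeeded. Failed attempts are worth seeing too.
$entries | ForEach-Object {
    [pscustomobject]@{
        RunDate    = $_.RunDate
        Caller     = $_.Caller
        Cmdlet     = $_.CmdletName
        Target     = $_.ObjectModified
        Parameters = ($_.CmdletParameters |
                      ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
        Succeeded  = $_.Succeeded
    }
} | Sort-Object RunDate -Descending | Format-Table -AutoSize
```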

Advanced Mailbox Audit Logging Category

The Report Actions configured under this category include the following:

Report Actions | Description | Cmdlet(s) Used
Mails Deleted | A report action to audit the mails deleted by users. | Search-MailboxAuditLog (Operations: HardDelete, SoftDelete, MoveToDeletedItems)
Mails Moved | A report action to audit the mails moved by users. | Search-MailboxAuditLog (Operations: Move)

To configure a new Advanced Mailbox Audit Logging action, the same set of steps mentioned for Mailbox Logon Action creation can be followed.
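The following is an added example, not part of the Exchange Reporter Plus documentation or product code: it runs the Search-MailboxAuditLog queries that underlie the Non Owner Access Audit action (Mailbox Audit Logging Category above) and the Mails Deleted action (this category) directly in the Exchange Management Shell, and checks first that auditing is enabled on the mailbox, since an unaudited mailbox silently returns nothing. The mailbox name, the 7-day window and the result-size limit are assumptions.

```powershell
# Added example (not from the Exchange Reporter Plus documentation).
# Assumptions: the mailbox alias, a 7-day window and a 5000-entry cap.
$mailbox = 'finance.shared'
$start   = (Get-Date).AddDays(-7)
$end     = Get-Date

# Mailbox audit logging is off by default on-premises. An empty result from an
# unaudited mailbox looks identical to "no activity", so check before querying.
$mbx = Get-Mailbox -Identity $mailbox
if (-not $mbx.AuditEnabled) {
    Write-Warning "Audit logging is disabled for $mailbox; results will be empty."
}

# Non Owner Access Audit: LogonTypes Delegate,Admin excludes the owner's own actions.
$nonOwner = Search-MailboxAuditLog -Identity $mailbox -LogonTypes Delegate,Admin `
    -StartDate $start -EndDate $end -ShowDetails -ResultSize 5000

# Mails Deleted: the three delete-class operations listed for the Report Action,
# across all logon types so the owner's own deletions are included.
$deleted = Search-MailboxAuditLog -Identity $mailbox -LogonTypes Delegate,Admin,Owner `
    -Operations HardDelete,SoftDelete,MoveToDeletedItems `
    -StartDate $start -EndDate $end -ShowDetails -ResultSize 5000

# Flatten events to the fields the report exposes (Target Mailbox / Caller
# Username) plus the operation, item and client IP a reviewer needs.
function ConvertTo-AuditRow {
    param([Parameter(ValueFromPipeline)] $Event, [string] $Report)
    process {
        [pscustomobject]@{
            Report        = $Report
            When          = $Event.LastAccessed
            TargetMailbox = $Event.MailboxResolvedOwnerName
            Caller        = $Event.LogonUserDisplayName
            LogonType     = $Event.LogonType
            Operation     = $Event.Operation
            Subject       = $Event.ItemSubject
            ClientIP      = $Event.ClientIPAddress
        }
    }
}

# A non-owner delete appears in both sets; the Report column tells them apart.
@(
    $nonOwner | ConvertTo-AuditRow -Report 'Non Owner Access Audit'
    $deleted  | ConvertTo-AuditRow -Report 'Mails Deleted'
) | Sort-Object When -Descending | Format-Table -AutoSize
```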

Mailbox Folder Permission Changes Category

The Report Actions configured under this category include the following:

Report Actions | Description | Cmdlet(s) Used
Mailbox Folder Permission Changes | A report action to audit the modified mailbox folder permissions. | Add-MailboxFolderPermission, Remove-MailboxFolderPermission, Set-MailboxFolderPermission

To configure a new Mailbox Folder Permission Changes Category action, the same set of steps mentioned for Mailbox Logon Action creation can be followed.

Public Folder Permission Changes Category

The Report Actions configured under this category include the following:

Report Actions | Description | Cmdlet(s) Used
Public Folder Permission Changes | A report action to audit the changes made to public folder permissions. | Add-PublicFolderAdministrativePermission, Remove-PublicFolderAdministrativePermission, Remove-PublicFolderClientPermission, Add-PublicFolderClientPermission

To configure a new Public Folder Permission Changes Category action, the same set of steps mentioned for Mailbox Logon Action creation can be followed.

Distribution List Auditing Category

The Report Actions configured under this category include the following:

Report Actions | Description
Distribution List Created and Deleted | A report action to audit the creation/removal of a security-disabled (local/global/universal) group (Distribution List).

To configure a new Distribution List Auditing Category action, the same set of steps mentioned for Mailbox Logon Action creation can be followed.

Distribution List Members Auditing Category

The Report Actions configured under this category include the following:

Report Actions | Description
Distribution List Member Added and Removed | A report action to audit the addition/removal of members of a security-disabled (local/global/universal) group (Distribution List).

Copyright © 2024, ZOHO Corp. All Rights Reserved.