Exchange: How to Monitor Who Accessed a Shared Mailbox
Why It Is Important
Shared mailboxes are a great way for a specific group of people to perform certain tasks from a common account; at the same time, however, they introduce a high risk of security incidents. Non-owners with privileged rights can access shared mailboxes, and there's always a chance that they might improperly handle email containing sensitive information. Whether accidentally or maliciously, a message could be deleted, sent to the wrong recipient, or moved to another location, any of which may result in data loss or leaks. To avoid security incidents, it is highly recommended that users regularly monitor non-owner access to shared mailboxes.
Native Auditing
1. Run the following command in Exchange Management Shell to enable mailbox auditing in the mailbox where you want to track non-owner access:
Set-Mailbox -Identity "TestUser" -AuditEnabled $true
2. If you want to audit all mailboxes, enter this:
$UserMailboxes = Get-Mailbox -ResultSize Unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox')}
$UserMailboxes | ForEach {Set-Mailbox $_.Identity -AuditEnabled $true}
3. To check which mailboxes have auditing enabled, run the following:
Get-Mailbox | FL Name,AuditEnabled
4. Run the following command to retrieve audit log entries:
Search-MailboxAuditLog -Identity "TestUser" -LogonTypes Admin,Delegate -ShowDetails -StartDate 1/1/2014 -EndDate 12/31/
5. This command will help you send mailbox audit log entries to a specified email address:
New-MailboxAuditLogSearch "smtp.server.name" -Mailboxes "TestUser","TestUser1" -LogonTypes Admin,Delegate -StartDate 1/1/2014 -EndDate 12/31/2014 -ShowDetails -StatusMailRecipients auditors@test.local
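The entries returned in step 4 are easier to review once grouped by who accessed which mailbox. The following is an added example, not part of the original article: the function name Get-NonOwnerAccessSummary, the choice of "high-risk" operations and the sample records are assumptions made for illustration, and it assumes PowerShell 3.0 or later.

```powershell
# Added example: summarize non-owner access from Search-MailboxAuditLog -ShowDetails output.
# Get-NonOwnerAccessSummary is a hypothetical helper, not an Exchange cmdlet.
function Get-NonOwnerAccessSummary {
    param(
        [Parameter(Mandatory)] [object[]] $AuditEntry,
        # Assumption: operations that delete, relocate or send mail are the ones worth flagging
        [string[]] $HighRiskOperation = @('HardDelete','SoftDelete','MoveToDeletedItems','Move','SendAs','SendOnBehalf')
    )
    $AuditEntry |
        Where-Object { $_.LogonType -in 'Admin','Delegate' } |   # drop owner activity
        Group-Object MailboxResolvedOwnerName, LogonUserDisplayName, LogonType |
        ForEach-Object {
            $first = $_.Group[0]
            $risky = @($_.Group | Where-Object { $_.Operation -in $HighRiskOperation })
            [pscustomobject]@{
                Mailbox      = $first.MailboxResolvedOwnerName
                AccessedBy   = $first.LogonUserDisplayName
                LogonType    = $first.LogonType
                Events       = $_.Count
                HighRisk     = $risky.Count
                Operations   = ($_.Group.Operation | Sort-Object -Unique) -join ','
                LastAccessed = $_.Group.LastAccessed | Sort-Object | Select-Object -Last 1
            }
        } |
        Sort-Object HighRisk -Descending
}

# Constructed sample records using field names returned with -ShowDetails
$sample = @(
    [pscustomobject]@{ MailboxResolvedOwnerName='TestUser'; LogonUserDisplayName='Helpdesk Admin'
        LogonType='Admin';    Operation='FolderBind'; LastAccessed=[datetime]'2014-03-02T09:15:00' }
    [pscustomobject]@{ MailboxResolvedOwnerName='TestUser'; LogonUserDisplayName='Jane Delegate'
        LogonType='Delegate'; Operation='SendAs';     LastAccessed=[datetime]'2014-03-04T11:02:00' }
    [pscustomobject]@{ MailboxResolvedOwnerName='TestUser'; LogonUserDisplayName='Jane Delegate'
        LogonType='Delegate'; Operation='HardDelete'; LastAccessed=[datetime]'2014-03-05T16:40:00' }
    [pscustomobject]@{ MailboxResolvedOwnerName='TestUser'; LogonUserDisplayName='TestUser'
        LogonType='Owner';    Operation='Update';     LastAccessed=[datetime]'2014-03-05T17:00:00' }
)

Get-NonOwnerAccessSummary -AuditEntry $sample | Format-Table -AutoSize

# Against a live mailbox, feed it the results of the search from step 4:
# $entries = Search-MailboxAuditLog -Identity "TestUser" -LogonTypes Admin,Delegate -ShowDetails -StartDate 1/1/2014 -EndDate 12/31/2014
# Get-NonOwnerAccessSummary -AuditEntry $entries
```

With the sample data, the delegate row sorts first with two high-risk events (HardDelete, SendAs), the admin row follows with none, and the owner's own activity is excluded.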
Real Life Use Case
Credits
Originally posted at https://www.netwrix.com/how_to_monitor_who_accessed_shared_mailbox.html