Need to export auditing logs for a shared mailbox using PowerShell

  • Question

  • Hi Team,

    Scenario: There was an inbox rule within the shared mailbox. It has been deleted twice. We wanted to know how and who removed these rules. I've tried to fetch audit logs, but the .xml file doesn't show any activity related to the deletion of the inbox rules. I've tried "Run the admin audit log report" too, but it shows more than 500 results for the same date as we have more than 30,000 mailboxes, due to which I cannot see who made these changes.

    Now what I am thinking is: what if we could have a PowerShell script to fetch a report for a specific mailbox? Is it possible?

    Thank you

    Monday, October 21, 2019 9:32 PM

All replies

  • Hi,

    From this article, we know that we can check the UpdateInboxRules action for inbox rules:

    So, you can use the command below to check who performed this action before:

    Search-MailboxAuditLog -Identity Shared -LogonTypes Owner,Admin,Delegate -ShowDetails -StartDate 10/1/2019 -EndDate 10/22/2019 | Where-Object {$_.Operation -eq "UpdateInboxRules"}

    Regards,

    Kyle Xu


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Tuesday, October 22, 2019 2:18 AM
    Moderator
  • If you mean for the admin audit log, you can limit it to specific objectIDs only by using the -ObjectID parameter. Do note that the values will differ depending on the type of cmdlet, as they might reference the entire mailbox, a folder within the mailbox, a rule ID, etc.

    You can also just filter it for the cmdlets in question:

    Search-AdminAuditLog -Cmdlet Remove-InboxRule,Set-InboxRule

    Tuesday, October 22, 2019 7:32 AM
  • Thank you @Kyle.Xu for sharing this. I did try this command too. It's not giving any output; the interesting part is that it's not even giving any error. I tried to update this attribute, just to make sure it has this attribute to show the results, using the command below, but it did not help either.

    Set-Mailbox -Identity "abc@contoso.com" -AuditDelegate @{Add="UpdateInboxRules"} -AuditAdmin @{Add="UpdateInboxRules"}

    Tuesday, October 22, 2019 9:58 PM
  • Thank you Vasil for looking into this issue. I did try the Search-AdminAuditLog cmdlet but it didn't work; in fact, it did not give me any output or error. Same as the one provided by Kyle.Xu.
    Tuesday, October 22, 2019 10:02 PM
  • If so, I think this inbox rule for the shared mailbox may not have been created successfully, or it may not have been deleted. Could you provide more detailed information about how you created this inbox rule and how you know it's gone?

    About the mailbox audit log, you should add this operation to the monitoring list before the action happens. Otherwise, you will not be able to find the correct information in it.

    Regards,

    Kyle Xu



    Friday, October 25, 2019 8:50 AM
    Moderator
  • The user created this inbox rule on 29th July. The strange thing is that I can see this activity when I check audit logs for 29th July. I am sure I should be able to see the same logs for 9th Oct., when the user reported that the rules were deleted, but the problem is that when I run audit logs for 9th Oct., it shows so many results for the changes made by AADC on the same day, and because it shows only 500 results in the interface, it doesn't show me the result for this shared mailbox. I did export the audit logs file, but I couldn't find any deletion activity there.

    I did stamp UpdateInboxRules manually on the shared mailbox, though.

    Can we involve someone who's good at scripting and can help us export the audit logs specifically for this shared mailbox?

    Friday, October 25, 2019 4:49 PM
  • Since the add action could be recorded by mailbox audit, I think the delete action will also be recorded.

    In this scenario, I would suggest you try to recreate this inbox rule again, then try to delete it manually. Then check from mailbox audit to confirm whether this action is recorded.

    I also want to confirm with you whether this phenomenon occurs on other shared mailboxes. If this phenomenon doesn't occur on other shared mailboxes, you can try to use a new one to replace this old one.

    Regards,

    Kyle Xu



    Wednesday, October 30, 2019 9:05 AM
    Moderator
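
One way to script the per-mailbox export asked for in this thread, as an added example that is not from any of the posters: it checks the mailbox's audit configuration first, then runs the two searches suggested above and writes each result to CSV. The mailbox address, date window and output file names are placeholders, and an Exchange PowerShell session with audit-log permissions is assumed.

```powershell
# Added example, not code from the thread. Placeholders: mailbox, dates, output paths.
$Mailbox   = 'shared@contoso.com'
$StartDate = Get-Date '2019-10-01'
$EndDate   = Get-Date '2019-10-22'

# 1. Check that auditing is enabled and which logon types record UpdateInboxRules.
#    An operation is only logged if it was in the audit list before the event happened,
#    and entries older than AuditLogAgeLimit are no longer searchable.
$mbx = Get-Mailbox -Identity $Mailbox
[pscustomobject]@{
    Mailbox          = $mbx.PrimarySmtpAddress
    AuditEnabled     = $mbx.AuditEnabled
    AuditLogAgeLimit = $mbx.AuditLogAgeLimit
    OwnerLogsRules   = $mbx.AuditOwner    -contains 'UpdateInboxRules'
    DelegateLogsRule = $mbx.AuditDelegate -contains 'UpdateInboxRules'
    AdminLogsRules   = $mbx.AuditAdmin    -contains 'UpdateInboxRules'
} | Format-List

# 2. Mailbox audit log: only this mailbox, only inbox-rule updates, all logon types.
$ruleEvents = Search-MailboxAuditLog -Identity $Mailbox `
        -LogonTypes Owner,Delegate,Admin -ShowDetails `
        -StartDate $StartDate -EndDate $EndDate |
    Where-Object { $_.Operation -eq 'UpdateInboxRules' } |
    Sort-Object LastAccessed

$ruleEvents |
    Select-Object LastAccessed, Operation, OperationResult, LogonType,
                  LogonUserDisplayName, LogonUserSid, ClientInfoString, ClientIPAddress |
    Export-Csv -Path '.\MailboxAudit-InboxRules.csv' -NoTypeInformation -Encoding UTF8

# 3. Admin audit log: restrict to the rule cmdlets and the same window, so the
#    unrelated entries that fill the 500-row report in the interface are left out.
$cmdletEvents = Search-AdminAuditLog -Cmdlets Remove-InboxRule,Set-InboxRule `
        -StartDate $StartDate -EndDate $EndDate

$cmdletEvents |
    Select-Object RunDate, Caller, CmdletName, ObjectModified, Succeeded |
    Export-Csv -Path '.\AdminAudit-InboxRuleCmdlets.csv' -NoTypeInformation -Encoding UTF8

# Summary so an empty result is visible instead of silent.
'{0} mailbox audit event(s), {1} admin audit event(s) exported.' -f `
    @($ruleEvents).Count, @($cmdletEvents).Count
```

If step 1 shows `AuditEnabled` as False, or a logon type without `UpdateInboxRules`, an empty result from step 2 for that period is expected rather than an error.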