Audit All Mailbox Activity

Note: Updated 11/12/2021 to include SearchQueryInitiated

Ever wanted to make sure you are auditing all available activities in Exchange Online? Me too! So I wrote a PowerShell script to turn on logging for every item EXO can audit. Adjust it to your liking and license level!

So why would you want this? Isn’t logging enabled by default in EXO? Well, sort of… According to MSFT documentation, not all available activities are enabled by default. Some of these may be inconsequential, like updating record tags, but others, like moving an item to a folder or accessing a folder, may paint an important picture of what happened in a mailbox. The other, more important, reason you would want to do this is that I have noticed EXO does not always enable logging. A few times I have randomly found users with audit logging disabled, or, more commonly, during license changes (E3 to E5 upgrades) not all of the Advanced Auditing turns on. Also, just as a note: to audit everything you will need some version of an E5; see the KB articles above.

# Enable mailbox audit logging with every auditable action on user, shared, room and discovery mailboxes.
# Requires an active Connect-ExchangeOnline session; trim the action lists to what your license supports.
Get-Mailbox -ResultSize Unlimited -Filter `
 {RecipientTypeDetails -eq "UserMailbox" -or RecipientTypeDetails -eq "SharedMailbox" -or RecipientTypeDetails -eq "RoomMailbox" -or RecipientTypeDetails -eq "DiscoveryMailbox"} `
 | Select-Object PrimarySmtpAddress `
 | ForEach-Object {
    $_.PrimarySmtpAddress   # echo the mailbox being processed so progress is visible
    Set-Mailbox -Identity $_.PrimarySmtpAddress -AuditEnabled $true -AuditLogAgeLimit 180 `
    -AuditAdmin    @{add="ApplyRecord", "Copy", "Create", "FolderBind", "HardDelete", "MailItemsAccessed", "Move", "MoveToDeletedItems", "RecordDelete", "Send", "SendAs", "SendOnBehalf", "SoftDelete", "Update", "UpdateCalendarDelegation", "UpdateComplianceTag", "UpdateFolderPermissions", "UpdateInboxRules"} `
    -AuditDelegate @{add="ApplyRecord", "Create", "FolderBind", "HardDelete", "MailItemsAccessed", "Move", "MoveToDeletedItems", "RecordDelete", "SendAs", "SendOnBehalf", "SoftDelete", "Update", "UpdateComplianceTag", "UpdateFolderPermissions", "UpdateInboxRules"} `
    -AuditOwner    @{add="ApplyRecord", "Create", "HardDelete", "MailItemsAccessed", "MailboxLogin", "Move", "MoveToDeletedItems", "RecordDelete", "Send", "SoftDelete", "Update", "UpdateCalendarDelegation", "UpdateComplianceTag", "UpdateFolderPermissions", "UpdateInboxRules", "SearchQueryInitiated"}
   }

# Double-check it: list every mailbox's audit settings
$FormatEnumerationLimit = -1   # show the full action lists instead of truncating them with "..."
Get-Mailbox -ResultSize Unlimited | Select-Object Name, PrimarySmtpAddress, AuditEnabled, AuditLogAgeLimit, AuditOwner, AuditDelegate, AuditAdmin | Out-GridView
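
Since auditing can silently end up off or only partly enabled, here is an added example (my own, not the post's script) that reports which mailboxes drift from an audit baseline instead of blindly re-applying settings to all of them. It assumes an active Connect-ExchangeOnline session; the baseline hashtable and the function name Get-MailboxAuditDrift are mine, and the expected-action lists should be trimmed to what your license supports.

```powershell
# Added example, not the original post's script: report mailboxes whose audit configuration
# drifts from a baseline (auditing off, short retention, missing actions).
# Assumes an active Connect-ExchangeOnline session (ExchangeOnlineManagement module).
$Baseline = @{
    MinAgeDays    = 180
    AuditAdmin    = @('ApplyRecord','Copy','Create','FolderBind','HardDelete','MailItemsAccessed',
                      'Move','MoveToDeletedItems','RecordDelete','Send','SendAs','SendOnBehalf',
                      'SoftDelete','Update','UpdateCalendarDelegation','UpdateComplianceTag',
                      'UpdateFolderPermissions','UpdateInboxRules')
    AuditDelegate = @('ApplyRecord','Create','FolderBind','HardDelete','MailItemsAccessed','Move',
                      'MoveToDeletedItems','RecordDelete','SendAs','SendOnBehalf','SoftDelete',
                      'Update','UpdateComplianceTag','UpdateFolderPermissions','UpdateInboxRules')
    AuditOwner    = @('ApplyRecord','Create','HardDelete','MailItemsAccessed','MailboxLogin','Move',
                      'MoveToDeletedItems','RecordDelete','Send','SoftDelete','Update',
                      'UpdateCalendarDelegation','UpdateComplianceTag','UpdateFolderPermissions',
                      'UpdateInboxRules','SearchQueryInitiated')
}

function Get-MailboxAuditDrift {
    # Compare one Get-Mailbox object against the baseline and return a report row.
    param([Parameter(Mandatory)] $Mailbox, [hashtable] $Expected = $Baseline)

    $issues = [System.Collections.Generic.List[string]]::new()
    if (-not $Mailbox.AuditEnabled) { $issues.Add('AuditEnabled is false') }

    # AuditLogAgeLimit renders as "180.00:00:00"; parsing the string form avoids depending on the
    # deserialised type (assumption). A blank or unparsable value is reported as drift too.
    $age = [TimeSpan]::Zero
    if (-not [TimeSpan]::TryParse("$($Mailbox.AuditLogAgeLimit)", [ref]$age) -or
        $age.TotalDays -lt $Expected.MinAgeDays) {
        $issues.Add("AuditLogAgeLimit is '$($Mailbox.AuditLogAgeLimit)', expected >= $($Expected.MinAgeDays) days")
    }

    # Each audit set is a multi-valued property; report every expected action that is absent.
    foreach ($set in 'AuditAdmin', 'AuditDelegate', 'AuditOwner') {
        $current = @($Mailbox.$set | ForEach-Object { "$_" })
        $missing = @($Expected[$set] | Where-Object { $_ -notin $current })
        if ($missing.Count -gt 0) { $issues.Add("$set missing: $($missing -join ', ')") }
    }

    [pscustomobject]@{
        Mailbox   = $Mailbox.PrimarySmtpAddress
        Compliant = ($issues.Count -eq 0)
        Issues    = ($issues -join '; ')
    }
}

# Same mailbox types as the enable script; keep the full report as evidence, show only the drift.
$Report = Get-Mailbox -ResultSize Unlimited `
    -RecipientTypeDetails UserMailbox, SharedMailbox, RoomMailbox, DiscoveryMailbox |
    ForEach-Object { Get-MailboxAuditDrift -Mailbox $_ }
$Report | Export-Csv -Path .\MailboxAuditDrift.csv -NoTypeInformation
$Report | Where-Object { -not $_.Compliant } | Format-Table -AutoSize -Wrap
```

Run this after license changes or on a schedule, and feed only the non-compliant addresses into the Set-Mailbox loop above so remediation touches just the mailboxes that drifted.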

Find EOP – MDO Misconfig with KQL

One of the biggest and most common misconfigurations I have seen with EOP/MDO is overuse of IP or domain allow lists. MSFT has updated its guidelines and no longer recommends that customers use those features. The hard part, however, is determining how many emails are coming into your environment without being scanned because of those settings. I needed to document this the other day, so I used the new Microsoft Security Advanced Hunting to get some stats on how big this issue was for my environment. Below are some KQL examples that might help you determine whether this is an issue for yours.

// MDO org-level overrides: how much inbound mail is hitting a tenant-wide allow/block policy
EmailEvents
| where EmailDirection == "Inbound"
| where Connectors == ""
| summarize count() by EmailDirection, OrgLevelAction, OrgLevelPolicy

// Domains being allowed by org-level policy
EmailEvents
| where EmailDirection == "Inbound"
| where Connectors == ""
| where OrgLevelAction == "Allow"
| summarize count() by SenderFromDomain

// User-level overrides (safe senders and similar per-user settings)
EmailEvents
| where EmailDirection == "Inbound"
| where Connectors == ""
| summarize count() by EmailDirection, UserLevelAction, UserLevelPolicy

The KQL above assumes that emails arriving through a connector should not be scanned, which is why the Connectors == "" line excludes them. If you need connector mail in this report, just drop that line!

Blog Update

Had a lot of life updates since Covid: new job, new home, all the Covid stuff. As life is starting to normalize again, I am again thinking blogging would be fun! And maybe, just maybe, some of the stuff I post helps someone else. So my goal is to start publishing on this blog at least once a month. Since that didn’t happen in the past, I am going to switch from in-depth blogs to short, bite-size pieces of content, which is really just anything I learn or find helpful that I am going to try and post.