Hello, I am looking at some kind of possible breach in our Exchange environment. We have multi-mailbox search disabled for all users (we are only licensed for Standard). I know this was correct and verified 2 weeks ago. Today, I went in and looked and saw that a generic administrator account that we have has been added to the Discovery Management role to allow mailbox searches. I didn't do this.
What kind of audit log checking should I do to see who enabled this role for this administrator account, and if they performed any mailbox searches?
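
An added example, not part of the original post: one way to pull the relevant entries from the Exchange admin audit log, covering both the role change and any discovery searches. It assumes on-premises Exchange with admin audit logging enabled and the Exchange Management Shell; the 21-day window and the `Show-AuditEntries` helper name are choices made for this example.

```powershell
# Assumptions (not from the post): run in the Exchange Management Shell with
# rights to read the admin audit log; the 21-day window is chosen to reach
# back past the "verified 2 weeks ago" point.
$start = (Get-Date).AddDays(-21)
$end   = Get-Date

# Confirm logging is on, which cmdlets are covered, and how long entries are kept.
Get-AdminAuditLogConfig |
    Format-List AdminAuditLogEnabled, AdminAuditLogCmdlets, AdminAuditLogAgeLimit

# Current membership of the role group.
Get-RoleGroupMember -Identity 'Discovery Management'

# Cmdlets that can grant discovery rights, via the role group or a direct role assignment.
$grantCmdlets  = 'Add-RoleGroupMember', 'Update-RoleGroupMember', 'New-ManagementRoleAssignment'
# Cmdlets that create, run, change or delete a multi-mailbox search.
$searchCmdlets = 'New-MailboxSearch', 'Start-MailboxSearch', 'Set-MailboxSearch', 'Remove-MailboxSearch'

# Hypothetical helper: flatten audit entries so caller, time and parameters read on one record.
function Show-AuditEntries {
    param([string[]]$Cmdlets)
    Search-AdminAuditLog -Cmdlets $Cmdlets -StartDate $start -EndDate $end -ResultSize 1000 |
        Sort-Object RunDate |
        Select-Object RunDate, Caller, CmdletName, ObjectModified, Succeeded, OriginatingServer,
            @{ Name = 'Parameters'; Expression = {
                ($_.CmdletParameters | ForEach-Object { '{0}={1}' -f $_.Name, $_.Value }) -join '; '
            } }
}

# Who changed the role group or assigned the Mailbox Search role, and when.
Show-AuditEntries -Cmdlets $grantCmdlets |
    Where-Object { $_.ObjectModified -like '*Discovery*' -or
                   $_.Parameters -like '*Discovery*' -or
                   $_.Parameters -like '*Mailbox Search*' } |
    Format-List

# Any searches created, started, modified or removed in the same window.
Show-AuditEntries -Cmdlets $searchCmdlets | Format-List

# Search objects that still exist, with all of their properties.
Get-MailboxSearch | Format-List *
```

The admin audit log only records Exchange cmdlets, and it skips `Get-`, `Search-` and `Test-` verbs, so a `Search-Mailbox` run will not appear here. Discovery Management is also an Active Directory security group, so a membership change made directly in AD has to be traced through domain controller security auditing instead.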