dhumes0524
asked on
Exchange 2010 Discovery Search Audit
Hello, I am looking at some kind of possible breach in our Exchange environment. We have multi-mailbox search disabled for all users (we are only licensed for Standard). I know this was correct and verified 2 weeks ago. Today, I went in and looked and see that a generic administrator account that we have has been added to the Discovery Management role to allow mailbox searches. I didn't do this.
What kind of audit log checking should I do to see who enabled this role for this administrator account, and if they performed any mailbox searches?
Thanks!
What kind of audit log checking should I do to see who enabled this role for this administrator account, and if they performed any mailbox searches?
Thanks!
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Auditing is automatically enabled at installation time from SP1, but SP2 is already available for one year now. I doubt that you have not installed SP2 at installation time.
One option is that the logs have exceeded max size and the oldest entries are deleted.
One option is that the logs have exceeded max size and the oldest entries are deleted.
ASKER