dhumes0524

Exchange 2010 Discovery Search Audit

Hello, I am looking at some kind of possible breach in our Exchange environment. We have multi-mailbox search disabled for all users (we are only licensed for Standard). I know this was correct and verified 2 weeks ago. Today, I went in and looked and see that a generic administrator account that we have has been added to the Discovery Management role to allow mailbox searches. I didn't do this.
What kind of audit log checking should I do to see who enabled this role for this administrator account, and if they performed any mailbox searches?

Thanks!
ASKER CERTIFIED SOLUTION
davorin

dhumes0524

ASKER

I have auditing enabled, but I am wondering if I always did...although I never specifically turned it on myself. I implemented my Exch. 2010 environment in December, but none of the changes done during initial setup show up in my Auditing logs (regarding assigning roles to users). The earliest entry in my audit log is February, so maybe the Auditing wasn't turned on until then. Either way, thanks for the response. I will read through it all and see if I can find anything else.
Auditing is automatically enabled at installation time from SP1, but SP2 has already been available for a year now. I doubt that you did not install SP2 at installation time.
One option is that the logs exceeded the max size and the oldest entries were deleted.
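
Added example, not part of the thread or of any poster's answer: one way to check the administrator audit log for the two things the question asks about, who changed the Discovery Management role group and whether mailbox searches were created or run. The 30-day look-back, the result size, and the default role group name are assumptions.

```powershell
# Run in the Exchange Management Shell (Exchange 2010 SP1 or later).
# Assumed values, not from the thread: look-back window and role group name.
$since     = (Get-Date).AddDays(-30)
$roleGroup = 'Discovery Management'
$pattern   = 'Discovery Management|Mailbox Search'

# 1. Is admin audit logging enabled, and how long are entries kept?
Get-AdminAuditLogConfig |
    Format-List AdminAuditLogEnabled, AdminAuditLogAgeLimit, AdminAuditLogCmdlets

# 2. Who is in the role group right now?
Get-RoleGroupMember -Identity $roleGroup | Format-Table Name, RecipientType -AutoSize

# Output columns: flatten each entry's parameter list into one readable string.
$paramCol = @{ Name = 'Parameters'; Expression = {
    ($_.CmdletParameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; ' } }
$columns = 'RunDate', 'Caller', 'CmdletName', 'ObjectModified', 'Succeeded', $paramCol

# 3. Role group membership or role assignment changes that mention the
#    role group or the Mailbox Search role. Caller is the account that ran it.
Search-AdminAuditLog -StartDate $since -EndDate (Get-Date) -ResultSize 5000 `
    -Cmdlets Add-RoleGroupMember, Update-RoleGroupMember, New-ManagementRoleAssignment |
    Where-Object {
        $_.ObjectModified -match $pattern -or
        ($_.CmdletParameters | Where-Object { $_.Value -match $pattern })
    } |
    Sort-Object RunDate | Select-Object $columns | Format-List

# 4. Discovery searches that were created, changed, started or removed.
Search-AdminAuditLog -StartDate $since -EndDate (Get-Date) -ResultSize 5000 `
    -Cmdlets New-MailboxSearch, Set-MailboxSearch, Start-MailboxSearch, Remove-MailboxSearch |
    Sort-Object RunDate | Select-Object $columns | Format-List

# 5. Discovery searches that still exist, with creator and target mailbox.
Get-MailboxSearch |
    Format-List Name, CreatedBy, Status, SourceMailboxes, TargetMailbox
```

Entries older than `AdminAuditLogAgeLimit` are purged, so an empty result for an early period does not show that nothing happened then. A membership change made directly on the Active Directory group, outside the Exchange cmdlets, is not recorded in this log.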