EXO : Auditing Exchange Transport Rules


This post covers how to audit who has been amending Exchange transport rules. It is targeted at Exchange Online, and the steps below only work for Exchange Online. First, connect to Exchange Online:

Connect-ExchangeOnline

Then, once you are connected, run the command below, changing the dates to match your requirements. Remember that these are USA-format dates, so the month comes before the day:

Search-UnifiedAuditLog -StartDate <mm/dd/yyyy> -EndDate <mm/dd/yyyy> -Operations New-TransportRule, Set-TransportRule, Enable-TransportRule, Disable-TransportRule, Remove-TransportRule | Format-Table

This reports any transport rule changes within the chosen dates. Unfortunately, this version doesn't really tell you what changed, because that detail lives in the AuditData field, which is a JSON document and gets truncated in the table output.

This means we need a small script to extract the name of the transport rule that is being edited, so you end up with the username alongside the rule that was changed. This can be accomplished with the script below:

Script : AdminActions.ps1

You will need to set your date variables to match your required timeframe, remember this is in the USA format.

# Set your date range
$startDate = "11/01/2024"
$endDate = "11/11/2024"

# Define transport rule operations to audit
$operations = @(
    "New-TransportRule",
    "Set-TransportRule",
    "Enable-TransportRule",
    "Disable-TransportRule",
    "Remove-TransportRule"
)

# Search the audit log and process the results
Search-UnifiedAuditLog -StartDate $startDate -EndDate $endDate -Operations $operations | 
ForEach-Object {
    $auditData = $_.AuditData | ConvertFrom-Json
    
    # Create custom object with desired properties
    [PSCustomObject]@{
        Timestamp = $_.CreationDate
        User = $auditData.UserId
        Operation = $auditData.Operation
        RuleName = $auditData.ObjectId
        Result = $auditData.ResultStatus
    }
} | Export-Csv -Path "TransportRuleChanges.csv" -NoTypeInformation
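As an added example that is not part of the original post, the script above can be extended to read the Parameters array that Exchange admin audit records carry inside AuditData, so the report shows which rule settings were set rather than only the rule name. The list of parameter names to highlight, the -ResultSize value and the sample record are this example's own assumptions, not from the post.

```powershell
# Added example (not from the original post): expand the Parameters array inside
# AuditData so the report shows which rule settings changed, not just the rule name.
# The parameter names highlighted below are this example's assumption about what a
# reviewer would want flagged (rules that copy or redirect mail, or delete it).
$watchParams = @('BlindCopyTo', 'RedirectMessageTo', 'CopyTo', 'AddToRecipients', 'DeleteMessage')

function Expand-TransportRuleAudit {
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        $a = $Record.AuditData | ConvertFrom-Json
        # Parameters is an array of {Name, Value} pairs describing the cmdlet call;
        # Identity is skipped because it only repeats the rule name.
        $changed = @()
        foreach ($p in $a.Parameters) {
            if ($p.Name -ne 'Identity') { $changed += "$($p.Name)=$($p.Value)" }
        }
        $flag = $a.Parameters | Where-Object { $watchParams -contains $_.Name }
        [PSCustomObject]@{
            Timestamp = $Record.CreationDate
            User      = $a.UserId
            Operation = $a.Operation
            RuleName  = $a.ObjectId
            Result    = $a.ResultStatus
            Changed   = ($changed -join '; ')
            Review    = [bool]$flag   # True when a watched parameter was touched
        }
    }
}

# Constructed sample record standing in for one Search-UnifiedAuditLog result,
# so the function can be tried offline before running it against the live log.
$sample = [PSCustomObject]@{
    CreationDate = '2024-11-05T09:12:00Z'
    AuditData    = '{"UserId":"admin@contoso.example","Operation":"Set-TransportRule","ObjectId":"External warning","ResultStatus":"True","Parameters":[{"Name":"Identity","Value":"External warning"},{"Name":"BlindCopyTo","Value":"mailbox@external.example"}]}'
}
$sample | Expand-TransportRuleAudit | Format-List

# Against the live log, pipe the real records through the same function. -ResultSize
# raises the default page size of 100 so a busy tenant is not silently cut short.
# Search-UnifiedAuditLog -StartDate $startDate -EndDate $endDate -Operations $operations -ResultSize 5000 |
#     Expand-TransportRuleAudit | Export-Csv -Path "TransportRuleChanges.csv" -NoTypeInformation
```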

That will give you a report like this, which now includes the "Rule Name" so you can see who has been changing which rules:


This gives you an overview of who changed which transport rule. If you want to dive into the data in more detail, you need to perform an "Audit Search" from this link here


Set the date range to the desired values then set the operation names as this string:

New-TransportRule,Set-TransportRule,Enable-TransportRule,Disable-TransportRule,Remove-TransportRule

That should look like this; when completed, hit search:


When the search is complete you should get the option to click on the "Completed" hyperlink as below:


This will then provide you with a clickable report where you can drill into the individual details from the portal.

