cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Best way to find out what happened in a shared mailbox through the audit logs?

Steve Hernou
Iron Contributor

‎Mar 04 2019 04:17 AM

‎Mar 04 2019 04:17 AM

Best way to find out what happened in a shared mailbox through the audit logs?

Hi everyone

 

I have a case where someone claims several mails between Jan 1st and Febr 27th were not received into a specific shared mailbox.

 

I checked message trace and there I can find all of them with a state of 'delivered to Inbox'. 

 

Now I know that doesn't automatically mean 'well someone must have deleted them' so I need to find out what exactly happened to those mails after getting to the Inbox.

 

The fact that it's a shared mailbox (with 8 people having access) means I will have to look at audit logs of all 8 people but for such a long period of time, I fear if I just look for deleted/purged items for all 8 users, I am going to get a huge file which will be very difficult to sifle through.

 

The subject of the missing mails is always the same but haven't found an 'ItemSubject' variable I can use on EXO....

 

Any tips on how to best tackle this and next steps if audit log does not provide answers?

Labels:
3,183 Views
0 Likes
2 Replies
Reply
2 Replies
Vasil Michev

‎Mar 04 2019 06:54 AM

‎Mar 04 2019 06:54 AM

Re: Best way to find out what happened in a shared mailbox through the audit logs?

Auditing isn't enabled by default for shared mailboxes, so you might not get any information from there. I'd suggest doing a mailbox search or eDiscovery content search for the missing messages (both of these accept a subject query).

1 Like
Reply
Steve Hernou

‎Mar 05 2019 12:15 PM

‎Mar 05 2019 12:15 PM

Re: Best way to find out what happened in a shared mailbox through the audit logs?

Thanks Vasil. Mailbox search did the trick. They were effectively deleted but of course, nobody actually deleted them when you ask the people who have access to the shared mailbox :)

0 Likes
Reply