Filter by Shared Mailbox, not user.


Hi All,

We had an instance in a Shared Mailbox where somebody (unknown) deleted a large number of emails. I'm trying to find a way to identify who the user was.

So far I can filter down to:
Activities: "MoveToDeletedItems, HardDelete, SoftDelete" 

App: "Microsoft Exchange Online"


This is where I get stuck: I'm now seeing this for all mailboxes and cannot find a way to specify the Shared Mailbox in question.

Can someone please filter on mailbox and not user? 

1 Reply

Mailbox auditing is not enabled by default for shared mailboxes, so you might simply not have any of those events. In any case, instead of using the CAS UI, run the Search-MailboxAuditLog cmdlet: https://docs.microsoft.com/en-us/powershell/module/exchange/policy-and-compliance-audit/search-mailb...
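
The approach suggested in the reply, as an added example that is not part of the original thread: check whether auditing covered the shared mailbox, then search its audit log for the three delete operations from the question and tally them by the account that performed them. The mailbox address, the 14-day window and the CSV file name are placeholders, and an Exchange Online PowerShell session is assumed to be connected already.

```powershell
# Added example (not from the thread). Placeholder values are marked below.
$Mailbox   = 'shared-mailbox@example.com'    # placeholder: the shared mailbox under investigation
$Start     = (Get-Date).AddDays(-14)         # assumed investigation window
$End       = Get-Date
$DeleteOps = 'MoveToDeletedItems', 'SoftDelete', 'HardDelete'

# 1. Confirm auditing was enabled and that delegate deletes are among the audited actions.
#    If it was off when the deletion happened, there are no events to find.
$cfg = Get-Mailbox -Identity $Mailbox |
    Select-Object AuditEnabled, AuditDelegate, AuditLogAgeLimit
$cfg | Format-List

if (-not $cfg.AuditEnabled) {
    Write-Warning "Mailbox auditing is disabled on $Mailbox; earlier deletions were not logged."
}
$missing = $DeleteOps | Where-Object { $cfg.AuditDelegate -notcontains $_ }
if ($missing) {
    Write-Warning "Delegate actions not audited on this mailbox: $($missing -join ', ')"
}

# 2. Search this one mailbox (not a user) and keep only the delete operations.
#    -ShowDetails returns one record per action, including who was logged on.
$entries = Search-MailboxAuditLog -Identity $Mailbox `
        -LogonTypes Owner, Delegate, Admin `
        -StartDate $Start -EndDate $End `
        -ShowDetails -ResultSize 10000 |
    Where-Object { $DeleteOps -contains $_.Operation }

# 3. Who deleted how much: the account behind a bulk deletion stands out in the count.
$entries |
    Group-Object LogonUserDisplayName |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# 4. Timeline of the deletions for the incident record.
$entries |
    Sort-Object LastAccessed |
    Select-Object LastAccessed, LogonUserDisplayName, LogonType, Operation,
                  FolderPathName, SourceItemSubjectsList |
    Export-Csv -Path .\shared-mailbox-deletes.csv -NoTypeInformation
```

If step 1 shows auditing was off, `Set-Mailbox -Identity $Mailbox -AuditEnabled $true` turns it on for future events only.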