Feb 14 2018 06:01 AM
Feb 14 2018 06:01 AM
I have a PowerShell script that gets run weekly early Monday morning that sends me an Excel report on the mailing rules and delegates. But I somehow am still getting no score on it (sometimes it counts it, sometimes it doesn't). In the description, it states that I can also look for the creation of rules through Audit Log Search. I cannot figure out what option to choose inside of the Security & Compliance Audit Log Search... Is there one?
Feb 14 2018 10:25 AM
Not sure what you mean by "score", perhaps you can share the script? Owner-created rules are not audited in Exchange Online btw.
Feb 14 2018 10:43 AM - edited Feb 14 2018 10:46 AM
One of the items you are supposed to check are "Review mailbox forwarding rules weekly". If you expand the option, the description says: "There are several ways you can do this, including simply reviewing the list of mail forwarding rules to external domains on all of your mailboxes using a PowerShell script, or by reviewing mail forwarding rule creation activity in the last week from the Audit Log Search." If you click on Learn More and click on the Review button, you are taken to this page: https://github.com/OfficeDev/O365-InvestigationTooling/blob/master/DumpDelegatesandForwardingRules.p... I have set up this in a schedule to run every Monday morning at 1am. It takes about 8 hours to run and I receive an email of the results. If it was successful, I am supposed to get a score of 5 points. I am now at 0 today for that review. I am curious how to search for newly created rules in mailboxes in the Audit Search.
May 18 2018 07:13 AM
The Mailbox Forwarding Rules does not seem to be working. I have a report that is run from a server and sent to me as an excel attachment that has the mailbox forwarding rules. What is the criteria for this to be considered as accomplished?
May 18 2018 08:00 AMSolution
May 21 2018 04:11 AM
@Aaron Myers wrote:
I think the only way you get the score on the security & compliance Secure Score page is by actually clicking on the link to go to the github page where the PS is located. They need to add in a way to check it off for use cases where we are already running the script.
That. Is. Asinine. So, it doesn't check if you actually have checked the forwarding rules, but if you have actually visited the page where the PowerShell script resides. Huh. I got credit doing that... Just wish they would change the verbiage stating that you can go to the Audit Logs and check on who created rules (which is not possible).