Auditing : Exchange Online Transport Rules

If you are looking as to investigate, why male transport rule has been updated and more importantly, by who at what time, which is handy when something has gone wrong and you need to figure out at what point it went wrong.

Note : Enable auditing should be enabled by setting the "Severity" to a value other than "Not audit" for them to appear in the audit log, if they are all set to no auditing, they are harder to find

The first place you would obviously want to look would be the audit log built into the exchange administration, if you are still hosting your exchange on-premises this is still a very good place to go to see who has changed what:

If, however, the majority of your mailboxes are with exchange online These audit logs are less than helpful, You can run an audit log on administrator, actions, but they will come from the w3wp Service and user, which is the default context for the IIS website running Exchange

however, that being said, as this is exchange online, you get other tools you can use at your disposal, first, I would recommend you start with the transport rules reporting details option, this can be found on the link below:

once you navigate to this website, you can take a look at all the rules that are defined as transport rules, and at some point you should see a spike in one of them On the chart

Then below the chart you will see the overview of all the mails and the transport rules, here is an exmaple of one of such rule:

Alternatively, if you know the name of the rule, you think has been changed, you can drill down into that particular male rule, and take a look at the graph for that, as below and the ref bxo shows when the error was made, and the green box shows when it was fised as its back to not blocking:

Once you have an idea of the particular rule set, you can then delve right into this command:

If you run the command without any syntax, you will get a gigantic list of every single operation performed that will not be manageable whatsoever


That then looks like this on the output:

If you know, roughly the date something was updated, then you can run this command:

Remember, power show commands are always in the USA date format, which means rather than the UK format of dd/mm/yyyy you will need to use the format yyyy/mm/dd

Search-AdminAuditLog -StartTime “2024-01-10” -EndTime “2024-01-15”

That output will still have all the operations you’re not particularly bothered about that have absolutely nothing to do with transport rules because this is the administrative audit log for all Office 365 Services.

You should be able to get the "cmdlet" you need to filter for from this step before you move on, I have highlighted below how I have found the "cmdlet" I need to target:

Now, we need to filter this log, furthermore, for only things related to Set-TransportRule which you can do with the command below:

If you are looking for transport rules being created, you will need to amend that Command below to use New-TransportRule, likewise, you may also need to use Modify-TransportRule

Search-AdminAuditLog -Cmdlet Set-TransportRule

When you run this, you will get the raw output that includes everything related to the rule that was updated and a load of other attributes you may not require, Now we have this we need to filter this to only show us the attributes we’re interested in and I’ve added a date range back in as an example:

Search-AdminAuditLog -Cmdlet Set-TransportRule -StartDate "2023-12-01" -EndDate "2024-01-27" | fl Caller,ObjectModified,RunDate 

Caller         :
ObjectModified : Block Mail - Malicious
RunDate        : 17/01/2024 22:00:46

Excellent,  now we’re getting somewhere, now we have a list of who asked for the update, what rule was modified and finally the date that request was applied.

Now like in Cluedo - you have the murderer, you have the murder weapon, and you have the time of the infraction - so you can now solve this conundrum.

Previous Post Next Post

Ω†Ω…ΩˆΨ°Ψ¬ Ψ§Ω„Ψ§ΨͺΨ΅Ψ§Ω„