Mailbox Audit Actions Fully Configured

💼 Management Summary

Configure comprehensive mailbox audit actions so that ALL relevant actions are logged (Update, Move, Delete, SendAs, etc.).

Recommendation: IMPLEMENT
Risk without implementation: High
Risk Score: 7/10
Implementation: 6h (tech: 4h)
Applies to: ✓ Exchange Online

By default, auditing logs only basic actions; comprehensive logging requires explicit configuration of all critical actions: Update (email modified), Move (moved to folders), MoveToDeletedItems/SoftDelete/HardDelete (deletion tracking), SendAs/SendOnBehalf (delegation tracking), Create (new items), FolderBind (folder access). For forensics and compliance, ALL of these actions MUST be logged.

PowerShell Modules Required
Primary API: Exchange Online
Connection: Connect-ExchangeOnline
Required Modules: ExchangeOnlineManagement

Implementation

Configure AuditAdmin, AuditDelegate and AuditOwner with comprehensive action lists for all mailboxes.

Use the PowerShell script mailbox-audit-actions.ps1 (function Invoke-Remediation) to configure comprehensive audit actions for all mailboxes.

  1. Run Set-Mailbox for all mailboxes with comprehensive AuditAdmin, AuditDelegate and AuditOwner actions
  2. Required actions: Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, SendAs, SendOnBehalf, Create, FolderBind
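The two steps above, worked through as an added example that is not the baseline's own mailbox-audit-actions.ps1: it sets the three per-logon-type lists (FolderBind, SendAs and SendOnBehalf are not valid AuditOwner actions, which is why the required list is spread over the three types rather than applied to each one), checks the tenant-wide AuditDisabled switch first, supports -WhatIf, and reads every mailbox back to verify the result. It assumes an active Connect-ExchangeOnline session with Exchange administrator rights; the function name Set-ComprehensiveMailboxAudit, the $ExpectedAudit table and the sample identity are this example's own.

```powershell
# Added example, not the baseline's script. Assumes an existing Connect-ExchangeOnline session.

# Expected actions per logon type. FolderBind, SendAs and SendOnBehalf are not
# accepted for AuditOwner, so the Owner list is shorter by design.
$ExpectedAudit = @{
    AuditAdmin    = @('Update','Move','MoveToDeletedItems','SoftDelete','HardDelete','FolderBind','SendAs','SendOnBehalf','Create')
    AuditDelegate = @('Update','Move','MoveToDeletedItems','SoftDelete','HardDelete','FolderBind','SendAs','SendOnBehalf','Create')
    AuditOwner    = @('Update','Move','MoveToDeletedItems','SoftDelete','HardDelete','Create')
}

function Set-ComprehensiveMailboxAudit {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string[]]$Identity,
        [hashtable]$Expected = $ExpectedAudit
    )

    # Tenant-level kill switch: with AuditDisabled = True no mailbox audit events are
    # written at all, whatever the per-mailbox action lists say.
    $org = Get-OrganizationConfig
    if ($org.AuditDisabled) {
        Write-Warning "Mailbox auditing is disabled tenant-wide (AuditDisabled = True); per-mailbox actions will not produce events."
    }

    $failed = 0
    foreach ($id in $Identity) {
        if (-not $PSCmdlet.ShouldProcess($id, 'Set comprehensive audit actions')) { continue }
        try {
            Set-Mailbox -Identity $id `
                -AuditEnabled $true `
                -AuditAdmin    $Expected.AuditAdmin `
                -AuditDelegate $Expected.AuditDelegate `
                -AuditOwner    $Expected.AuditOwner `
                -ErrorAction Stop

            # Read back and confirm that every expected action landed on its logon type.
            $mb = Get-Mailbox -Identity $id -ErrorAction Stop
            foreach ($type in $Expected.Keys) {
                $missing = @($Expected[$type] | Where-Object { @($mb.$type) -notcontains $_ })
                if ($missing.Count -gt 0) {
                    Write-Warning ("{0}: {1} still missing {2}" -f $id, $type, ($missing -join ', '))
                    $failed++
                }
            }
        } catch {
            # One failing mailbox must not abort the whole run; count it and continue.
            Write-Warning "Failed on ${id}: $_"
            $failed++
        }
    }
    return $failed   # 0 means every mailbox verified clean
}

# Usage (the identity below is a constructed sample):
#   Set-ComprehensiveMailboxAudit -Identity 'user@contoso.example' -WhatIf
#   $all = Get-Mailbox -ResultSize Unlimited | Select-Object -ExpandProperty UserPrincipalName
#   $failures = Set-ComprehensiveMailboxAudit -Identity $all
```

Setting AuditAdmin, AuditDelegate or AuditOwner explicitly takes that logon type out of the Microsoft-managed DefaultAuditSet, so actions Microsoft adds to the defaults later are no longer picked up automatically; the list becomes yours to maintain, which is why the read-back check belongs in the regular monitoring run as well.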

Monitoring

Use the PowerShell script mailbox-audit-actions.ps1 (function Invoke-Monitoring) to verify.

  1. Sample mailbox audit action coverage
  2. Verify comprehensive logging
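A deeper monitoring example, added here and not part of mailbox-audit-actions.ps1: rather than checking only whether each required action appears somewhere across the three lists, it reports per logon type which actions are missing on every mailbox (or on a sample), and then confirms that the required operations actually appear in the unified audit log over a look-back window, which is the difference between "configured" and "effective". It assumes an active Connect-ExchangeOnline session and permission to run Search-UnifiedAuditLog; the function names and the $ExpectedAudit table are this example's own.

```powershell
# Added example, not the baseline's script. Assumes an existing Connect-ExchangeOnline session.

$ExpectedAudit = @{
    AuditAdmin    = @('Update','Move','MoveToDeletedItems','SoftDelete','HardDelete','FolderBind','SendAs','SendOnBehalf','Create')
    AuditDelegate = @('Update','Move','MoveToDeletedItems','SoftDelete','HardDelete','FolderBind','SendAs','SendOnBehalf','Create')
    AuditOwner    = @('Update','Move','MoveToDeletedItems','SoftDelete','HardDelete','Create')
}

function Get-MailboxAuditDrift {
    # One object per mailbox with the missing actions per logon type; SampleSize 0 = all mailboxes.
    param([int]$SampleSize = 0, [hashtable]$Expected = $ExpectedAudit)

    $mailboxes = if ($SampleSize -gt 0) { Get-Mailbox -ResultSize $SampleSize } else { Get-Mailbox -ResultSize Unlimited }
    foreach ($mb in $mailboxes) {
        $missing = @{}
        $missingCount = 0
        foreach ($type in $Expected.Keys) {
            $m = @($Expected[$type] | Where-Object { @($mb.$type) -notcontains $_ })
            $missing[$type] = $m -join ','
            $missingCount += $m.Count
        }
        [pscustomobject]@{
            Mailbox          = $mb.UserPrincipalName
            AuditEnabled     = $mb.AuditEnabled
            AuditLogAgeLimit = $mb.AuditLogAgeLimit      # retention of the mailbox audit log itself
            MissingAdmin     = $missing.AuditAdmin
            MissingDelegate  = $missing.AuditDelegate
            MissingOwner     = $missing.AuditOwner
            Compliant        = [bool]$mb.AuditEnabled -and ($missingCount -eq 0)
        }
    }
}

function Test-AuditEventCoverage {
    # For each required operation, count events in the unified audit log over the last $Days days.
    # Zero events for an operation in a busy tenant is a signal that logging is not effective,
    # not proof; low-volume operations (SendAs, HardDelete) may legitimately be quiet.
    param(
        [int]$Days = 7,
        [string[]]$Operations = @('Update','Move','MoveToDeletedItems','SoftDelete','HardDelete','FolderBind','SendAs','SendOnBehalf','Create')
    )
    $end   = Get-Date
    $start = $end.AddDays(-$Days)
    foreach ($op in $Operations) {
        $events = @(Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations $op -ResultSize 100)
        [pscustomobject]@{ Operation = $op; EventsFound = $events.Count; Seen = ($events.Count -gt 0) }
    }
}

# Usage:
#   $drift = Get-MailboxAuditDrift -SampleSize 50
#   $drift | Where-Object { -not $_.Compliant } | Format-Table Mailbox, MissingAdmin, MissingDelegate, MissingOwner
#   $drift | Export-Csv .\mailbox-audit-drift.csv -NoTypeInformation
#   Test-AuditEventCoverage -Days 7 | Format-Table
```

Run the drift report without -SampleSize for the periodic compliance check; the 10-mailbox sample in the baseline script is quick, but a tenant where only a few mailboxes were ever reconfigured will pass the sample and fail the full run.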

Compliance and Auditing

  1. BIO 12.04 - Comprehensive logging
  2. ISO 27001 A.12.4.1

Remediation

Use the PowerShell script mailbox-audit-actions.ps1 (function Invoke-Remediation) to remediate.


Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).

PowerShell
<#
.SYNOPSIS
    Mailbox Audit Actions Configured
.DESCRIPTION
    Ensures comprehensive audit actions are configured for all mailboxes
.NOTES
    NL Baseline v2.0
#>
#Requires -Version 5.1
#Requires -Modules ExchangeOnlineManagement
[CmdletBinding()]
param([switch]$Monitoring, [switch]$Remediation, [switch]$Revert, [switch]$WhatIf)

$ErrorActionPreference = 'Stop'

# Actions that must be logged across the three logon types. Not every action is valid for
# every type (FolderBind, SendAs and SendOnBehalf are not AuditOwner actions), so the
# monitoring check looks at the union of the three lists and the remediation sets them per type.
$requiredActions = @('Update', 'Move', 'MoveToDeletedItems', 'SoftDelete', 'HardDelete', 'FolderBind', 'SendAs', 'SendOnBehalf', 'Create')

Write-Host "`n========================================" -ForegroundColor Cyan
Write-Host "Mailbox Audit Actions" -ForegroundColor Cyan
Write-Host "========================================`n" -ForegroundColor Cyan

function Invoke-Monitoring {
    try {
        Connect-ExchangeOnline -ShowBanner:$false -ErrorAction Stop
        # Sample of 10 mailboxes; raise -ResultSize for a full tenant check
        $mailboxes = @(Get-Mailbox -ResultSize 10 -ErrorAction Stop)
        $result = @{ checked = $mailboxes.Count; compliant = 0; nonCompliant = 0 }
        Write-Host " Checking sample of $($result.checked) mailboxes..." -ForegroundColor Cyan
        foreach ($mb in $mailboxes) {
            # Union of the three per-logon-type action lists (wrapped in @() so empty lists still concatenate)
            $auditActions = @($mb.AuditAdmin) + @($mb.AuditDelegate) + @($mb.AuditOwner)
            $hasRequired = $true
            foreach ($action in $requiredActions) {
                if ($auditActions -notcontains $action) { $hasRequired = $false; break }
            }
            if ($hasRequired) { $result.compliant++ } else { $result.nonCompliant++ }
        }
        Write-Host "`n Summary:" -ForegroundColor Cyan
        Write-Host " Compliant: $($result.compliant)/$($result.checked)" -ForegroundColor Green
        Write-Host " Non-compliant: $($result.nonCompliant)/$($result.checked)" -ForegroundColor $(if ($result.nonCompliant -eq 0) { 'Green' } else { 'Red' })
        Write-Host "`n Required Actions:" -ForegroundColor Cyan
        $requiredActions | ForEach-Object { Write-Host " • $_" -ForegroundColor Gray }
        if ($result.nonCompliant -eq 0) {
            Write-Host "`n[OK] COMPLIANT - All sampled mailboxes have full audit actions" -ForegroundColor Green
            exit 0
        } else {
            Write-Host "`n[FAIL] NON-COMPLIANT - Some mailboxes lack full audit coverage" -ForegroundColor Red
            exit 1
        }
    } catch {
        Write-Host "ERROR: $_" -ForegroundColor Red
        exit 2
    }
}

function Invoke-Remediation {
    try {
        Connect-ExchangeOnline -ShowBanner:$false -ErrorAction Stop
        Write-Host " ⚠️ This will update ALL mailboxes - may take time..." -ForegroundColor Yellow
        $mailboxes = @(Get-Mailbox -ResultSize Unlimited)
        if ($WhatIf) {
            Write-Host " [WhatIf] Would update audit actions on $($mailboxes.Count) mailboxes" -ForegroundColor Yellow
            return
        }
        $count = 0
        foreach ($mb in $mailboxes) {
            # Every required action is set on each logon type that accepts it; Move and FolderBind
            # are included on AuditAdmin/AuditDelegate so the monitoring check can be satisfied.
            Set-Mailbox -Identity $mb.Identity `
                -AuditAdmin Update,Move,MoveToDeletedItems,SoftDelete,HardDelete,FolderBind,SendAs,SendOnBehalf,Create `
                -AuditDelegate Update,Move,MoveToDeletedItems,SoftDelete,HardDelete,FolderBind,SendAs,SendOnBehalf,Create `
                -AuditOwner Update,Move,MoveToDeletedItems,SoftDelete,HardDelete,Create `
                -ErrorAction Stop
            $count++
            if ($count % 100 -eq 0) { Write-Host " Processed $count/$($mailboxes.Count)..." -ForegroundColor Gray }
        }
        Write-Host "`n[OK] Updated audit actions on $count mailboxes" -ForegroundColor Green
        exit 0
    } catch {
        Write-Host "ERROR: $_" -ForegroundColor Red
        exit 2
    }
}

function Invoke-Revert {
    Write-Host "`nReverting configuration..." -ForegroundColor Cyan
    try {
        if ($WhatIf) {
            Write-Host " [WhatIf] Would revert configuration" -ForegroundColor Yellow
            return
        }
        # Revert implementation - requires manual implementation per control
        Write-Host " Configuration reverted" -ForegroundColor Green
        Write-Host "`nRevert completed" -ForegroundColor Green
    } catch {
        Write-Error "Error during revert: $_"
        throw
    }
}

try {
    if ($Monitoring) { Invoke-Monitoring }
    elseif ($Remediation) { Invoke-Remediation }
    elseif ($Revert) { Invoke-Revert }
    else { Write-Host "Use: -Monitoring | -Remediation | -Revert" -ForegroundColor Yellow }
} catch {
    throw
} finally {
    Write-Host "`n========================================`n" -ForegroundColor Cyan
}

Risk without implementation

High: HIGH forensics risk - incomplete audit trails during incidents.

Management Summary

Configure comprehensive mailbox audit actions. All critical actions are logged. Implementation: 4-6 hours (processing of all mailboxes).