This is a topic that still comes up when doing email investigations. After there has been an issue, we want to perform analysis to determine what may have happened and potentially why certain security controls did not act the way we expected.
With email one example would be around the audit information collected when an Exchange Online transport rule acts upon a message.
It is common to see that admins have removed the “Audit this rule with severity level” option. As noted above, this is not a new issue. If we consult Andrew Stobart’s archived blog, we can find his post Troubleshooting Transport Rules that are set to “Do not audit”. Yet another great blog that was cast into the abyss.
The option is indicated below by the wonderful pink arrow. Note that the option is selected by default when creating a new rule.
Note that the term Exchange Transport Rule (ETR) is commonly used to describe these rules.
In the test below, the ETR is set with the audit option enabled. The severity level is for your own use: you may deem a particular ETR to be critical and want it listed on the high priority report, but that is entirely up to you, as it exists to help with your administrative tasks.
When we perform a standard message trace, note that the message has been acted upon by the ETR.
There are two rules that acted upon the message and the entries are noted inside the red box.
If we expand the details, the names of the relevant rules are shown. In this lab the two rules that fired on this message are:
Stamp External Warning – Message Subject
Stamp External Warning – Message Body
If we disable the audit setting, again indicated by that pink arrow, note that this changes the troubleshooting information that is available to us.
If we run a standard message trace, note that there is no indication that a transport rule fired on this message.
All we see is that the message was received, then delivered. Nothing else.
If you remove the audit this rule setting from the ETR, then you will not see any information about actions the rule has taken in a standard message trace. You will be forced to run the detailed message trace, which takes considerably longer to complete.
Just leave the option enabled, unless you have a very specific reason for disabling it.
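As an added example that is not part of the original post, the following PowerShell lists the transport rules in a tenant whose audit option has been cleared (the SetAuditSeverity property reads DoNotAudit) and shows how to switch auditing back on with Set-TransportRule. It assumes the ExchangeOnlineManagement module and an existing Connect-ExchangeOnline session for the live commands; the sample rule objects are constructed so the function itself can be exercised without a tenant connection.

```powershell
# Added example, not from the original post.
# Finds Exchange Transport Rules (ETRs) whose "Audit this rule with severity
# level" option is turned off. Such rules leave no trace in a standard
# message trace, so an investigator cannot tell the rule fired.

function Find-UnauditedTransportRule {
    [CmdletBinding()]
    param(
        # Rule objects, normally piped in from Get-TransportRule
        [Parameter(Mandatory, ValueFromPipeline)] $Rule
    )
    process {
        # DoNotAudit is what the portal writes when the checkbox is cleared;
        # Low, Medium or High mean the rule is audited and shows up in the trace.
        if ($Rule.SetAuditSeverity -eq 'DoNotAudit') {
            [pscustomobject]@{
                Name     = $Rule.Name
                State    = $Rule.State
                Priority = $Rule.Priority
                Severity = $Rule.SetAuditSeverity
            }
        }
    }
}

# --- Offline check with constructed sample rules (not real tenant data) ---
$sampleRules = @(
    [pscustomobject]@{ Name = 'Stamp External Warning - Message Subject'; State = 'Enabled'; Priority = 0; SetAuditSeverity = 'Low' }
    [pscustomobject]@{ Name = 'Stamp External Warning - Message Body';    State = 'Enabled'; Priority = 1; SetAuditSeverity = 'DoNotAudit' }
)
$sampleRules | Find-UnauditedTransportRule | Format-Table -AutoSize

# --- Live tenant: report first, then restore auditing at Low severity ---
# Connect-ExchangeOnline
# $unaudited = Get-TransportRule -ResultSize Unlimited | Find-UnauditedTransportRule
# $unaudited | Format-Table -AutoSize
# Remove -WhatIf once the list has been reviewed.
# $unaudited | ForEach-Object { Set-TransportRule -Identity $_.Name -SetAuditSeverity Low -WhatIf }
```

Running the report on a schedule and alerting on any hit gives you an early warning that someone has switched a rule to “Do not audit”, rather than discovering it mid-investigation.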
Also in memory of Andrew’s blog – here is one of his trademark images: