LEM can be used to forensically track suspicious activity. You can build filters or nDepth searches to locate a user account deleting emails from a specific Exchange mailbox.
Note: Exchange 2010+ has greater auditing possibilities.
This may not be possible; here is how to find out:
Using nDepth you will be able to narrow down your search and forensically isolate a particular user. You will need the relevant Windows event IDs (the ProviderSID field in LEM):
563 Object Open for Delete
564 Object Deleted
Start by checking for the above event IDs on the Detection IP for the Exchange server:
Any Alert.DetectionIP = 10.10.10.10 |-AND-| Any Alert.ProviderSID = 564
(10.10.10.10 is an example IP address.)
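As an added example that is not from the article or from SolarWinds, the same narrowing step in Python over a few constructed, LEM-style normalized records, taken one step further: each 564 (Object Deleted) is paired with the 563 (Object Open for Delete) on the same handle, because the 564 record itself does not carry the object name. DetectionIP and ProviderSID are the article's field names; SourceAccount, HandleID and ObjectName are assumed.

```python
"""Added example: reproduce the nDepth narrowing
   Any Alert.DetectionIP = 10.10.10.10 |-AND-| Any Alert.ProviderSID = 564
over constructed records, then pair 564 with 563 by handle to name the object.
SourceAccount, HandleID and ObjectName are assumed field names, not LEM's."""
from collections import Counter

EXCHANGE_IP = "10.10.10.10"          # example IP from the article
OPEN_FOR_DELETE, DELETED = 563, 564  # Windows 2003 security event IDs

# Constructed sample data, shaped like normalized LEM alerts.
EVENTS = [
    {"DetectionIP": "10.10.10.10", "ProviderSID": 563, "SourceAccount": "CORP\\jdoe",
     "HandleID": "0x3a8", "ObjectName": "\\Mailbox\\ceo\\Inbox\\Q3 forecast.eml"},
    {"DetectionIP": "10.10.10.10", "ProviderSID": 564, "SourceAccount": "CORP\\jdoe",
     "HandleID": "0x3a8"},
    {"DetectionIP": "10.10.10.10", "ProviderSID": 563, "SourceAccount": "CORP\\svc_backup",
     "HandleID": "0x3b0", "ObjectName": "\\Mailbox\\ceo\\Deleted Items\\old.eml"},
    {"DetectionIP": "10.10.10.10", "ProviderSID": 564, "SourceAccount": "CORP\\svc_backup",
     "HandleID": "0x3b0"},
    {"DetectionIP": "10.10.10.10", "ProviderSID": 564, "SourceAccount": "CORP\\jdoe",
     "HandleID": "0x3c1"},  # no matching 563: object name cannot be recovered
    {"DetectionIP": "10.10.10.20", "ProviderSID": 564, "SourceAccount": "CORP\\jdoe",
     "HandleID": "0x9f0"},  # different host: excluded by the DetectionIP clause
]

def ndepth_filter(events, detection_ip, provider_sid):
    """Equivalent of: Any Alert.DetectionIP = ip |-AND-| Any Alert.ProviderSID = sid."""
    return [e for e in events
            if e["DetectionIP"] == detection_ip and e["ProviderSID"] == provider_sid]

def deletions_by_account(events, detection_ip=EXCHANGE_IP):
    """First narrowing pass: how many 564 events each account produced on the host."""
    return Counter(e["SourceAccount"]
                   for e in ndepth_filter(events, detection_ip, DELETED))

def name_deleted_objects(events, detection_ip=EXCHANGE_IP):
    """Second pass: 564 lacks the object name; take it from the 563 with the same HandleID."""
    opened = {e["HandleID"]: e["ObjectName"]
              for e in ndepth_filter(events, detection_ip, OPEN_FOR_DELETE)}
    return [(e["SourceAccount"], opened.get(e["HandleID"], "<unknown: no 563 seen>"))
            for e in ndepth_filter(events, detection_ip, DELETED)]

if __name__ == "__main__":
    print(deletions_by_account(EVENTS))
    for account, obj in name_deleted_objects(EVENTS):
        print(f"{account} deleted {obj}")
```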
Other than that there is not much else you can do on Exchange 2003; mailbox auditing was not introduced until Exchange 2010.
You may see unexpected results associated with a particular user.
The process when building a specific filter is to narrow down the filter, recreate the issue, and narrow further. Generally the narrowing only has to be done twice unless there are many similar events.
The following documents provide guidelines on the filter and rule creation process.