The archive search auditing and alerting features provide additional security and auditing options for administrative archive searches by enforcing a 'search reason' for each search. When enabled, any administrator attempting to run an archive search is required to enter a search reason before the search is executed. Search reasons are logged in the Message Search Logs, so that you can audit administrative searches and confirm they are being carried out in accordance with any company or regulatory policies in your organization.
The message search logs record the:
- Time the search was executed.
- Email address of the administrator who executed the search.
- Search source.
- Date filters.
- Search reason.
Where are Search Reasons Enforced?
An administrator attempting to run a search or view search results from the following areas is required to provide a search reason:
- Archive Search
- Saved Search
- Smart Tags
- File Archive tags
- Lync IM tags
- Exports of Saved Searches
- Exports of eDiscovery cases
- Viewing results of searches within eDiscovery cases
Enabling Search Auditing
To enable this feature, open the Administration | Account | Account Settings menu in the Administration Console, select System Notification Options, and enable the “Enforce Archive Search Reason” setting. This setting is only available to administrators assigned to the Super Administrator role.
If Privileged Access Notifications are enabled, the search reason will also be included in these notifications.
Viewing Message Search Logs
Message Search Logs are accessed in the Administration | Archive | Search Logs menu in the Administration Console.
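An enforced search reason is only useful for auditing if the text entered is meaningful. The following is an added example, not part of the product or its documentation, that reviews search log records for missing, placeholder or very short reasons and counts them per administrator. The CSV layout, column names, placeholder list and word threshold are assumptions; the sample rows are constructed from the fields listed above.

```python
import csv
import io
from collections import Counter

# Constructed sample rows; column names are assumed, not the product's export format.
SAMPLE_LOG = """time,admin,source,date_filters,reason
2024-03-01T09:12:00Z,alice@example.com,Archive Search,2024-01-01..2024-01-31,HR case 1182: review of harassment complaint
2024-03-01T09:40:00Z,bob@example.com,Saved Search,,test
2024-03-02T14:05:00Z,bob@example.com,Archive Search,2023-01-01..2024-03-02,asdf
2024-03-03T08:30:00Z,carol@example.com,Smart Tags,2024-02-01..2024-02-29,
2024-03-03T11:00:00Z,alice@example.com,Archive Search,2024-02-01..2024-02-15,Legal hold 77 discovery request
2024-03-04T10:00:00Z,bob@example.com,Archive Search,,Test
"""

# Assumed policy values: reasons treated as filler, and a minimum word count.
PLACEHOLDERS = {"test", "n/a", "na", "none", "asdf", "search", "x", "."}
MIN_WORDS = 3


def classify(reason):
    """Return a finding for a weak reason, or None if it looks acceptable."""
    text = reason.strip()
    if not text:
        return "missing"  # e.g. a search logged before enforcement was enabled
    if text.lower() in PLACEHOLDERS:
        return "placeholder"
    if len(text.split()) < MIN_WORDS:
        return "too_short"
    return None


def audit(log_text):
    """Return (findings, per-admin counts) for rows whose reason needs review."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        finding = classify(row["reason"] or "")
        if finding:
            findings.append((row["time"], row["admin"], row["source"], finding))
    per_admin = Counter(admin for _, admin, _, _ in findings)
    return findings, per_admin


if __name__ == "__main__":
    findings, per_admin = audit(SAMPLE_LOG)
    for time, admin, source, finding in findings:
        print(f"{time} {admin} [{source}] reason {finding}")
    for admin, count in per_admin.most_common():
        print(f"{admin}: {count} search(es) to review")
```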