The Archive Search Auditing and Alerting features provide additional security and auditing options for administrative archive searches by enforcing a 'search reason' for each search. When enabled, any administrator attempting to run an archive search will be required to enter a search reason before the search is executed.
Search reasons are logged in the Message Search Logs so that you can audit administrative searches and confirm they are being carried out in accordance with any company or regulatory policies in your organization.
What information is logged?
The message search logs always record the time the search was executed, the email address of the administrator who executed the search, the search source, description, and date filters.
The search reason entered by the administrator is also logged for auditing purposes.
Where are search reasons enforced?
An administrator attempting to run a search or view search results from the following areas will be required to provide a search reason:
- Archive Search
- Saved Search
- Smart Tags
- File Archive tags
- Lync IM tags
- Exports of Saved Searches
- Exports of eDiscovery cases
- Viewing results of searches within eDiscovery cases
How to enable search auditing
This feature is enabled using the “Enforce Archive Search Reason” setting in the Administration Console: open the Administration | Account | Account Settings menu and then select System Notification Options. This setting is only available to administrators assigned to the Super Administrator role.
If Privileged Access Notifications are enabled, the search reason will also be included in these notifications.
How to view Message Search Logs
Message Search Logs are accessed in the Administration | Archive | Search Logs menu in the Administration Console.