Auditing Exchange Online Transport Rule Use

I recently came across a transport rule being unnecessarily used in Exchange Online. The transport rule in question was used for DLP, and encrypted messages based on the content. It searched message bodies for strings of characters matching credit card numbers, SSN’s, etc.  I was surprised to see that there was no way to easily audit transport rule usage with Powershell, so I checked the Exchange Control Panel. There is an option for auditing in each of the transport rules:

So, what does this checkbox actually do?

Enabling this checkbox will cause this rule to appear in Message Trace logs when it is applied to a message. 

Let’s look at an example:

Here we have a transport rule in Exchange Online that appends “Outbound” to the subject line of all messages sent to external recipients:

 

After sending a message to an external recipient, we can see the rule working:

Let’s take a look at the message trace:

We can see two entries in the message trace log. The first is for applying the transport rule, and the second entry is for setting the audit severity level. I haven’t found a good explanation of the audit severity levels, other than you can filter by them when doing a message trace.

If you know of any other use for the audit severity levels, leave a comment below!

Leave a Reply