| • | The Exchange subsystem is used for administration, searching and reporting on the Exchange events contained in the following facilities: | 
| • | The Microsoft 365 subsystem is used for administrators, searching and reporting on events contained in the following facilities: | 
| 2  | In the explorer view (left pane), expand the Shared | Built-in | All Events folder. | 
| 3  | Locate and double-click All Exchange Events. | 
| NOTE: To retrieve the Exchange events captured over the last 24 hours, use the All Exchange Events in the last 24 hours report under the Shared | Built-In | Recommended Best Practice | Exchange folder. | 
| 2  | 
| 3  | Click New to enable the Search Properties tabs across the bottom of the Searches page. | 
| 5  | On the What tab, expand Add and click Subsystem | Exchange to display the Add Exchange Container dialog. | 
| NOTE: You can use Add with Events | Subsystem | Exchange to search for an entity that already has an event associated with it in the database. | 
| • | All Exchange Objects - select to include all objects. (Default when Add is used.) | 
| • | This Object - select to include the selected objects only. (Default when Add With Events is used.) | 
| • | This Object and Child Objects Only - select to include the selected objects and its direct child objects. | 
| • | This Object and All Child Objects - select to include the selected objects and all subordinate objects (in all levels). | 
| • | Members of this group - select this option to show changes made to users in a specified group. Nested groups are not supported.  | 
| 7  | By default, All Actions is selected meaning that all the activity associated with the object generates an audited event. However, you can clear the All Actions option and select individual options. The options available are: | 
| • | All Actions - select to include when any of the following actions occur (Default) | 
| • | Add Attribute - select to include when an attribute is added | 
| • | Delete Attribute - select to include when an attribute is deleted | 
| • | Modify Attribute - select to include when an attribute is modified | 
| • | Rename Object - select to include when an object is renamed | 
| • | Add Object - select to include when an object is added | 
| • | Delete Object - select to include when an object is deleted | 
| • | Move Object - select to include when an object is moved | 
| • | Other - select to include other types of activity against the selected object | 
| 8  | By default, All Transports is selected indicating that all Exchange events regardless of the transport protocol used are included in the search. However, you can clear the All Transports option and select individual options. The transport options available are: | 
| • | All Transports - select to include Exchange events regardless of the transport protocol used (Default) | 
| • | All Transports - select to include LDAP operation or LDAP queries regardless of the transport protocol used (Default) | 
| • | SSL/TLS - select to include LDAP operation or LDAP queries that are secured using SSL or TLS technology | 
| • | Kerberos- select to include LDAP operation or LDAP queries that are signed using Kerberos-based encryption | 
| • | Simple Bind - select to include LDAP operation or LDAP queries that are secured using simple bind authentication (neither SSL\TLS or Kerberos used) | 
| • | Port - select to identify a specific port used for communication | 
| NOTE: When you clear the All Transports check box and select both the SSL/TLS and Kerberos check boxes, only AD queries using both of these transport protocols will be included in the search results. | 
| 9  | When a scope other than All Exchange Objects is selected, the directory object picker is enabled to select the objects to include in the search definition.  | 
| NOTE: Select the Exclude the Above Selection(s) check box if you want to search for changes to all Exchange containers except those listed in the ‘what’ list. | 
| NOTE: Select the Runtime Prompt check box on this dialog to prompt for an Exchange container every time the search is run.  | 
| 10  | After you have added all the Exchange containers to include in the search, click OK to save your selection and close the dialog. | 
| 2  | 
| 3  | Click New at the top of the Searches page to activate the Search Properties tabs across the bottom of the Searches page. | 
| 5  | 
| 6  | On the Add Exchange Container dialog, select the This Object scope. | 
| • | 
| • | Click Add to add the wildcard expression to the Selected Objects list box at the bottom of the dialog. | 
| 8  | After entering the wildcard expression to use, click OK to close the dialog and add the wildcard expression to the ‘What’ list. |