Enterprise Vault™ Auditing

Last Published:
Product(s): Enterprise Vault (12.3)

Auditing general delete operations

Some data protection regulations, such as the European Union's General Data Protection Regulation (GDPR), include the "Right to be Forgotten". This regulation supports requests to delete personal information that no longer needs to be held in an organization's storage system. You can use Enterprise Vault auditing to provide evidence that the information has been deleted.

This section describes how you can set up Enterprise Vault to support requests to delete specific information in Enterprise Vault. Example searches show how you can retrieve the audit entries that provide evidence of the item delete operations. The examples in this section relate to general delete operations in Enterprise Vault.

A Privileged Delete feature is available in Discovery Accelerator. This feature allows administrators with special privileges to delete items to comply with data regulations. A similar feature is also available to third-party applications that use the Enterprise Vault API. Enterprise Vault audit entries for these operations identify that the delete operation was performed as part of data regulation compliance. For this reason, the SQL searches and results for privileged delete operations are slightly different from those for general delete operations.

See Auditing privileged delete operations.

Table: Steps to provide evidence of item deletion gives an example of the steps that you can take to provide audit database entries as evidence that specific data has been deleted from archives.

To facilitate searching, this example includes the use of the Enterprise Vault Classification feature. You can configure the Enterprise Vault classification feature to tag different types of information when it is archived. For example, Enterprise Vault classification can apply the tag, evtag.category:PII, to personally identifiable information (PII).

Table: Steps to provide evidence of item deletion



More information


Check that the site setting, Enable recovery of user deleted items, is not selected.

If "Right to be Forgotten" requests are likely, it is important that this site setting is not enabled. This ensures that items cannot be restored after the "Right to be Forgotten" request has been carried out.


Check that auditing is enabled, and the required audit categories are selected.

Enable Enterprise Vault auditing.

In the properties of the Enterprise Vault server, the auditing categories that need to be enabled for this example are Advanced Search and Delete. The summary level is sufficient for the Delete category.


Search for the items to delete.

In this example, we use Enterprise Vault Search to search an Exchange Mailbox archive for the data to delete.

Before performing the search, ensure that the administrator who performs the search has adequate permission on the user's archive to delete items.

The search entered is: 'evtag.category:PII'

The actual search performed by Enterprise Vault Search is:

'(NOT sens:2) AND (evtag.category:PII)'

This means that any items marked as 'Private' in Outlook are not returned in the search; Enterprise Vault Search does this filtering automatically.


Use Enterprise Vault Search to delete all returned results.

In the search policy, ensure that item deletion is enabled.

In Enterprise Vault Search, right-click the item to delete, and select Delete.


Repeat the same search in Enterprise Vault Search.

It is important to repeat the same search to show that the correct items were deleted.


Search for the delete operation entries in the audit database.

Extract the relevant part of the audit trail using suitable SQL queries. The search queries can be based on, for example, audit date, archive ID, and so on.

See Example query search for general item delete audit entries.

See Example query search for privileged delete audit entries.