We're trying to investigate a customer incident were, someone (massively) deleted emails from a folder under "Policy, Virus and Outbreak Quarantines", and the customer needs to know who actually did it !
To the best of my knowledge, this is not a config change action that would require a 'commit' so this cannot be used as an indicator.
From http and other logs we've found that, at the time, two users were logged-in the system but cannot tell which one performed the deletion. We can see the log entry for the deletion itself but, it does not capture the user that did it.
Does anyone have a way to drill-down to this info ?