106 Chapter 7 Security recommendationsIf you would like to monitor specific mailboxes:a. Select Selected.Result: The Add and Delete buttons are enabled.b. Type in a selected mailbox to be monitored.c. Click Add.Note: To remove a mailbox entry, highlight the entry andclick delete.5 Click Save to enable the changes.—End—Viewing the details for a specific event or return codeYou can click the Event in the System/Event Browser to open the Event CodeHelp. If the help does not automatically display the desired information, clickthe Index tab in the left pane of this help file and type the event or returncode as the keyword to find. The code is displayed in the index list, andwhen you click the code in the index list, the right pane refreshes to displaythe details for the specified event or return code.Monitoring internal and external activity by calling line IDWhen a call comes in to the system, CallPilot keeps track of the CLID, ifavailable. The CLID identifies a caller to the system. If you identify certainCLIDs as suspicious (possibly the number from which a hacker is calling in toyour system), you can use CallPilot Security Administration to monitor them.How to identify suspicious CLIDsYou might become suspicious of certain CLIDs under the followingconditions:• You receive an Excessive After-Hours Logons alert. This alert reportsthe mailbox number and caller DN (the CLID).• You run the Mailbox Call Session Summary report on mailboxes yoususpect are targets of hackers and notice calls repeatedly originatingfrom certain caller DNs.Notification of access by monitored CLIDsWhen thru-dial attempts are monitored, an alarm is generated whenever amonitored CLID gains access to the system and places an outgoing call.It does not matter how the call was transferred. All thru-dial activity thatoriginates from the monitored CLID generates an alarm.Nortel CallPilotAdministrator GuideNN44200-601 01.11 Standard5.0 9 November 2007Copyright © 2007, Nortel Networks.