General
This check verifies whether mailbox audit logging is enabled at the organization (tenant) level in Exchange Online.
Rationale
Mailbox auditing records actions performed in mailboxes by owners, delegates and administrators, which allows forensic and incident response teams to trace malicious activity after an attack.
Note: without Advanced Auditing (an E5 feature), audit records are retained for only 90 days, so evidence older than that is lost unless it was exported in time.
Exchange Online has an organization-level setting called AuditDisabled. Since 2019 its default has been False (auditing on), but an administrator can change it. Setting it to True turns mailbox auditing off for the whole tenant, so actions within mailboxes can no longer be traced. If audit logging is disabled, this may indicate one of several scenarios:
- This Microsoft 365 tenant predates the 2019 change and auditing was never turned on
- The setting has been deliberately changed by an employee, with or without understanding the consequences
- An administrator's account has been compromised and the attacker is trying to hide their actions
In all cases it is crucial to verify who changed the setting and why, hence this alert.
Attic Fix
A fix is available for this check! It will be offered via a ticket in Attic, which you can then accept.
Manual Instruction
Follow these steps to adjust the setting using PowerShell:
- Connect to Exchange Online using Connect-ExchangeOnline
- Execute the following command:
Set-OrganizationConfig -AuditDisabled $false
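A fuller version of the steps above, as an added example that is not code from the original page or from Attic. It checks the current value, looks up who changed it before overwriting the evidence, remediates, verifies, and then lists two things the organization-level setting does not cover: accounts that bypass mailbox auditing, and the per-mailbox audit configuration. It assumes the ExchangeOnlineManagement module is installed, that the signed-in account has Exchange administrator and audit log search permissions, and that the 90-day search window matches the retention available in the tenant; the UPN is a placeholder.

```powershell
# Added example (not from the original page or from Attic).
# Assumptions: ExchangeOnlineManagement module installed; the account has Exchange
# admin and audit log search rights; admin@contoso.example is a placeholder UPN.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

# 1. Check the organization-level setting. $true means auditing is off tenant-wide.
$org = Get-OrganizationConfig
if ($org.AuditDisabled) {
    Write-Warning "Mailbox auditing is DISABLED at the organization level."

    # 2. Before changing anything, find out who set it. Set-OrganizationConfig calls
    #    are written to the unified audit log as ExchangeAdmin records. The 90-day
    #    window is an assumption; use whatever retention the tenant actually has.
    $changes = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) `
        -RecordType ExchangeAdmin -Operations 'Set-OrganizationConfig' -ResultSize 5000
    $changes |
        ForEach-Object { $_.AuditData | ConvertFrom-Json } |
        Where-Object { $_.Parameters.Name -contains 'AuditDisabled' } |
        Select-Object CreationTime, UserId, ClientIP,
            @{ n = 'AuditDisabled'; e = { ($_.Parameters | Where-Object Name -eq 'AuditDisabled').Value } } |
        Format-Table -AutoSize

    # 3. Remediate: turn mailbox auditing on by default again.
    Set-OrganizationConfig -AuditDisabled $false
}

# 4. Verify. OrganizationConfig changes can take a few minutes to propagate,
#    so re-run this part if it fails immediately after the change.
if ((Get-OrganizationConfig).AuditDisabled) {
    throw "AuditDisabled is still True; check propagation or a competing admin change."
}

# 5. AuditDisabled = False is necessary but not sufficient. Accounts with an audit
#    bypass association are never logged; every entry here needs a justification.
Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
    Where-Object { $_.AuditBypassEnabled } |
    Select-Object Name, AuditBypassEnabled

# 6. Spot-check per-mailbox settings: which action sets are audited and how long
#    the mailbox keeps its own audit records (AuditLogAgeLimit, 90 days by default).
Get-Mailbox -ResultSize 25 |
    Select-Object UserPrincipalName, AuditEnabled, AuditLogAgeLimit, DefaultAuditSet

Disconnect-ExchangeOnline -Confirm:$false
```

Run step 2 before step 3: the record of who disabled auditing is the most useful artifact for the compromised-administrator scenario in the rationale, and it is only retrievable while it is still within the audit log retention period.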
CIS Mapping
- CIS Item: 6.1.1 - Ensure 'AuditDisabled' organizationally is set to 'False'
- Profile: Level 1