Detections
Analytics
6.1.3 Ensure mailbox auditing for E5 users is Enabled
Warning! Audit Deprecated
This audit has been deprecated and will be removed in a future update.
View Next Audit VersionInformation
Mailbox audit logging is turned on by default in all organizations. This effort started in January 2019, and means that certain actions performed by mailbox owners, delegates, and admins are automatically logged. The corresponding mailbox audit records are available for admins to search in the mailbox audit log.Mailboxes and shared mailboxes have actions assigned to them individually in order to audit the data the organization determines valuable at the mailbox level.
The recommended state is AuditEnabled to True on all user mailboxes along with additional audit actions beyond the Microsoft defaults.
Note: Due to some differences in defaults for audit actions this recommendation is specific to users assigned an E5 license, or auditing addon license, only.
Rationale:
Whether it is for regulatory compliance or for tracking unauthorized configuration changes in Microsoft 365, enabling mailbox auditing and ensuring the proper mailbox actions are accounted for allows for Microsoft 365 teams to run security operations, forensics or general investigations on mailbox activities.
The following mailbox types ignore the organizational default and must have AuditEnabled set to True at the mailbox level in order to capture relevant audit data.
Resource Mailboxes
Public Folder Mailboxes
DiscoverySearch Mailbox
NOTE: Without advanced auditing (E5 function) the logs are limited to 90 days.
Impact:
None - this is the default behavior.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
To enable mailbox auditing for all user mailboxes using PowerShell:Connect to Exchange Online using Connect-ExchangeOnline.
Run the following PowerShell script:
$AuditAdmin = @(
'ApplyRecord', 'Copy', 'Create', 'FolderBind', 'HardDelete',
'MailItemsAccessed', 'Move', 'MoveToDeletedItems', 'SendAs',
'SendOnBehalf', 'Send', 'SoftDelete', 'Update', 'UpdateCalendarDelegation',
'UpdateFolderPermissions', 'UpdateInboxRules'
)
$AuditDelegate = @(
'ApplyRecord', 'Create', 'FolderBind', 'HardDelete', 'Move',
'MailItemsAccessed', 'MoveToDeletedItems', 'SendAs', 'SendOnBehalf',
'SoftDelete', 'Update', 'UpdateFolderPermissions', 'UpdateInboxRules'
)
$AuditOwner = @(
'ApplyRecord', 'Create', 'HardDelete', 'MailboxLogin', 'Move',
'MailItemsAccessed', 'MoveToDeletedItems', 'Send', 'SoftDelete', 'Update',
'UpdateCalendarDelegation', 'UpdateFolderPermissions', 'UpdateInboxRules'
)
$MBX = Get-EXOMailbox -ResultSize Unlimited | Where-Object { $_.RecipientTypeDetails -eq 'UserMailbox' }
$MBX | Set-Mailbox -AuditEnabled $true '
-AuditLogAgeLimit 180 -AuditAdmin $AuditAdmin -AuditDelegate $AuditDelegate '
-AuditOwner $AuditOwner
Note: When running this script mailboxes without an E5 or Azure Audit Premium license applied will generate an error as they are not licensed for the additional actions which come default with E5.
Default Value:
AuditEnabled: True for all mailboxes except below:
Resource Mailboxes
Public Folder Mailboxes
DiscoverySearch Mailbox
AuditAdmin: ApplyRecord, Create, HardDelete, MailItemsAccessed, MoveToDeletedItems, Send, SendAs, SendOnBehalf, SoftDelete, Update, UpdateCalendarDelegation, UpdateFolderPermissions, UpdateInboxRules
AuditDelegate: ApplyRecord, Create, HardDelete, MailItemsAccessed, MoveToDeletedItems, SendAs, SendOnBehalf, SoftDelete, Update, UpdateFolderPermissions, UpdateInboxRules
AuditOwner: ApplyRecord, HardDelete, MailItemsAccessed, MoveToDeletedItems, Send, SoftDelete, Update, UpdateCalendarDelegation, UpdateFolderPermissions, UpdateInboxRules
See Also
Item Details
Audit Name: CIS Microsoft 365 Foundations E5 L1 v3.0.0
References: CSCv7|6.2
Plugin: microsoft_azure
Control ID: fe089ea5f015e5093d70ab03e3e8a5c88db8393f88714164bbca790789cec93e