6.1.1 Ensure 'AuditDisabled' organizationally is set to 'False'

Information

The value False indicates that mailbox auditing on by default is turned on for the organization. Mailbox auditing on by default in the organization overrides the mailbox auditing settings on individual mailboxes. For example, if mailbox auditing is turned off for a mailbox (the AuditEnabled property on the mailbox is False), the default mailbox actions are still audited for the mailbox, because mailbox auditing on by default is turned on for the organization.

Turning off mailbox auditing on by default ($true) has the following results:

Mailbox auditing is turned off for your organization.

From the time you turn off mailbox auditing on by default, no mailbox actions are audited, even if mailbox auditing is enabled on a mailbox (the AuditEnabled property on the mailbox is True).

Mailbox auditing isn't turned on for new mailboxes and setting the AuditEnabled property on a new or existing mailbox to True is ignored.

Any mailbox audit bypass association settings (configured by using the Set-MailboxAuditBypassAssociation cmdlet) are ignored.

Existing mailbox audit records are retained until the audit log age limit for the record expires.

The recommended state for this setting is False at the organization level. This will enable auditing and enforce the default.

Rationale:

Enforcing the default ensures auditing was not turned off intentionally or accidentally. Auditing mailbox actions will allow forensics and IR teams to trace various malicious activities that can generate TTPs caused by inbox access and tampering.

NOTE: Without advanced auditing (E5 function) the logs are limited to 90 days.

Impact:

None - this is the default behavior as of 2019.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Enable mailbox auditing at the organizational level:

Connect to Exchange Online using Connect-ExchangeOnline.

Run the following PowerShell command:

Set-OrganizationConfig -AuditDisabled $false

Default Value:

False

See Also

https://workbench.cisecurity.org/benchmarks/15279

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-2, 800-53|AU-7, 800-53|AU-12, CSCv7|6.2

Plugin: microsoft_azure

Control ID: 3870b2d94f8ce9a4911442e6e35e98376c74636ff6f865dd99c97bed4f7f735b