
Mailbox Auditing disabled [CHK-1067]

This check verifies if mailbox audit logging is enabled at a global level.

Rationale

Mailbox Auditing allows forensic and Incident Response teams to trace malicious activity in the event of an attack. Without Advanced Auditing (an E5 feature), the logs have a limited retention of 90 days. If Audit logging is disabled, it may indicate various scenarios:

  1. This Microsoft 365 tenant is old and existed before this setting was introduced as the default.
  2. The setting has been deliberately adjusted by an employee, with or without understanding the consequences.
  3. An administrator's account has been compromised and the attacker is attempting to hide their actions.

Fix

An automated fix is available through Attic. To fix it yourself:

  1. Connect to Exchange Online using Connect-ExchangeOnline.
  2. Execute the following command: Set-OrganizationConfig -AuditDisabled $false.
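
The manual fix with a before/after check, followed by a look at who changed the setting and which accounts bypass mailbox auditing. This is an added example, not Attic's automated fix; the 90-day search window and the shape of the AuditData "Parameters" field are assumptions noted in the comments.

```powershell
# Added example (not Attic's own code). Requires the ExchangeOnlineManagement
# module and an account allowed to run Set-OrganizationConfig.
Connect-ExchangeOnline

# 1. Record the current state before changing anything.
$before = (Get-OrganizationConfig).AuditDisabled
Write-Output "AuditDisabled before change: $before"

# 2. Apply the fix from the steps above only when it is needed.
if ($before) {
    Set-OrganizationConfig -AuditDisabled $false
}

# 3. Verify the result. The change can take a while to propagate,
#    so warn and re-check later instead of failing hard.
$after = (Get-OrganizationConfig).AuditDisabled
if ($after) {
    Write-Warning 'AuditDisabled still reads True; re-run Get-OrganizationConfig later.'
}

# 4. If auditing was disabled, look for the change in the unified audit log.
#    Assumptions: a 90-day window, and AuditData carrying a "Parameters"
#    array of Name/Value pairs for admin cmdlets. An empty result means the
#    change is older than the log retention or was never recorded.
if ($before) {
    $end   = Get-Date
    $start = $end.AddDays(-90)
    Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -Operations 'Set-OrganizationConfig' -ResultSize 5000 |
        ForEach-Object {
            $data  = $_.AuditData | ConvertFrom-Json
            $param = $data.Parameters | Where-Object Name -eq 'AuditDisabled'
            if ($param) {
                [pscustomobject]@{
                    Time          = $_.CreationDate
                    User          = $_.UserIds
                    AuditDisabled = $param.Value
                }
            }
        }
}

# 5. The organization-wide switch does not cover accounts configured to
#    bypass mailbox audit logging; list them for review.
Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
    Where-Object AuditBypassEnabled |
    Select-Object Name, AuditBypassEnabled
```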

Impact

Enabling auditing on mailboxes results in the logging of actions in a mailbox, such as the deletion of emails and the creation of rules.

More Information

CIS Mapping

  • CIS Item: 6.1.1 - Ensure 'AuditDisabled' organizationally is set to 'False'
  • Profile: Level 1