[THEME] Logging
The Logging theme ensures that audit logs are enabled and functioning in your Microsoft 365 environment. Logs are essential for detecting, investigating, and responding to suspicious or unwanted behavior.
What does Attic do?
Attic verifies that key logging features are active, since several important logs are not enabled by default in Microsoft 365.
The checks in this theme cover:
- The unified audit log is enabled and actively receiving events
- Mailbox audit logging is turned on for all mailboxes
- Audit bypass is not enabled on any mailboxes
- The AuditDisabled setting is not active at the organization level
- Required administrative roles are assigned for proper log access
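The first four settings in this list can also be read by hand from Exchange Online PowerShell. The script below is an added example, not Attic's own check logic. It assumes the ExchangeOnlineManagement module and an active `Connect-ExchangeOnline` session, and the function name `Get-M365AuditPosture` is hypothetical. The role check is left out because this page does not name the required roles.

```powershell
# Added example: reads the audit settings listed above from Exchange Online.
# Assumes an active Connect-ExchangeOnline session (ExchangeOnlineManagement module).
# Get-M365AuditPosture is a hypothetical name, not an Attic or Microsoft cmdlet.
function Get-M365AuditPosture {
    [CmdletBinding()]
    param(
        # How far back to look for evidence that events are still arriving.
        [int]$LookbackHours = 24
    )

    # Run this in Exchange Online PowerShell: in Security & Compliance
    # PowerShell, UnifiedAuditLogIngestionEnabled always reads False.
    $adminCfg = Get-AdminAuditLogConfig
    $orgCfg   = Get-OrganizationConfig

    # One recent record is enough to show the unified audit log receives events.
    $end    = (Get-Date).ToUniversalTime()
    $recent = Search-UnifiedAuditLog -StartDate $end.AddHours(-$LookbackHours) `
                                     -EndDate $end -ResultSize 1

    # Accounts whose mailbox actions are excluded from mailbox audit logging.
    $bypass = @(Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
        Where-Object { $_.AuditBypassEnabled })

    # Mailboxes with the per-mailbox flag off. Organization-level default
    # auditing does not flip this flag, so read it together with OrgAuditDisabled.
    $unaudited = @(Get-Mailbox -ResultSize Unlimited |
        Where-Object { -not $_.AuditEnabled })

    [pscustomobject]@{
        UnifiedAuditLogEnabled   = [bool]$adminCfg.UnifiedAuditLogIngestionEnabled
        RecentEventsFound        = [bool]$recent
        OrgAuditDisabled         = [bool]$orgCfg.AuditDisabled
        BypassAccounts           = $bypass.Name
        MailboxesAuditNotEnabled = $unaudited.UserPrincipalName
    }
}

$posture = Get-M365AuditPosture
$posture | Format-List

# Report findings in the same terms as the list above.
if (-not $posture.UnifiedAuditLogEnabled) { Write-Warning 'Unified audit log is not enabled.' }
if (-not $posture.RecentEventsFound)      { Write-Warning 'No audit events found in the lookback window.' }
if ($posture.OrgAuditDisabled)            { Write-Warning 'AuditDisabled is active at the organization level.' }
if ($posture.BypassAccounts)              { Write-Warning "Audit bypass enabled for: $($posture.BypassAccounts -join ', ')" }
if ($posture.MailboxesAuditNotEnabled)    { Write-Warning "$(@($posture.MailboxesAuditNotEnabled).Count) mailbox(es) have AuditEnabled set to False." }
```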
Why is this important?
Without proper logging, security incidents cannot be detected or investigated. If a breach occurs, logs provide the evidence trail needed to understand what happened, which accounts were affected, and what data was accessed. Enabling logs proactively is far more effective than trying to reconstruct events after the fact.
Checks in this theme
| ID | Check |
|---|---|
| CHK-1001 | Audit logging works |
| CHK-1002 | Microsoft 365 Auditlogs |
| CHK-1003 | Mailbox auditing |
| CHK-1055 | Mailbox auditing bypass |
| CHK-1067 | Mailbox auditing |
| CHK-1113 | Missing Roles |