6.1.2 (L1) Ensure mailbox auditing for E3 users is Enabled

Information

Mailbox audit logging is turned on by default in all organizations. This effort started in January 2019, and means that certain actions performed by mailbox owners, delegates, and admins are automatically logged. The corresponding mailbox audit records are available for admins to search in the mailbox audit log.

Mailboxes and shared mailboxes have actions assigned to them individually in order to audit the data the organization determines valuable at the mailbox level.

The recommended state is AuditEnabled to True on all user mailboxes along with additional audit actions beyond the Microsoft defaults.

Note: Due to some differences in the default audit actions, this recommendation is specific to users assigned an E3 license only.

Whether the goal is regulatory compliance or tracking unauthorized configuration changes in Microsoft 365, enabling mailbox auditing and ensuring the proper mailbox actions are captured allows Microsoft 365 teams to run security operations, forensics, or general investigations on mailbox activities.

The following mailbox types ignore the organizational default and must have AuditEnabled set to True at the mailbox level in order to capture relevant audit data:

- Resource Mailboxes
- Public Folder Mailboxes
- DiscoverySearch Mailbox

Note: Without advanced auditing (E5 function) the logs are limited to 90 days.

Solution

To remediate using PowerShell:

- Connect to Exchange Online using Connect-ExchangeOnline
- Run the following PowerShell script:

# Actions to log when an admin acts on the mailbox
$AuditAdmin = @(
"ApplyRecord", "Copy", "Create", "FolderBind", "HardDelete", "Move",
"MoveToDeletedItems", "SendAs", "SendOnBehalf", "SoftDelete", "Update",
"UpdateCalendarDelegation", "UpdateFolderPermissions", "UpdateInboxRules"
)

# Actions to log when a delegate acts on the mailbox
$AuditDelegate = @(
"ApplyRecord", "Create", "FolderBind", "HardDelete", "Move",
"MoveToDeletedItems", "SendAs", "SendOnBehalf", "SoftDelete", "Update",
"UpdateFolderPermissions", "UpdateInboxRules"
)

# Actions to log when the mailbox owner acts on the mailbox
$AuditOwner = @(
"ApplyRecord", "Create", "HardDelete", "MailboxLogin", "Move",
"MoveToDeletedItems", "SoftDelete", "Update", "UpdateCalendarDelegation",
"UpdateFolderPermissions", "UpdateInboxRules"
)

# Select user mailboxes only (resource, shared and other mailbox types are out of scope here)
$MBX = Get-EXOMailbox -ResultSize Unlimited | Where-Object { $_.RecipientTypeDetails -eq "UserMailbox" }

# Enable auditing, keep 90 days of records (the limit without E5 advanced auditing) and apply the action sets
$MBX | Set-Mailbox -AuditEnabled $true `
-AuditLogAgeLimit 90 -AuditAdmin $AuditAdmin -AuditDelegate $AuditDelegate `
-AuditOwner $AuditOwner
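The remediation above sets the recommended state but does not show how to verify it afterwards. The following PowerShell is an added example, not code from the Tenable or CIS page: it compares each user mailbox's audit configuration against the three action sets listed above and reports what is missing. The function Test-MailboxAuditConfig and the sample mailbox object are constructed for this example; the live query assumes the ExchangeOnlineManagement module is loaded and Connect-ExchangeOnline has already been run. Scoping the result to E3-licensed users is left to the operator, since Get-EXOMailbox does not expose license data.

```powershell
# Added check example (not part of the original page). Compares user mailboxes
# against the recommended audit state: AuditEnabled = True plus the admin,
# delegate and owner action sets from the remediation script.

$ExpectedAudit = @{
    AuditAdmin = @(
        "ApplyRecord", "Copy", "Create", "FolderBind", "HardDelete", "Move",
        "MoveToDeletedItems", "SendAs", "SendOnBehalf", "SoftDelete", "Update",
        "UpdateCalendarDelegation", "UpdateFolderPermissions", "UpdateInboxRules"
    )
    AuditDelegate = @(
        "ApplyRecord", "Create", "FolderBind", "HardDelete", "Move",
        "MoveToDeletedItems", "SendAs", "SendOnBehalf", "SoftDelete", "Update",
        "UpdateFolderPermissions", "UpdateInboxRules"
    )
    AuditOwner = @(
        "ApplyRecord", "Create", "HardDelete", "MailboxLogin", "Move",
        "MoveToDeletedItems", "SoftDelete", "Update", "UpdateCalendarDelegation",
        "UpdateFolderPermissions", "UpdateInboxRules"
    )
}

function Test-MailboxAuditConfig {
    # Hypothetical helper: evaluates one mailbox object (anything exposing
    # UserPrincipalName, AuditEnabled, AuditAdmin, AuditDelegate, AuditOwner)
    # and returns a finding. Compliant is $true only when auditing is on and
    # no expected action is missing from any of the three sets.
    param(
        [Parameter(Mandatory)] $Mailbox,
        [hashtable] $Expected = $ExpectedAudit
    )
    $missing = [ordered]@{}
    foreach ($set in $Expected.Keys) {
        # Exchange returns a MultiValuedProperty; normalise to plain strings
        $actual = @($Mailbox.$set | ForEach-Object { "$_" })
        $gap = @($Expected[$set] | Where-Object { $actual -notcontains $_ })
        if ($gap.Count -gt 0) { $missing[$set] = $gap }
    }
    [pscustomobject]@{
        Mailbox        = $Mailbox.UserPrincipalName
        AuditEnabled   = [bool]$Mailbox.AuditEnabled
        MissingActions = $missing
        Compliant      = ([bool]$Mailbox.AuditEnabled -and $missing.Count -eq 0)
    }
}

function Get-NonCompliantMailboxAudit {
    # Live check against the tenant; run after Connect-ExchangeOnline.
    # The audit properties are not in Get-EXOMailbox's minimal property set,
    # so they have to be requested explicitly with -Properties.
    Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox `
        -Properties AuditEnabled, AuditAdmin, AuditDelegate, AuditOwner |
        ForEach-Object { Test-MailboxAuditConfig -Mailbox $_ } |
        Where-Object { -not $_.Compliant }
}

# Constructed sample (no tenant needed): auditing is on, but the delegate set
# lacks UpdateInboxRules and the owner set lacks MailboxLogin, so the finding
# reports Compliant = False with those two gaps.
$sample = [pscustomobject]@{
    UserPrincipalName = "user@example.com"
    AuditEnabled      = $true
    AuditAdmin        = $ExpectedAudit.AuditAdmin
    AuditDelegate     = @($ExpectedAudit.AuditDelegate | Where-Object { $_ -ne "UpdateInboxRules" })
    AuditOwner        = @($ExpectedAudit.AuditOwner | Where-Object { $_ -ne "MailboxLogin" })
}
Test-MailboxAuditConfig -Mailbox $sample | Format-List
```

Running Get-NonCompliantMailboxAudit after connecting lists only the mailboxes that need the remediation script applied; an empty result means every user mailbox already matches the recommended state. Because the comparison is done per action set, the output also shows which set drifted, which is the detail an auditor needs when a mailbox has AuditEnabled set but was configured with only the Microsoft default actions.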

Impact:

None - this is the default behavior.

See Also

https://workbench.cisecurity.org/benchmarks/17682

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-2, 800-53|AU-7, 800-53|AU-12, CSCv7|6.2

Plugin: microsoft_azure

Control ID: f1aff90c2886fda0c16f593ed922e82f0393829af9b4cd427668105f2d4986ed