6.1.3 Ensure mailbox auditing for E5 users is Enabled

Information

Mailbox audit logging is turned on by default in all organizations. Microsoft began this rollout in January 2019; it means that certain actions performed by mailbox owners, delegates, and admins are automatically logged. The corresponding mailbox audit records are available for admins to search in the mailbox audit log.

Mailboxes and shared mailboxes have actions assigned to them individually in order to audit the data the organization determines valuable at the mailbox level.

The recommended state is AuditEnabled to True on all user mailboxes along with additional audit actions beyond the Microsoft defaults.

Note: Due to some differences in defaults for audit actions this recommendation is specific to users assigned an E5 license, or auditing addon license, only.

Rationale:

Whether it is for regulatory compliance or for tracking unauthorized configuration changes in Microsoft 365, enabling mailbox auditing and ensuring the proper mailbox actions are accounted for allows for Microsoft 365 teams to run security operations, forensics or general investigations on mailbox activities.

The following mailbox types ignore the organizational default and must have AuditEnabled set to True at the mailbox level in order to capture relevant audit data.

Resource Mailboxes

Public Folder Mailboxes

DiscoverySearch Mailbox

NOTE: Without advanced auditing (E5 function) the logs are limited to 90 days.

Impact:

None - this is the default behavior.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To enable mailbox auditing for all user mailboxes using PowerShell:

Connect to Exchange Online using Connect-ExchangeOnline.

Run the following PowerShell script:

# Actions to record when an admin acts on the mailbox
$AuditAdmin = @(
'ApplyRecord', 'Copy', 'Create', 'FolderBind', 'HardDelete',
'MailItemsAccessed', 'Move', 'MoveToDeletedItems', 'SendAs',
'SendOnBehalf', 'Send', 'SoftDelete', 'Update', 'UpdateCalendarDelegation',
'UpdateFolderPermissions', 'UpdateInboxRules'
)

# Actions to record when a delegate acts on the mailbox
$AuditDelegate = @(
'ApplyRecord', 'Create', 'FolderBind', 'HardDelete', 'Move',
'MailItemsAccessed', 'MoveToDeletedItems', 'SendAs', 'SendOnBehalf',
'SoftDelete', 'Update', 'UpdateFolderPermissions', 'UpdateInboxRules'
)

# Actions to record when the mailbox owner acts on the mailbox
$AuditOwner = @(
'ApplyRecord', 'Create', 'HardDelete', 'MailboxLogin', 'Move',
'MailItemsAccessed', 'MoveToDeletedItems', 'Send', 'SoftDelete', 'Update',
'UpdateCalendarDelegation', 'UpdateFolderPermissions', 'UpdateInboxRules'
)

# Select user mailboxes only (resource, shared and other types are excluded here)
$MBX = Get-EXOMailbox -ResultSize Unlimited | Where-Object { $_.RecipientTypeDetails -eq 'UserMailbox' }
# Enable auditing, extend retention to 180 days and apply the action sets above
$MBX | Set-Mailbox -AuditEnabled $true `
-AuditLogAgeLimit 180 -AuditAdmin $AuditAdmin -AuditDelegate $AuditDelegate `
-AuditOwner $AuditOwner

Note: When running this script, mailboxes without an E5 or Azure Audit Premium license applied will generate an error, because they are not licensed for the additional actions that come by default with E5.
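Because Nessus does not perform this check, the following added example (not part of the benchmark or of Tenable's audit) reports which user mailboxes fall short of the recommended state: AuditEnabled, a 180-day AuditLogAgeLimit, and the three action sets from the solution script. It assumes an existing Connect-ExchangeOnline session and that all mailboxes in scope are E5-licensed.

```powershell
# Added compliance check for this benchmark item (assumes Connect-ExchangeOnline has been run).
# Required action sets are the ones from the solution script above.
$Required = @{
    AuditAdmin    = @('ApplyRecord','Copy','Create','FolderBind','HardDelete','MailItemsAccessed','Move',
                      'MoveToDeletedItems','SendAs','SendOnBehalf','Send','SoftDelete','Update',
                      'UpdateCalendarDelegation','UpdateFolderPermissions','UpdateInboxRules')
    AuditDelegate = @('ApplyRecord','Create','FolderBind','HardDelete','Move','MailItemsAccessed',
                      'MoveToDeletedItems','SendAs','SendOnBehalf','SoftDelete','Update',
                      'UpdateFolderPermissions','UpdateInboxRules')
    AuditOwner    = @('ApplyRecord','Create','HardDelete','MailboxLogin','Move','MailItemsAccessed',
                      'MoveToDeletedItems','Send','SoftDelete','Update','UpdateCalendarDelegation',
                      'UpdateFolderPermissions','UpdateInboxRules')
}
$MinAgeDays = 180

# Get-EXOMailbox returns a minimal property set unless the audit properties are requested explicitly.
$Results = Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox `
    -Properties AuditEnabled, AuditLogAgeLimit, AuditAdmin, AuditDelegate, AuditOwner |
  ForEach-Object {
    $mbx = $_
    $findings = @()

    if (-not $mbx.AuditEnabled) { $findings += 'AuditEnabled is False' }

    # AuditLogAgeLimit is returned as a timespan-like value such as "90.00:00:00"; parse it to compare days.
    $ageDays = [TimeSpan]::Parse("$($mbx.AuditLogAgeLimit)").Days
    if ($ageDays -lt $MinAgeDays) { $findings += "AuditLogAgeLimit is $ageDays days (< $MinAgeDays)" }

    # Compare each configured action set against the required list and report anything missing.
    foreach ($set in $Required.Keys) {
        $current = @($mbx.$set | ForEach-Object { "$_" })
        $missing = @($Required[$set] | Where-Object { $_ -notin $current })
        if ($missing.Count -gt 0) { $findings += "$set missing: $($missing -join ', ')" }
    }

    [pscustomobject]@{
        Mailbox   = $mbx.UserPrincipalName
        Compliant = ($findings.Count -eq 0)
        Findings  = ($findings -join '; ')
    }
  }

# Print only the mailboxes that need remediation; an empty table means all user mailboxes comply.
$Results | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

Pipe `$Results` to Export-Csv to keep the evidence alongside the rest of the audit run.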

Default Value:

AuditEnabled: True for all mailboxes except below:

Resource Mailboxes

Public Folder Mailboxes

DiscoverySearch Mailbox

AuditAdmin: ApplyRecord, Create, HardDelete, MailItemsAccessed, MoveToDeletedItems, Send, SendAs, SendOnBehalf, SoftDelete, Update, UpdateCalendarDelegation, UpdateFolderPermissions, UpdateInboxRules

AuditDelegate: ApplyRecord, Create, HardDelete, MailItemsAccessed, MoveToDeletedItems, SendAs, SendOnBehalf, SoftDelete, Update, UpdateFolderPermissions, UpdateInboxRules

AuditOwner: ApplyRecord, HardDelete, MailItemsAccessed, MoveToDeletedItems, Send, SoftDelete, Update, UpdateCalendarDelegation, UpdateFolderPermissions, UpdateInboxRules

See Also

https://workbench.cisecurity.org/benchmarks/12934

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-2, 800-53|AU-7, 800-53|AU-12, CSCv7|6.2

Plugin: microsoft_azure

Control ID: 811b84f7c5d9c71ccd48d4ff5c979e3cdf0fa2c2ab3622fc6336c712fdc6bc8b