Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Exchange AuditLog disabled

Back
Id194dd92e-d6e7-4249-85a5-273350a7f5ce
RulenameExchange AuditLog disabled
DescriptionIdentifies when the exchange audit logging has been disabled which may be an adversary attempt

to evade detection or avoid other defenses.
SeverityMedium
TacticsDefenseEvasion
TechniquesT1562
Required data connectorsOffice365
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft 365/Analytic Rules/exchange_auditlogdisabled.yaml
Version2.0.1
Arm template194dd92e-d6e7-4249-85a5-273350a7f5ce.json
Deploy To Azure
OfficeActivity
| where UserType in~ ("Admin","DcAdmin")
// Only admin or global-admin can disable audit logging
| where Operation =~ "Set-AdminAuditLogConfig"
| extend AdminAuditLogEnabledValue = tostring(parse_json(tostring(parse_json(tostring(array_slice(parse_json(Parameters),3,3)))[0])).Value)
| where AdminAuditLogEnabledValue =~ "False"
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP, ResultStatus, Parameters, AdminAuditLogEnabledValue
| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP
severity: Medium
queryFrequency: 1d
relevantTechniques:
- T1562
tactics:
- DefenseEvasion
kind: Scheduled
query: |
  OfficeActivity
  | where UserType in~ ("Admin","DcAdmin")
  // Only admin or global-admin can disable audit logging
  | where Operation =~ "Set-AdminAuditLogConfig"
  | extend AdminAuditLogEnabledValue = tostring(parse_json(tostring(parse_json(tostring(array_slice(parse_json(Parameters),3,3)))[0])).Value)
  | where AdminAuditLogEnabledValue =~ "False"
  | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP, ResultStatus, Parameters, AdminAuditLogEnabledValue
  | extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft 365/Analytic Rules/exchange_auditlogdisabled.yaml
queryPeriod: 1d
status: Available
version: 2.0.1
name: Exchange AuditLog disabled
requiredDataConnectors:
- dataTypes:
  - OfficeActivity
  connectorId: Office365
triggerOperator: gt
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
id: 194dd92e-d6e7-4249-85a5-273350a7f5ce
description: |
  'Identifies when the exchange audit logging has been disabled which may be an adversary attempt
  to evade detection or avoid other defenses.'  
triggerThreshold: 0
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/194dd92e-d6e7-4249-85a5-273350a7f5ce')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/194dd92e-d6e7-4249-85a5-273350a7f5ce')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "Exchange AuditLog disabled",
        "description": "'Identifies when the exchange audit logging has been disabled which may be an adversary attempt\nto evade detection or avoid other defenses.'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "OfficeActivity\n| where UserType in~ (\"Admin\",\"DcAdmin\")\n// Only admin or global-admin can disable audit logging\n| where Operation =~ \"Set-AdminAuditLogConfig\"\n| extend AdminAuditLogEnabledValue = tostring(parse_json(tostring(parse_json(tostring(array_slice(parse_json(Parameters),3,3)))[0])).Value)\n| where AdminAuditLogEnabledValue =~ \"False\"\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP, ResultStatus, Parameters, AdminAuditLogEnabledValue\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "techniques": [
          "T1562"
        ],
        "alertRuleTemplateName": "194dd92e-d6e7-4249-85a5-273350a7f5ce",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "FullName"
              }
            ],
            "entityType": "Account"
          },
          {
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ],
            "entityType": "IP"
          }
        ],
        "templateVersion": "2.0.1",
        "status": "Available",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft 365/Analytic Rules/exchange_auditlogdisabled.yaml"
      }
    }
  ]
}