Microsoft Sentinel Analytic Rules

GSA Enriched Office 365 - Exchange AuditLog Disabled

Id: dc451755-8ab3-4059-b805-e454c45d1d44
Rulename: GSA Enriched Office 365 - Exchange AuditLog Disabled
Description: Identifies when the Exchange audit logging has been disabled, which may indicate an adversary attempt to evade detection or bypass other defenses.
Severity: Medium
Tactics: DefenseEvasion
Techniques: T1562
Required data connectors: AzureActiveDirectory, Office365
Kind: Scheduled
Query frequency: 1d
Query period: 1d
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Global Secure Access/Analytic Rules/Office 365 - exchange_auditlogdisabled.yaml
Version: 2.0.8
Arm template: dc451755-8ab3-4059-b805-e454c45d1d44.json
// OfficeActivity Query
// Purpose: surface Exchange admin operations that switch Exchange admin audit
// logging off (Set-AdminAuditLogConfig whose enabled flag is "False"), taken
// from both the OfficeActivity table and the EnrichedMicrosoft365AuditLogs
// table, de-duplicated per operation / actor / source IP, and projected into
// the columns the rule's Account and IP entity mappings read.
// NOTE(review): ResultStatus is carried through but never filtered, so
// unsuccessful Set-AdminAuditLogConfig calls are reported alongside successful
// ones — presumably intended (a failed attempt to blind auditing is still
// worth triage); confirm against the rule's intent before narrowing it.
let OfficeEvents = OfficeActivity
    | where OfficeWorkload =~ "Exchange" 
    | where UserType in~ ("Admin", "DcAdmin")
    // Only admin or global-admin can disable audit logging
    | where Operation =~ "Set-AdminAuditLogConfig"
    | extend ParsedParameters = parse_json(Parameters)
    // NOTE(review): positional lookup — assumes the cmdlet parameter that
    // carries the enabled/disabled value is always the 4th element of the
    // Parameters array. If the recorded parameter order ever differs, the
    // =~ "False" filter below silently drops the event (no error, no alert);
    // confirm the payload layout, or resolve the parameter by its name
    // rather than its index.
    | extend AdminAuditLogEnabledValue = tostring(ParsedParameters[3].Value)
    | where AdminAuditLogEnabledValue =~ "False"
    // One row per distinct operation / actor / source IP / outcome /
    // parameter set, with the first and last time it was seen in the window.
    | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() 
        by Operation, UserType, UserId, ClientIP, ResultStatus, Parameters, AdminAuditLogEnabledValue
    // Split the actor identifier for entity mapping: user@domain form yields
    // AccountName + AccountUPNSuffix; DOMAIN\user form yields
    // AccountName + AccountNTDomain; anything else keeps UserId as the name.
    | extend AccountName = iff(UserId contains '@', tostring(split(UserId, '@')[0]), 
                        iff(UserId contains '\\', tostring(split(UserId, '\\')[1]), UserId))
    | extend AccountUPNSuffix = iff(UserId contains '@', tostring(split(UserId, '@')[1]), '')
    | extend AccountNTDomain = iff(UserId contains '\\', tostring(split(UserId, '\\')[0]), '');
// EnrichedMicrosoft365AuditLogs Query
// Same detection over the enriched table. SourceIp and
// AdditionalProperties.Parameters are renamed to ClientIP / Parameters in the
// summarize so the result has the same column names as OfficeEvents and the
// union below lines the two up.
let EnrichedEvents = EnrichedMicrosoft365AuditLogs
    | where Workload =~ "Exchange"
    | where UserType in~ ("Admin", "DcAdmin")
    | where Operation =~ "Set-AdminAuditLogConfig"
    | extend ParsedParameters = parse_json(AdditionalProperties.Parameters)
    // NOTE(review): same positional [3] assumption as in OfficeEvents above;
    // the two tables are assumed to record the parameters in the same order.
    | extend AdminAuditLogEnabledValue = tostring(ParsedParameters[3].Value)
    | where AdminAuditLogEnabledValue =~ "False"
    | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() 
        by Operation, UserType, UserId, ClientIP = SourceIp, ResultStatus, Parameters = tostring(AdditionalProperties.Parameters), AdminAuditLogEnabledValue
    | extend AccountName = iff(UserId contains '@', tostring(split(UserId, '@')[0]), 
                        iff(UserId contains '\\', tostring(split(UserId, '\\')[1]), UserId))
    | extend AccountUPNSuffix = iff(UserId contains '@', tostring(split(UserId, '@')[1]), '')
    | extend AccountNTDomain = iff(UserId contains '\\', tostring(split(UserId, '\\')[0]), '');
// Combine Office and Enriched Events and Deduplicate
// When the same action is present in both tables, keep the row with the
// earliest StartTimeUtc per operation / actor / source IP.
// NOTE(review): the dedup key omits ResultStatus and Parameters, so a failed
// and a later successful attempt from the same actor and IP collapse into the
// earliest row; widen the key if both outcomes must be visible separately.
let CombinedEvents = OfficeEvents
    | union EnrichedEvents
    | summarize arg_min(StartTimeUtc, *) by Operation, UserId, ClientIP;
// Project Final Output
// OperationCount is computed by the summarize steps above but is not part of
// this projection; add it here if the alert should show the count.
CombinedEvents
    | project StartTimeUtc, EndTimeUtc, Operation, UserType, UserId, ClientIP, ResultStatus, Parameters, AdminAuditLogEnabledValue, AccountName, AccountUPNSuffix, AccountNTDomain
relevantTechniques:
- T1562
name: GSA Enriched Office 365 - Exchange AuditLog Disabled
requiredDataConnectors:
- dataTypes:
  - EnrichedMicrosoft365AuditLogs
  connectorId: AzureActiveDirectory
- dataTypes:
  - OfficeActivity (Exchange)
  connectorId: Office365
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: UserId
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: AccountUPNSuffix
  entityType: Account
- fieldMappings:
  - identifier: Address
    columnName: ClientIP
  entityType: IP
triggerThreshold: 0
id: dc451755-8ab3-4059-b805-e454c45d1d44
tactics:
- DefenseEvasion
version: 2.0.8
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Global Secure Access/Analytic Rules/Office 365 - exchange_auditlogdisabled.yaml
queryPeriod: 1d
kind: Scheduled
queryFrequency: 1d
severity: Medium
status: Available
description: |
    Identifies when the Exchange audit logging has been disabled, which may indicate an adversary attempt to evade detection or bypass other defenses.
query: |
  // OfficeActivity Query
  let OfficeEvents = OfficeActivity
      | where OfficeWorkload =~ "Exchange" 
      | where UserType in~ ("Admin", "DcAdmin")
      // Only admin or global-admin can disable audit logging
      | where Operation =~ "Set-AdminAuditLogConfig"
      | extend ParsedParameters = parse_json(Parameters)
      | extend AdminAuditLogEnabledValue = tostring(ParsedParameters[3].Value)
      | where AdminAuditLogEnabledValue =~ "False"
      | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() 
          by Operation, UserType, UserId, ClientIP, ResultStatus, Parameters, AdminAuditLogEnabledValue
      | extend AccountName = iff(UserId contains '@', tostring(split(UserId, '@')[0]), 
                          iff(UserId contains '\\', tostring(split(UserId, '\\')[1]), UserId))
      | extend AccountUPNSuffix = iff(UserId contains '@', tostring(split(UserId, '@')[1]), '')
      | extend AccountNTDomain = iff(UserId contains '\\', tostring(split(UserId, '\\')[0]), '');
  // EnrichedMicrosoft365AuditLogs Query
  let EnrichedEvents = EnrichedMicrosoft365AuditLogs
      | where Workload =~ "Exchange"
      | where UserType in~ ("Admin", "DcAdmin")
      | where Operation =~ "Set-AdminAuditLogConfig"
      | extend ParsedParameters = parse_json(AdditionalProperties.Parameters)
      | extend AdminAuditLogEnabledValue = tostring(ParsedParameters[3].Value)
      | where AdminAuditLogEnabledValue =~ "False"
      | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() 
          by Operation, UserType, UserId, ClientIP = SourceIp, ResultStatus, Parameters = tostring(AdditionalProperties.Parameters), AdminAuditLogEnabledValue
      | extend AccountName = iff(UserId contains '@', tostring(split(UserId, '@')[0]), 
                          iff(UserId contains '\\', tostring(split(UserId, '\\')[1]), UserId))
      | extend AccountUPNSuffix = iff(UserId contains '@', tostring(split(UserId, '@')[1]), '')
      | extend AccountNTDomain = iff(UserId contains '\\', tostring(split(UserId, '\\')[0]), '');
  // Combine Office and Enriched Events and Deduplicate
  let CombinedEvents = OfficeEvents
      | union EnrichedEvents
      | summarize arg_min(StartTimeUtc, *) by Operation, UserId, ClientIP;
  // Project Final Output
  CombinedEvents
      | project StartTimeUtc, EndTimeUtc, Operation, UserType, UserId, ClientIP, ResultStatus, Parameters, AdminAuditLogEnabledValue, AccountName, AccountUPNSuffix, AccountNTDomain  
triggerOperator: gt
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/dc451755-8ab3-4059-b805-e454c45d1d44')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/dc451755-8ab3-4059-b805-e454c45d1d44')]",
      "properties": {
        "alertRuleTemplateName": "dc451755-8ab3-4059-b805-e454c45d1d44",
        "customDetails": null,
        "description": "Identifies when the Exchange audit logging has been disabled, which may indicate an adversary attempt to evade detection or bypass other defenses.\n",
        "displayName": "GSA Enriched Office 365 - Exchange AuditLog Disabled",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "UserId",
                "identifier": "FullName"
              },
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "AccountUPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "ClientIP",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Global Secure Access/Analytic Rules/Office 365 - exchange_auditlogdisabled.yaml",
        "query": "// OfficeActivity Query\nlet OfficeEvents = OfficeActivity\n    | where OfficeWorkload =~ \"Exchange\" \n    | where UserType in~ (\"Admin\", \"DcAdmin\")\n    // Only admin or global-admin can disable audit logging\n    | where Operation =~ \"Set-AdminAuditLogConfig\"\n    | extend ParsedParameters = parse_json(Parameters)\n    | extend AdminAuditLogEnabledValue = tostring(ParsedParameters[3].Value)\n    | where AdminAuditLogEnabledValue =~ \"False\"\n    | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() \n        by Operation, UserType, UserId, ClientIP, ResultStatus, Parameters, AdminAuditLogEnabledValue\n    | extend AccountName = iff(UserId contains '@', tostring(split(UserId, '@')[0]), \n                        iff(UserId contains '\\\\', tostring(split(UserId, '\\\\')[1]), UserId))\n    | extend AccountUPNSuffix = iff(UserId contains '@', tostring(split(UserId, '@')[1]), '')\n    | extend AccountNTDomain = iff(UserId contains '\\\\', tostring(split(UserId, '\\\\')[0]), '');\n// EnrichedMicrosoft365AuditLogs Query\nlet EnrichedEvents = EnrichedMicrosoft365AuditLogs\n    | where Workload =~ \"Exchange\"\n    | where UserType in~ (\"Admin\", \"DcAdmin\")\n    | where Operation =~ \"Set-AdminAuditLogConfig\"\n    | extend ParsedParameters = parse_json(AdditionalProperties.Parameters)\n    | extend AdminAuditLogEnabledValue = tostring(ParsedParameters[3].Value)\n    | where AdminAuditLogEnabledValue =~ \"False\"\n    | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() \n        by Operation, UserType, UserId, ClientIP = SourceIp, ResultStatus, Parameters = tostring(AdditionalProperties.Parameters), AdminAuditLogEnabledValue\n    | extend AccountName = iff(UserId contains '@', tostring(split(UserId, '@')[0]), \n                        iff(UserId contains '\\\\', tostring(split(UserId, '\\\\')[1]), UserId))\n    | extend AccountUPNSuffix = iff(UserId contains '@', tostring(split(UserId, '@')[1]), '')\n    | extend AccountNTDomain = iff(UserId contains '\\\\', tostring(split(UserId, '\\\\')[0]), '');\n// Combine Office and Enriched Events and Deduplicate\nlet CombinedEvents = OfficeEvents\n    | union EnrichedEvents\n    | summarize arg_min(StartTimeUtc, *) by Operation, UserId, ClientIP;\n// Project Final Output\nCombinedEvents\n    | project StartTimeUtc, EndTimeUtc, Operation, UserType, UserId, ClientIP, ResultStatus, Parameters, AdminAuditLogEnabledValue, AccountName, AccountUPNSuffix, AccountNTDomain\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "techniques": [
          "T1562"
        ],
        "templateVersion": "2.0.8",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}