Microsoft 365 Unified Audit Logging Disabled
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。
Goal
Detect when unified audit logging is disabled. An adversary or insider threat can disable audit logging as a means of defense evasion.
Strategy
Monitor Microsoft 365 audit logs to look for events with an @evt.name value of Set-AdminAuditLogConfig, where @Parameters.UnifiedAuditLogIngestionEnabled is set to False.
Triage and response
- Determine if the user
{{@usr.email}} intended to disable audit logging. - If
{{@usr.email}} is not responsible for disabling the audit logging, investigate {{@usr.email}} for anomalous activity. If necessary, initiate your company’s incident response (IR) process.
Changelog
- 6 January 2023 - Updated rule name and case.
