Microsoft 365 Unified Audit Logging Disabled

Goal

Detect when unified audit logging is disabled. An adversary or insider threat can disable audit logging as a means of defense evasion.

Strategy

Monitor Microsoft 365 audit logs to look for events with an @evt.name value of Set-AdminAuditLogConfig, where @Parameters.UnifiedAuditLogIngestionEnabled is set to False.

Triage and response

  1. Determine if the user {{@usr.email}} intended to disable audit logging.
  2. If {{@usr.email}} is not responsible for disabling the audit logging, investigate {{@usr.email}} for anomalous activity. If necessary, initiate your company’s incident response (IR) process.

Changelog

  • 6 January 2023 - Updated rule name and case.