turbot/microsoft365_compliance

Control: 5.1 Ensure Microsoft 365 audit log search is Enabled

Description

When audit log search in the Microsoft 365 Security & Compliance Center is enabled, user and admin activity from your organization is recorded in the audit log and retained for 90 days. However, your organization might be using a third-party security information and event management (SIEM) application to access your auditing data. In that case, a global admin can turn off audit log search in Microsoft 365.

Enabling Microsoft 365 audit log search helps Office 365 back office teams to investigate activities for regular security operational or forensic purposes.

Remediation

To enable Microsoft 365 audit log search, use the Microsoft 365 Admin Center:

  1. Log in as an administrator.
  2. Navigate to the Office 365 security & compliance center by going to https://protection.office.com.
  3. In the Security & Compliance Center, expand Search then select Audit log search.
  4. Click Start recording user and admin activities next to the information warning at the top.
  5. Click Yes on the dialog box to confirm.

NOTE: Remediation via PowerShell is only supported in on-premises Exchange environments.

Default Value: Disabled.

Usage

Run the control in your terminal:

powerpipe control run microsoft365_compliance.control.cis_v140_5_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run microsoft365_compliance.control.cis_v140_5_1 --share

SQL

This control uses a named query:

azuread_audit_log_search_enabled

Tags