turbot/microsoft365_compliance

Control: 5.1 Ensure Microsoft 365 audit log search is Enabled

Description

When audit log search in the Microsoft Purview compliance portal is enabled, user and admin activity from your organization is recorded in the audit log and retained for 90 days. However, your organization might be using a third-party security information and event management (SIEM) application to access your auditing data. In that case, a global admin can turn off audit log search in Microsoft 365.

Enabling Microsoft Purview audit log search helps Office 365 back office teams to investigate activities for regular security operational or forensic purposes.

Remediation

To enable Microsoft 365 audit log search, use the Microsoft 365 Admin Center:

  1. Log in as an administrator.
  2. Navigate to the Microsoft Purview compliance portal by going to https://compliance.office.com.
  3. Under Solutions, select Audit.
  4. Click Start recording user and admin activity next to the information warning at the top.
  5. Click Yes on the dialog box to confirm.

To enable Microsoft 365 audit log search via Exchange Online PowerShell:

  1. Connect to Exchange Online using Connect-ExchangeOnline.
  2. Run the following PowerShell command:
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

Default Value: Disabled.

Usage

Run the control in your terminal:

powerpipe control run microsoft365_compliance.control.cis_v150_5_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run microsoft365_compliance.control.cis_v150_5_1 --share

SQL

This control uses a named query:

azuread_audit_log_search_enabled

Tags