turbot/steampipe-mod-microsoft365-compliance

Control: 3.1.1 Ensure Microsoft 365 audit log search is Enabled

Description

When audit log search is enabled in the Microsoft Purview compliance portal, user and admin activity within the organization is recorded in the audit log and retained for 90 days. However, some organizations may prefer to use a third-party security information and event management (SIEM) application to access their auditing data. In this scenario, a global admin can choose to turn off audit log search in Microsoft 365.

Enabling audit log search in the Microsoft Purview compliance portal can help organizations improve their security posture, meet regulatory compliance requirements, respond to security incidents, and gain valuable operational insights.

Remediation

To enable Microsoft 365 audit log search:

  1. Navigate to Microsoft Purview https://compliance.microsoft.com.
  2. Select Audit to open the audit search.
  3. Click Start recording user and admin activity next to the information warning at the top.
  4. Click Yes on the dialog box to confirm.

To enable Microsoft 365 audit log search using PowerShell:

  1. Connect to Exchange Online using Connect-ExchangeOnline.
  2. Run the following PowerShell command:

     Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
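The PowerShell remediation above is a single Set- call. As an added example (not part of the steampipe mod or its documentation), the script below reads the current ingestion state first, enables it only when it is off, and then re-reads the setting to confirm the change instead of trusting the Set- call. It assumes the ExchangeOnlineManagement module is installed and that the signed-in account holds a role that is allowed to run Set-AdminAuditLogConfig.

```powershell
# Added example: check-then-enable for unified audit log ingestion.
# Assumes the ExchangeOnlineManagement module is installed and the caller
# has the rights to run Get-/Set-AdminAuditLogConfig.

Import-Module ExchangeOnlineManagement

# Interactive sign-in; use certificate-based auth for unattended runs.
Connect-ExchangeOnline -ShowBanner:$false

try {
    $config = Get-AdminAuditLogConfig

    if ($config.UnifiedAuditLogIngestionEnabled) {
        Write-Output "Unified audit log ingestion is already enabled."
    }
    else {
        Write-Output "Unified audit log ingestion is disabled; enabling it now."
        Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

        # Re-read the setting rather than assuming the Set- call succeeded;
        # the change may take some time to propagate across the service.
        $after = Get-AdminAuditLogConfig
        if ($after.UnifiedAuditLogIngestionEnabled) {
            Write-Output "Unified audit log ingestion is now enabled."
        }
        else {
            Write-Warning "Setting did not read back as enabled yet; re-check after propagation."
        }
    }
}
finally {
    Disconnect-ExchangeOnline -Confirm:$false
}
```

Note that the control's query in the SQL section infers the state from the presence of rows in azuread_directory_audit_report rather than reading this setting directly, so a tenant that was just enabled may still report alarm until audit records actually exist.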

Usage

Run the control in your terminal:

powerpipe control run microsoft365_compliance.control.cis_v300_3_1_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run microsoft365_compliance.control.cis_v300_3_1_1 --share

SQL

This control uses a named query:

with audit_count as (
  select
    tenant_id,
    count(id)
  from
    azuread_directory_audit_report
  group by
    tenant_id
),
tenant_list as (
  select
    distinct on (tenant_id) tenant_id,
    _ctx
  from
    azuread_user
)
select
  t.tenant_id as resource,
  case
    when a.count > 0 then 'ok'
    else 'alarm'
  end as status,
  case
    when a.count > 0 then t.tenant_id || ' has audit log search enabled.'
    else t.tenant_id || ' has audit log search disabled.'
  end as reason,
  t.tenant_id as tenant_id
from
  tenant_list as t
  left join audit_count as a on t.tenant_id = a.tenant_id;

Tags