Control: 3.1.1 Ensure Microsoft 365 audit log search is Enabled
Description
When audit log search is enabled in the Microsoft Purview compliance portal, user and admin activity within the organization is recorded in the audit log and retained for 180 days by default. However, some organizations may prefer to use a third-party security information and event management (SIEM) application to access their auditing data. In this scenario, a global admin can choose to turn off audit log search in Microsoft 365.
Remediation
To remediate using the UI:
- Navigate to Microsoft Purview (https://compliance.microsoft.com).
- Select Solutions and then Audit to open the audit search.
- Click the blue bar Start recording user and admin activity.
- Click Yes on the dialog box to confirm.
To remediate using PowerShell:
- Connect to Exchange Online using Connect-ExchangeOnline.
- Run the following PowerShell command:
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
Default Value
180 days
Usage
Run the control in your terminal:
powerpipe control run microsoft365_compliance.control.cis_v500_3_1_1
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run microsoft365_compliance.control.cis_v500_3_1_1 --share
SQL
This control uses a named query:
with audit_count as (
  select tenant_id, count(id)
  from azuread_directory_audit_report
  group by tenant_id
),
tenant_list as (
  select distinct on (tenant_id) tenant_id, _ctx
  from azuread_user
)
select
  t.tenant_id as resource,
  case when a.count > 0 then 'ok' else 'alarm' end as status,
  case when a.count > 0 then t.tenant_id || ' has audit log search enabled.'
       else t.tenant_id || ' has audit log search disabled.' end as reason,
  t.tenant_id as tenant_id
from tenant_list as t
left join audit_count as a on t.tenant_id = a.tenant_id;
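As an added example (not part of this mod or the CIS benchmark), the following PowerShell script checks the setting directly with Get-AdminAuditLogConfig, which reads the configured state rather than inferring it from the presence of audit records as the named query above does; the -Remediate switch is an assumption of this script, and it requires the ExchangeOnlineManagement module and an account permitted to change organization audit configuration.

```powershell
# Added example: report the unified audit log ingestion state and,
# only when -Remediate is given, apply the same fix the control prescribes.
param(
    [switch]$Remediate   # assumed parameter: change the setting only when set
)

Connect-ExchangeOnline -ShowBanner:$false

$config  = Get-AdminAuditLogConfig
$enabled = [bool]$config.UnifiedAuditLogIngestionEnabled

if ($enabled) {
    Write-Output "ok: UnifiedAuditLogIngestionEnabled is true"
} else {
    Write-Output "alarm: UnifiedAuditLogIngestionEnabled is false"
    if ($Remediate) {
        Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
        # Re-read the configuration to confirm the change took effect
        $after = Get-AdminAuditLogConfig
        Write-Output "remediated: UnifiedAuditLogIngestionEnabled = $($after.UnifiedAuditLogIngestionEnabled)"
    }
}

Disconnect-ExchangeOnline -Confirm:$false
```

A tenant whose setting was just enabled may still show zero rows in azuread_directory_audit_report until activity is recorded, so the configured state and the count-based query can briefly disagree.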