Microsoft 365 mailbox audit logging bypass
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。
Goal
Detect when a user configures a mailbox audit logging bypass.
Strategy
Monitor Microsoft 365 Exchange audit logs to look for the operation Set-MailboxAuditBypassAssociation
. When this operation is configured, no activity is logged, such as a user or account accessing or taking other actions in a mailbox. Attackers may configure this setting to evade existing defenses.
Triage and response
- Inspect the
@Parameters.Identity
attribute to determine which user or account will bypass mailbox audit logging. - Determine if there is a legitimate use case for the mailbox audit bypass by contacting the user
{{@usr.email}}
. - If
{{@usr.email}}
is not aware of the mailbox audit bypass:- Investigate other activities performed by the user
{{@usr.email}}
and @Parameters.Identity
using the Cloud SIEM - User Investigation dashboard. - Begin your organization’s incident response process and investigate.
Changelog
- 17 August 2023 - Updated query to replace attribute
@threat_intel.results.subcategory:tor
with @threat_intel.results.category:tor
.