CIS.M365.3.1.1 - (L1) Ensure Microsoft 365 audit log search is Enabled
Overview
3.1.1 (L1) Ensure Microsoft 365 audit log search is Enabled
When audit log search is enabled in the Microsoft Purview compliance portal, user and admin activity within the organization is recorded in the audit log and retained for 180 days by default. However, some organizations may prefer to use a third-party security information and event management (SIEM) application to access their auditing data. In this scenario, a global admin can choose to turn off audit log search in Microsoft 365.
Rationale
Enabling audit log search in the Microsoft Purview compliance portal can help organizations improve their security posture, meet regulatory compliance requirements, respond to security incidents, and gain valuable operational insights.
Remediation action:
- Navigate to Microsoft 365 Purview.
- Select Solutions and then Audit to open the audit search.
- Click the blue bar Start recording user and admin activity.
- Click Yes on the dialog box to confirm.
PowerShell
- Connect to Exchange Online using Connect-ExchangeOnline.
- Run the following PowerShell command:

```powershell
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
```
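To verify the control (and optionally apply the remediation above) from an existing Exchange Online session, the following is an added example, not the page's own test code or the Maester project's Test-MtCisAuditLogSearch; the function name Test-UnifiedAuditLogEnabled and the result object layout are assumptions made here.

```powershell
# Added example (not the page's or the Maester project's code): check CIS 3.1.1
# by reading the live setting, and re-read it after remediation instead of
# assuming the write succeeded. Assumes Connect-ExchangeOnline has already run
# with a role that can read (and, for -Remediate, write) the audit config.
function Test-UnifiedAuditLogEnabled {
    [CmdletBinding()]
    param(
        # Turn ingestion on when the check fails; omit for a report-only run.
        [switch]$Remediate
    )

    # Get-AdminAuditLogConfig returns the tenant-wide audit configuration.
    $config  = Get-AdminAuditLogConfig
    $enabled = [bool]$config.UnifiedAuditLogIngestionEnabled

    $result = [pscustomobject]@{
        TestId     = 'CIS.M365.3.1.1'
        Setting    = 'UnifiedAuditLogIngestionEnabled'
        Current    = $enabled
        Expected   = $true
        Pass       = $enabled
        Remediated = $false
    }

    if (-not $enabled -and $Remediate) {
        Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
        # Re-query so the report reflects what the service now returns. Microsoft
        # documents that the change can take up to 60 minutes to fully apply, so a
        # failing re-read immediately afterwards is not necessarily an error.
        $result.Current    = [bool](Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
        $result.Pass       = $result.Current
        $result.Remediated = $result.Current
    }

    return $result
}

# Report-only run; add -Remediate to enable ingestion when it is found off.
Test-UnifiedAuditLogEnabled | Format-List
```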
Related links
- Microsoft 365 Purview
- CIS Microsoft 365 Foundations Benchmark v6.0.1 - Page 149
- Turn auditing on or off
- Set-AdminAuditLogConfig
- Verify the auditing status for your organization
Test Metadata
| Field | Value |
|---|---|
| Test ID | CIS.M365.3.1.1 |
| Severity | High |
| Suite | CIS |
| Category | CIS E3 Level 1 |
| PowerShell test | Test-MtCisAuditLogSearch |
| Tags | CIS, CIS E3, CIS E3 Level 1, CIS M365 v6.0.1, CIS.M365.3.1.1, L1 |
Source
- Pester test: tests/cis/Test-MtCisAuditLogSearch.Tests.ps1
- PowerShell source: powershell/public/cis/Test-MtCisAuditLogSearch.ps1