CISA.MS.EXO.17.1 - Microsoft Purview Audit (Standard) logging SHALL be enabled.
Overviewβ
Microsoft Purview Audit (Standard) logging SHALL be enabled.
Rationale: Responding to incidents without detailed information about activities that took place slows response actions. Enabling Microsoft Purview Audit (Standard) helps ensure agencies have visibility into user actions. Furthermore, Microsoft Purview Audit (Standard) is required for government agencies by OMB M-21-31 (referred to therein by its former name, Unified Audit Logs).
Remediation action:β
To enable auditing via the Microsoft Purview compliance portal:
- Sign in to the Microsoft Purview compliance portal.
- Under Solutions, select Audit.
- If auditing is not enabled, a banner is displayed to notify the administrator to start recording user and admin activity.
- Click the Start recording user and admin activity.
Related linksβ
Test Metadataβ
| Field | Value |
|---|---|
| Test ID | CISA.MS.EXO.17.1 |
| Severity | High |
| Suite | CISA |
| Category | exchange |
| PowerShell test | Test-MtCisaAuditLog |
| Tags | CISA, CISA.MS.EXO.17.1, MS.EXO, MS.EXO.17.1 |
Sourceβ
- Pester test:
tests/cisa/exchange/Test-MtCisaAuditLog.Tests.ps1 - PowerShell source:
powershell/public/cisa/exchange/Test-MtCisaAuditLog.ps1