CISA.MS.EXO.17.2 - Microsoft Purview Audit (Premium) logging SHALL be enabled.
Overviewβ
This is no longer applicable, and is deprecated by CISA. The content below is retained as a historical archive and will be removed in a future version.
Microsoft Purview Audit (Premium) logging SHALL be enabled.
Rationale: Standard logging may not include relevant details necessary for visibility into user actions during an incident. Enabling Microsoft Purview Audit (Premium) captures additional event types not included with Standard. Furthermore, it is required for government agencies by OMB M-21-13 (referred to therein by its former name, Unified Audit Logs w/Advanced Features).
Remediation action:β
To set up Microsoft Purview Audit (Premium), see Set up Microsoft Purview Audit (Premium) | Microsoft Learn.
Related linksβ
Test Metadataβ
| Field | Value |
|---|---|
| Test ID | CISA.MS.EXO.17.2 |
| Severity | Medium |
| Suite | CISA |
| Category | Deprecated |
| PowerShell test | Test-MtCisaAuditLogPremium |
| Tags | CISA, CISA.MS.EXO.17.2, Deprecated, MS.EXO, MS.EXO.17.2 |
Sourceβ
- Pester test:
tests/cisa/exchange/Test-MtCisaAuditLogPremium.Tests.ps1 - PowerShell source:
powershell/public/cisa/exchange/Test-MtCisaAuditLogPremium.ps1