CISA.MS.EXO.13.1 - Mailbox auditing SHALL be enabled.
Overview
Mailbox auditing SHALL be enabled.
Rationale: Exchange Online user accounts can be compromised or misused. Enabling mailbox auditing provides a valuable source of information to detect and respond to mailbox misuse.
Remediation action:
Mailbox auditing can be managed from the Exchange Online PowerShell module. Follow the instructions listed on Manage mailbox auditing in Office 365.
- To enable mailbox auditing by default for your organization via PowerShell:
- Connect to the Exchange Online PowerShell.
- Run the following command:
Set-OrganizationConfig –AuditDisabled $false
Related links
- Microsoft Learn - Mailbox Auditing
- CISA 13 Mailbox Auditing - MS.EXO.13.1v1
- CISA ScubaGear Rego Reference
Test Metadata
| Field | Value |
|---|---|
| Test ID | CISA.MS.EXO.13.1 |
| Severity | High |
| Suite | CISA |
| Category | exchange |
| PowerShell test | Test-MtCisaMailboxAuditing |
| Tags | CISA, CISA.MS.EXO.13.1, MS.EXO, MS.EXO.13.1 |
Source
- Pester test:
tests/cisa/exchange/Test-MtCisaMailboxAuditing.Tests.ps1 - PowerShell source:
powershell/public/cisa/exchange/Test-MtCisaMailboxAuditing.ps1