LoFP LoFP / administrators might temporarily disable the advanced audit for troubleshooting, performance reasons, or other administrative tasks. filter as needed.

Techniques

Sample rules

O365 Advanced Audit Disabled

Description

The following analytic detects instances where the O365 advanced audit is disabled for a specific user within the Office 365 tenant. It uses O365 audit logs, focusing on events related to audit license changes in AzureActiveDirectory workloads. This activity is significant because the O365 advanced audit provides critical logging and insights into user and administrator activities. Disabling it can blind security teams to potential malicious actions. If confirmed malicious, attackers could operate within the user’s mailbox or account with reduced risk of detection, leading to unauthorized data access, data exfiltration, or account compromise.

Detection logic

`o365_management_activity` Operation="Change user license."  
| eval property_name = mvindex ('ExtendedProperties{}.Name', 1) 
| search property_name = "extendedAuditEventCategory" 
| eval additionalDetails = mvindex('ExtendedProperties{}.Value',0) 
| eval split_value=split(additionalDetails, "NewValue") 
| eval possible_plan=mvindex(split_value, 1)  
| rex field="possible_plan" "DisabledPlans=\[(?P<DisabledPlans>[^\]]+)\]" 
| search DisabledPlans IN ("*M365_ADVANCED_AUDITING*") 
| stats min(_time) as firstTime max(_time) as lastTime by Operation user object DisabledPlans 
| `security_content_ctime(firstTime)`  
| `security_content_ctime(lastTime)` 
| `o365_advanced_audit_disabled_filter`