Use mailbox auditing with MS365 services

Introduction

Exchange on-premises lets you enable auditing of mailbox usage. Auditing can record actions performed by administrators (Admin), by users with delegate access to the mailbox (Delegate) and by the mailbox owner (Owner).

Exchange Online offers the same type of auditing. It is enabled by default, with a 90-day retention period for mailbox audit entries; keeping them longer than 90 days requires additional licensing.

The audit logs can be accessed in several ways:

  • Through the Exchange Online audit log
  • Through the audit log of the “Compliance Center” tool
  • Through the “Management Activity” API (the API used by SIEMs)

Verify Exchange Online Audit configuration

Exchange Online mailbox auditing can be verified at the organization level with the Get-OrganizationConfig | fl AuditDisabled PowerShell command. The value must be False for mailbox auditing to be on by default.

When auditing is on by default at the organization level, it applies to all supported mailboxes: user mailboxes and shared mailboxes.

Auditing can be bypassed for specific accounts with the following command (the identity is the account whose actions should no longer be logged):

Set-MailboxAuditBypassAssociation -Identity <account> -AuditBypassEnabled $true

The Get-MailboxAuditBypassAssociation command shows the bypass status. A bypass suppresses logging of everything that account does in any mailbox, so the list of accounts with AuditBypassEnabled set to True should normally be empty and should be reviewed regularly: it is an easy way for someone with Exchange admin rights to hide their activity.

The mailbox types that support mailbox auditing are listed at: https://docs.microsoft.com/en-us/microsoft-365/compliance/enable-mailbox-auditing?view=o365-worldwide

Auditing is enabled by default on each mailbox, and the “DefaultAuditSet” property of a mailbox shows for which logon types the audited actions are still the Microsoft-managed defaults. By default this property is set to “Admin, Delegate, Owner”.

In this case the list of audited actions for each logon type is defined by Microsoft, and the “AuditAdmin”, “AuditDelegate” and “AuditOwner” properties are maintained by Microsoft (new default actions are added to them automatically).

If one of these three properties is modified to add or remove an action, Microsoft stops managing that property: the corresponding logon type is removed from “DefaultAuditSet”, and new default actions are no longer added to that mailbox.

The Microsoft-managed defaults can be restored by setting the “DefaultAuditSet” property back to the logon types that should be managed.
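The following script is an added example (it is not code from the original article): it walks through the checks described above in Exchange Online PowerShell, then shows what modifying AuditOwner does to DefaultAuditSet and how to restore the defaults. It assumes the ExchangeOnlineManagement module, an account with Exchange admin rights, and uses alice@contoso.com as a placeholder mailbox.

```powershell
# Added example, not from the original article. Placeholders: alice@contoso.com.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# 1. Organization level: AuditDisabled must be False for "auditing on by default".
$org = Get-OrganizationConfig
if ($org.AuditDisabled) {
    Write-Warning 'Mailbox auditing on by default is DISABLED for this tenant'
} else {
    Write-Host 'Mailbox auditing on by default is enabled'
}

# 2. Bypass associations: an account with AuditBypassEnabled = True is not
#    logged when it acts on any mailbox. This list should normally be empty.
$bypass = Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
    Where-Object { $_.AuditBypassEnabled }
if ($bypass) {
    Write-Warning 'Accounts with audit bypass enabled:'
    $bypass | Select-Object Identity, AuditBypassEnabled | Format-Table -AutoSize
}

# 3. Per-mailbox: which logon types still use the Microsoft-managed action set?
$mbx = Get-Mailbox -Identity 'alice@contoso.com'
$mbx | Format-List AuditEnabled, DefaultAuditSet, AuditAdmin, AuditDelegate, AuditOwner

# 4. Adding an action to AuditOwner removes "Owner" from DefaultAuditSet:
#    Microsoft no longer adds new default owner actions to this mailbox.
Set-Mailbox -Identity 'alice@contoso.com' -AuditOwner @{Add = 'MailboxLogin'}
(Get-Mailbox -Identity 'alice@contoso.com').DefaultAuditSet

# 5. Restore the Microsoft-managed defaults for all three logon types.
Set-Mailbox -Identity 'alice@contoso.com' -DefaultAuditSet Admin, Delegate, Owner
(Get-Mailbox -Identity 'alice@contoso.com').DefaultAuditSet

# 6. Report every user or shared mailbox that has drifted from the defaults,
#    i.e. whose DefaultAuditSet no longer contains all three logon types.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox |
    Where-Object { @($_.DefaultAuditSet).Count -lt 3 } |
    Select-Object UserPrincipalName, DefaultAuditSet
```

After step 4 the DefaultAuditSet of the mailbox reads Admin and Delegate only; after step 5 it reads Admin, Delegate, Owner again. Step 6 is the check worth scheduling: a mailbox that silently lost a logon type from DefaultAuditSet will miss any new default actions Microsoft adds later.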

Exchange Online audit tool

In Exchange Online, auditing is found under the “Compliance Management” section of the Exchange Admin Center.

You can view the results of an audit log search or export them.

The same search can be done in PowerShell with the Search-MailboxAuditLog command, or with the New-MailboxAuditLogSearch command, which sends the search results by email. Note that Microsoft has since retired these two cmdlets in Exchange Online in favour of Search-UnifiedAuditLog.
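The following is an added example (not code from the original article) of the Search-MailboxAuditLog search described above, targeting non-owner access to one mailbox over the last 30 days and summarizing who did what. It assumes the ExchangeOnlineManagement module and uses ceo@contoso.com as a placeholder; where the cmdlet has been retired in your tenant, the same questions are answered with Search-UnifiedAuditLog.

```powershell
# Added example, not from the original article. Placeholder: ceo@contoso.com.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$mailbox = 'ceo@contoso.com'
$start   = (Get-Date).AddDays(-30)
$end     = Get-Date

# Admin and Delegate logon types only: anything not done by the owner.
# -ShowDetails returns one record per audited action instead of a summary.
$entries = Search-MailboxAuditLog -Identity $mailbox -LogonTypes Admin, Delegate `
    -StartDate $start -EndDate $end -ShowDetails -ResultSize 50000

# Who accessed the mailbox and what did they do?
$entries |
    Group-Object LogonUserDisplayName, Operation |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# Operations that typically indicate mailbox takeover or data exfiltration.
$suspicious = 'UpdateInboxRules', 'UpdateFolderPermissions', 'HardDelete', 'SendAs', 'SendOnBehalf'
$entries |
    Where-Object { $_.Operation -in $suspicious } |
    Select-Object LastAccessed, LogonUserDisplayName, LogonType, Operation, ClientIPAddress, ClientInfoString |
    Format-Table -AutoSize
```

ClientIPAddress and ClientInfoString are the two fields to pivot on when an entry looks wrong: an unfamiliar source address or a client string that does not match the delegate's usual tooling is the first thing to check.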

Compliance Center / Defender 365 audit tool

The “Compliance Center” and “Microsoft 365 Defender” tools also give access to audit logs, but more broadly: this is the unified audit log, which covers all Microsoft 365 workloads and not only Exchange.

To check whether unified audit logging is turned on, use the Get-AdminAuditLogConfig command and look at the UnifiedAuditLogIngestionEnabled property.

It is then possible to search in this unified audit log via the “Audit” menu of the “Microsoft 365 Defender” tool.

This tool differs from the Exchange Online audit tool in one important way: by default, audit log searches here only return mailbox entries for users with “E5” licenses and for Microsoft 365 group mailboxes (for example Teams). To make the other mailboxes appear in the unified log, auditing must be explicitly re-enabled on each mailbox with the command set-mailbox -AuditEnabled $true. See https://docs.microsoft.com/en-us/microsoft-365/compliance/enable-mailbox-auditing?view=o365-worldwide#more-information.

The unified audit log can also be searched from PowerShell with the Search-UnifiedAuditLog command.
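The following script is an added example (not code from the original article) of the two steps above: it re-enables auditing on every user and shared mailbox so that non-E5 mailboxes show up in the unified audit log, then pages through Search-UnifiedAuditLog looking for inbox-rule changes that forward or delete mail, a classic business-email-compromise indicator. It assumes the ExchangeOnlineManagement module and Exchange admin rights.

```powershell
# Added example, not from the original article.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# 1. Unified audit log ingestion must be on at the tenant level.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Write-Warning 'Unified audit log ingestion is disabled for this tenant'
}

# 2. Explicitly enable auditing on each mailbox so non-E5 mailboxes also
#    appear in unified audit log searches.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox |
    ForEach-Object { Set-Mailbox -Identity $_.Identity -AuditEnabled $true }

# 3. Search the unified audit log with session paging. One call returns at most
#    5000 records; SessionCommand ReturnLargeSet keeps returning the next page
#    for the same SessionId until nothing is left.
function Get-UalRecords {
    param(
        [datetime]$Start,
        [datetime]$End,
        [string[]]$Operations,
        [string]$RecordType = 'ExchangeAdmin'
    )
    $sessionId = [guid]::NewGuid().ToString()
    $all = @()
    do {
        $page = Search-UnifiedAuditLog -StartDate $Start -EndDate $End `
            -RecordType $RecordType -Operations $Operations `
            -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
        $all += $page
    } while ($page)
    return $all
}

$records = Get-UalRecords -Start (Get-Date).AddDays(-7) -End (Get-Date) `
    -Operations 'New-InboxRule', 'Set-InboxRule', 'Enable-InboxRule'

# 4. The detail lives in the AuditData JSON blob. Inbox-rule cmdlets are logged
#    as ExchangeAdmin records whose Parameters array holds the cmdlet arguments.
$records | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    $params = @{}
    foreach ($p in $d.Parameters) { $params[$p.Name] = $p.Value }
    $forward = $params.ForwardTo, $params.ForwardAsAttachmentTo, $params.RedirectTo |
        Where-Object { $_ }
    [pscustomobject]@{
        Time      = $d.CreationTime
        Actor     = $d.UserId
        ClientIP  = $d.ClientIP
        Operation = $d.Operation
        RuleName  = $params.Name
        Forward   = ($forward -join ';')
        Delete    = [bool]$params.DeleteMessage
    }
} | Where-Object { $_.Forward -or $_.Delete } | Format-Table -AutoSize
```

Rules created through Outlook rather than PowerShell are logged as the UpdateInboxRules operation on ExchangeItem records with a different AuditData layout; extend the Operations and RecordType arguments if you want to catch both paths in one run.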

WebHook and SIEM

Exchange Online audit data can be ingested by a third-party SIEM as well as by Microsoft's own SIEM, Azure Sentinel (https://docs.microsoft.com/en-us/rest/api/securityinsights).

A SIEM uses the Office 365 Management Activity API (https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-reference) to subscribe to audit content and, optionally, to receive notifications through a WebHook.

To use this API, you must register an application in Azure AD with certificate or client-secret authentication. The application obtains an OAuth 2.0 access token and uses it to call the API.

Create an app in Azure:

Add API permissions to the application from the “Office 365 Management APIs” catalog:

Add the “ActivityFeed.Read” application permission and grant admin consent for it:

A small .NET program is enough to test the Management Activity API and to see what a SIEM would ingest.

By requesting the URI of a content blob you get the detailed audit records it contains:

A demo program can be downloaded: https://admin365.fr/download/Test_Siem_net5.0.zip

You must have the .NET 5.0 runtime installed and edit the SIEM365.dll.config file before running it.
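As an added example (not the demo program above and not code from the original article), the same exchange with the Management Activity API can be scripted in PowerShell: obtain a token for the app registration, start a subscription for the Exchange audit feed, list the content blobs published in a time window and fetch the records from each contentUri. The tenant ID, client ID and secret are placeholders; the Get-ContentBlobs function name is this example's own.

```powershell
# Added example, not from the original article. All identifiers are placeholders.
$tenantId     = '00000000-0000-0000-0000-000000000000'
$clientId     = '11111111-1111-1111-1111-111111111111'
$clientSecret = '<client secret from the app registration>'
$apiBase      = "https://manage.office.com/api/v1.0/$tenantId/activity/feed"

# 1. Client-credentials token for the Management API resource.
$token = (Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" `
    -Body @{
        grant_type    = 'client_credentials'
        client_id     = $clientId
        client_secret = $clientSecret
        scope         = 'https://manage.office.com/.default'
    }).access_token
$headers = @{ Authorization = "Bearer $token" }

# 2. Start the subscription for the Exchange audit feed (idempotent). To use
#    push mode instead of polling, send a JSON body with a "webhook" object
#    whose "address" is the HTTPS endpoint the service should notify.
$contentType = 'Audit.Exchange'
Invoke-RestMethod -Method Post -Headers $headers `
    -Uri "$apiBase/subscriptions/start?contentType=$contentType" | Out-Null

# 3. List content blobs published in a window. The API accepts at most 24 hours
#    per request and only keeps 7 days of content; follow NextPageUri until done.
function Get-ContentBlobs {
    param([datetime]$Start, [datetime]$End)
    $fmt = 'yyyy-MM-ddTHH:mm:ss'
    $uri = "$apiBase/subscriptions/content?contentType=$contentType" +
           "&startTime=$($Start.ToUniversalTime().ToString($fmt))" +
           "&endTime=$($End.ToUniversalTime().ToString($fmt))"
    $blobs = @()
    while ($uri) {
        $resp   = Invoke-WebRequest -Headers $headers -Uri $uri
        $blobs += ($resp.Content | ConvertFrom-Json)
        $uri    = [string]$resp.Headers['NextPageUri']   # empty when no more pages
    }
    return $blobs
}

# 4. Each blob's contentUri returns an array of audit records, in the same
#    schema as the AuditData JSON returned by Search-UnifiedAuditLog.
$blobs  = Get-ContentBlobs -Start (Get-Date).AddHours(-6) -End (Get-Date)
$events = foreach ($b in $blobs) {
    Invoke-RestMethod -Headers $headers -Uri $b.contentUri
}

# Surface the operations a SIEM rule would typically alert on first.
$events |
    Where-Object { $_.Operation -in 'New-InboxRule', 'Set-InboxRule', 'Add-MailboxPermission' } |
    Select-Object CreationTime, UserId, ClientIP, Operation, RecordType |
    Format-Table -AutoSize
```

Two practical points: the listing call returns nothing for a window that predates the subscription start, so new connectors must not expect historical data, and the 7-day retention on the API side means a SIEM outage longer than a week loses events unless they are also kept in the unified audit log.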