rules/findings/m365/exchange_online/audit/ms-exo-audit-bypass-enabled.json
|
{
"provider": "Microsoft365", "serviceType": "Exchange Online", "serviceName": "Microsoft 365", "displayName": "Ensure \u0027AuditBypassEnabled\u0027 is not enabled on mailboxes", "description": "When configuring a user or computer account to bypass mailbox audit logging, the system will not record any access, or actions performed by the said user or computer account on any mailbox. Administratively this was introduced to reduce the volume of entries in the mailbox audit logs on trusted user or computer accounts. Ensure AuditBypassEnabled is not enabled on accounts without a written exception.", "rationale": "If a mailbox audit bypass association is added for an account, the account can access any mailbox in the organization to which it has been assigned access permissions, without generating any mailbox audit logging entries for such access or recording any actions taken, such as message deletions. \r\n\t\tEnabling this parameter, whether intentionally or unintentionally, could allow insiders or malicious actors to conceal their activity on specific mailboxes. Ensuring proper logging of user actions and mailbox operations in the audit log will enable comprehensive incident response and forensics.", "impact": "None - this is the default behavior.", "remediation": { "text": null, "code": { "powerShell": null, "iac": null, "terraform": null, "other": null } }, "recommendation": null, "references": [ "https://learn.microsoft.com/en-us/powershell/module/exchange/get-mailboxauditbypassassociation?view=exchange-ps" ], "compliance": [ { "name": "CIS Microsoft 365 Foundations Benchmark", "version": "6.0.1", "reference": "6.1.3", "profile": [ "E3 Level 1", "E5 Level 1" ] } ], "level": "medium", "tags": [ ], "rule": { "path": "o365_exo_audit_bypass_association", "subPath": null, "selectCondition": { }, "query": [ { "filter": [ { "conditions": [ [ "AuditBypassEnabled", "eq", "true" ] ] } ] } ], "shouldExist": null, "returnObject": null, "removeIfNotExists": null }, "output": { "html": { "data": { "properties": { "id": "Id", "Identity": "Identity", "OrganizationalUnitRoot": "OrganizationalUnitRoot", "AuditBypassEnabled": "AuditBypassEnabled" }, "expandObject": null }, "table": null, "decorate": [ ], "emphasis": [ ], "actions": { "objectData": { "properties": [ "*" ], "expandObject": null, "limit": null }, "showGoToButton": false, "showModalButton": false, "directLink": null } }, "text": { "data": { "properties": { "id": "Id", "Identity": "Identity", "OrganizationalUnitRoot": "OrganizationalUnitRoot", "AuditBypassEnabled": "AuditBypassEnabled" }, "expandObject": null }, "status": { "keyName": [ ], "message": "Ensure \u0027AuditBypassEnabled\u0027 is not enabled on mailboxes", "defaultMessage": null }, "properties": { "resourceName": "Identity", "resourceId": "Id", "resourceType": "EXOAuditBypass" }, "onlyStatus": false } }, "idSuffix": "m365_exo_audit_bypass_enabled", "notes": [ ], "categories": [ ], "immutable_properties": [ "Id", "DistinguishedName" ], "id": "microsoft365_2140" } |