ScubaGear
Investigate enabling audit for additional SharePoint & Exchange actions
💡 Summary
Direct the user to enable 2 audit events through admin PowerShell to enable a specific ability for Incident Response. https://learn.microsoft.com/en-us/microsoft-365/compliance/audit-premium-setup?view=o365-worldwide#step-2-enable-audit-premium-events
Note: Due to changes in auditing from Microsoft, these two events no longer require Audit Premium and are available, but not enabled by default, under Audit Standard. Checking these events does require doing per-user checks, which may impact assessment performance for large tenants (read: slow assessments).
Motivation and context
Per the M365 Enhanced Cloud Logs Implementation Playbook, updates to M365 auditing made two previously premium audit actions available as part of standard (SearchQueryInitiatedExchange and SearchQueryInitiatedSharePoint). These actions are logged when users perform searches in Exchange Online and SharePoint Online. These audit events are not part of the default user audit policy, but can be enabled on a per user basis. Once enabled you can search the audit log for Audit events and other activities during forensic investigations of compromised accounts and other types of security or compliance investigations.
Implementation notes
- Review performance of per user audit checks
- Suggest new policy to Exchange baseline
- Suggest new policy to SharePoint baseline
- Update unit test cases for new checks
Acceptance criteria
- [ ] Updated policy has the change noted in implementation notes
- [ ] All unit test cases pass
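The enable step and the per-user check the issue describes, written out as an added example (this is not ScubaGear code or the project's implementation). It assumes an Exchange Online PowerShell session opened with `Connect-ExchangeOnline` from the ExchangeOnlineManagement module and a role allowed to run `Set-Mailbox`, `Get-EXOMailbox` and `Search-UnifiedAuditLog`; the function names and the `user@contoso.onmicrosoft.com` identity are hypothetical. Note that the owner audit action names set on the mailbox (`SearchQueryInitiated`, `SearchQueryInitiatedSharePoint`) are not identical to the record types that later appear in the unified audit log (`SearchQueryInitiatedExchange`, `SearchQueryInitiatedSharePoint`).

```powershell
# Added example, not ScubaGear project code. Assumes Connect-ExchangeOnline has
# already been run with an account permitted to change mailbox audit settings.

# Owner-level mailbox audit actions behind the two events discussed in the issue.
$RequiredOwnerActions = @('SearchQueryInitiated', 'SearchQueryInitiatedSharePoint')

function Enable-SearchQueryAuditing {
    # Enable both actions for one mailbox. @{Add=...} appends to the existing
    # AuditOwner set instead of replacing it, so the default owner actions
    # (MailItemsAccessed, Send, ...) are preserved.
    param([Parameter(Mandatory)][string]$Identity)
    Set-Mailbox -Identity $Identity -AuditOwner @{Add = $RequiredOwnerActions}
}

function Get-SearchQueryAuditGaps {
    # Per-user check: report every user mailbox that has auditing off or is
    # missing either action. This enumerates all mailboxes in the tenant, which
    # is the per-user cost the issue warns about for large tenants.
    $Mailboxes = Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox `
        -Properties AuditEnabled, AuditOwner
    foreach ($Mbx in $Mailboxes) {
        $Missing = $RequiredOwnerActions | Where-Object { $Mbx.AuditOwner -notcontains $_ }
        if (-not $Mbx.AuditEnabled -or $Missing) {
            [pscustomobject]@{
                UserPrincipalName = $Mbx.UserPrincipalName
                AuditEnabled      = $Mbx.AuditEnabled
                MissingActions    = ($Missing -join ',')
            }
        }
    }
}

function Get-RecentSearchQueryEvents {
    # Confirm the events are actually being recorded once enabled: pull the
    # matching records from the unified audit log for the last N hours.
    param([int]$Hours = 24)
    Search-UnifiedAuditLog -StartDate (Get-Date).AddHours(-$Hours) -EndDate (Get-Date) `
        -Operations SearchQueryInitiatedExchange, SearchQueryInitiatedSharePoint `
        -ResultSize 100
}

# Usage (hypothetical identity):
# Enable-SearchQueryAuditing -Identity 'user@contoso.onmicrosoft.com'
# Get-SearchQueryAuditGaps | Format-Table
# Get-RecentSearchQueryEvents -Hours 48 | Select-Object CreationDate, UserIds, Operations
```

`Get-SearchQueryAuditGaps` is the shape an automated baseline check would take: it returns a list of non-compliant mailboxes rather than a single tenant-wide boolean, because there is no tenant-level setting to query for these two actions. Whether the tenant or user needs a particular license for the `Set-Mailbox` call to succeed is exactly the dependency the thread asks to record, so run the enable step against a test mailbox first and capture any error it returns.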
This appears to largely be a duplicate of #88. Suggest reconciling and possibly closing this as a duplicate.
I argue that this issue is dependent on the decision of #88. The previous issue asks if we should & the creation of an appropriate policy (should vs shall). While this issue focuses more on what to do if we add advanced audit logs (i.e. updating the baseline, code, testing). I would agree that this issue can be updated to better reflect that, but I see them as distinct issues.
@Sloane4 @buidav Dependent issue #88 has been updated and unblocked based on direction from CISA to include the new audit items as a SHOULD. At this point, likely leave finding a way to automate the check as a new issue in the backlog unless the implementation is known and trivial, but EXO and Sharepoint policies likely do need to be updated to note the inclusion of the new audit items which requires creation of a new custom audit policy that includes the default advanced audit items as well as the new SearchQueryInitiatedExchange and SearchQueryInitiatedSharePoint audit items.
@Sloane4 @buidav Can you please test the instructions you hyperlinked above to add the SearchQueryInitiatedSharePoint and SearchQueryInitiatedExchange audit event against a couple of our tenants that have the required license and then share your results here?
I'd like to make sure:
- We flush out any nuances to the policy language.
- We record the dependencies for these events to work. For example, it seems like a tenant user must have the MS 365 Advanced Auditing license turned on before an Administrator can enable the SearchQueryInitiated events noted above (see screenshot below)
- We record the steps needed for an Administrator to enable these events.
Also, I have a question for you: I think it would make sense to write a single version of this policy and then use the same language across the EXO and Sharepoint/OneDrive baselines since the only difference between the two is the audit event being configured. In other words we want consistency in the policy language. Do you agree?
@schrolla @ahuynhMITRE Noting this issue as a potential candidate for deferral to Flipper if necessary. This is given that the result of this issue may spark a baseline policy addition to a couple of baselines and where we are right now with the status of the baseline reviews.
Concur, also because I'm wondering with the overall Microsoft changes taking place that the need for advanced audit licensing AND need to enable via powershell may go away in future service iterations. So wait and see seems like a reasonable approach here.
Moved to blocked as we are taking a wait & see approach for Microsoft's changes to the advanced auditing licensing
Kindly update this issue to state specifically what is blocking it and an estimated unblock date. If we are unsure when it will become unblocked, I would consider removing it from Glacier or assigning a cutoff date after which it will be pushed to the next release.
Due to technical complexity of this issue, I'm going to move to Halibut but remove the "blocked" tag as we have more details now on the audit changes coming up.
@twneale is this issue still expected to have baseline changes and, if yes, what is the expected date to have these changes in a PR and reviewed?
Further updates to the base issue to note that Premium is no longer required for these audit actions to be logged and to note the need for per-user assessment checks to properly assess. Part of this is dependent on other audit investigations and work ongoing in #1072. Issue will be backlogged until that work is complete.
Waiting on finalization of per user automated check capability resolution before working.