
[Bug]: UnifiedAuditLogIngestionEnabled from the exchange-audit-log-search-disabled finding

Open cmking94 opened this issue 1 year ago • 2 comments

What happened?
When viewing the o365_secomp_log_config.json output, the setting for UnifiedAuditLogIngestionEnabled shows "false", but if I run the command "Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled" manually, the output shows "True".

How to reproduce it
Run the command "Invoke-Monkey365 -PromptBehavior SelectAccount -IncludeEntraId -Instance Microsoft365 -Analysis ExchangeOnline,Microsoft365,MicrosoftTeams,Purview,SharePointOnline -ExportTo JSON" and review the output in the "o365_secomp_log_config.json" file.

Screenshots or Logs
[screenshot]

From where are you running Monkey365?
Please, complete the following information:

  • Resource: workstation
  • OS: Windows
  • PowerShell Version [$PsVersionTable]: 5.1.20348.2227
  • Monkey365 Version: v0.91.2-beta

Additional context
I do see the error "Unable to export" for the o365_secomp_dlp_sinfo_type.json file when running Invoke-Monkey365, if this is related.

cmking94 avatar Jan 23 '24 20:01 cmking94

Hi @cmking94,

That's rare, since Monkey365 does nothing with Get-AdminAuditLogConfig other than storing the result in a variable. In other words, if the command is returning False for that property (UnifiedAuditLogIngestionEnabled), then that property is disabled. This is because both Monkey365 and the ExchangeOnline PowerShell module use the same command. I will investigate that, since other issues have happened in the past where the origin was incorrect handling of data caused by the ConvertTo-Json command.

On the other hand, JSON and CSV output will be upgraded soon to a more consolidated output that is consistent across all formats, so HTML, JSON and CSV will store the same results. Right now Monkey365 is storing RAW data into JSON/CSV files, and sometimes you can see some exceptions at the time of exporting data, due to inconsistent format errors or unparseable data exceptions.

silverhack avatar Jan 24 '24 16:01 silverhack

Hey @cmking94,

I can confirm that it's a bug so thanks for letting me know about that! :D

In Microsoft 365 the auditing is part of Microsoft Purview, as stated here. If you select purview in Monkey365, the tool will redirect all queries to Security & Compliance Endpoint (ps.compliance.protection.outlook.com) and will get the result from Get-AdminAuditLogConfig.

So what's the issue? The issue is that depending on which endpoint is used (outlook.microsoft.com for EXO and ps.compliance... for Sec&Compliance) a different response is returned for the same command (Get-AdminAuditLogConfig).

You can actually check for that by using the official PowerShell modules, as shown below:

[screenshot]

This is an easy fix, and for that collector, a special route to the Exchange Online endpoint should be used to get effective results.

Many thanks for this @cmking94, it's really appreciated.

silverhack avatar Jan 24 '24 18:01 silverhack
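The endpoint-dependent answer described in the comment above can be reproduced with the official ExchangeOnlineManagement module. The script below is an added example, not code from Monkey365 or from the thread: it queries Get-AdminAuditLogConfig once through Connect-ExchangeOnline (the Exchange Online endpoint) and once through Connect-IPPSSession (the Security & Compliance endpoint), disconnecting in between so the cmdlet cannot resolve to a stale session proxy, and then flags a disagreement. The parameter name $UserPrincipalName and the helper function name Get-UalIngestionFlag are this example's own choices; the script assumes the module is installed and the account is allowed to read the audit configuration.

```powershell
# Added example (not Monkey365 project code): compare the value of
# UnifiedAuditLogIngestionEnabled returned by the two endpoints.
# Assumes the ExchangeOnlineManagement module is installed and the signed-in
# account may run Get-AdminAuditLogConfig.
param(
    [Parameter(Mandatory)]
    [string] $UserPrincipalName
)

Import-Module ExchangeOnlineManagement -ErrorAction Stop

# Hypothetical helper: connect to one endpoint, read the flag, disconnect.
function Get-UalIngestionFlag {
    param(
        [ValidateSet('ExchangeOnline', 'SecurityCompliance')]
        [string] $Endpoint
    )
    try {
        if ($Endpoint -eq 'ExchangeOnline') {
            Connect-ExchangeOnline -UserPrincipalName $UserPrincipalName -ShowBanner:$false
        } else {
            Connect-IPPSSession -UserPrincipalName $UserPrincipalName
        }
        $cfg = Get-AdminAuditLogConfig
        [pscustomobject]@{
            Endpoint                        = $Endpoint
            UnifiedAuditLogIngestionEnabled = [bool] $cfg.UnifiedAuditLogIngestionEnabled
        }
    }
    finally {
        # Tear the session down so the next Get-AdminAuditLogConfig call is
        # served by the endpoint we actually connected to.
        Disconnect-ExchangeOnline -Confirm:$false
    }
}

$results = @(
    Get-UalIngestionFlag -Endpoint ExchangeOnline
    Get-UalIngestionFlag -Endpoint SecurityCompliance
)
$results | Format-Table -AutoSize

$exo = $results | Where-Object { $_.Endpoint -eq 'ExchangeOnline' }
$distinct = @($results.UnifiedAuditLogIngestionEnabled | Select-Object -Unique)

if (-not $exo.UnifiedAuditLogIngestionEnabled) {
    Write-Warning 'Unified audit log ingestion is disabled on the Exchange Online endpoint.'
}
elseif ($distinct.Count -gt 1) {
    # This is the situation reported in the issue: same cmdlet, different answers.
    Write-Warning 'Endpoints disagree; use the Exchange Online value when reviewing scanner output.'
}
```

When the two rows disagree, the Exchange Online row is the one to compare against a scanner finding such as exchange-audit-log-search-disabled; a "false" that only appears on the Security & Compliance row is the endpoint behaviour discussed in this thread rather than evidence that auditing is off.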

This issue has been automatically marked as stale because it has not had recent activity. We kindly ask you to check again if the issue you reported is still relevant in the current version of Monkey 365. If it is, update this issue with a comment, otherwise it will be automatically closed if no further activity occurs. Thank you for your contributions.

github-actions[bot] avatar May 24 '24 02:05 github-actions[bot]

This is now updated in main release.

Cheers,

silverhack avatar Jun 10 '24 17:06 silverhack