Exchange Online Mailbox Audit Enhancements due to Storm-0558
Hi All,
A few days ago, Microsoft released an article on the Tech Community about the new standard logs in Purview Audit.
Back in June 2023 there was a lot of information about Microsoft having been breached by Storm-0558:
- Analysis of Storm-0558 techniques for unauthorized email access
- Microsoft mitigates China-based threat actor Storm-0558 targeting of customer email
- Results of Major Technical Investigations for Storm-0558 Key Acquisition
As a result of these events, Microsoft announced that it would make some E5 features, such as Microsoft Purview Audit (Premium), available to all customers and increase the default retention period for Audit (Standard) customers from 90 days to 180 days.
Basics
Let’s take a deeper look at Exchange Online auditing.
- Microsoft Learn: Manage mailbox auditing
Mailbox auditing is only supported for these mailbox types:
- User mailboxes
- Shared mailboxes
- Microsoft 365 Group mailboxes
These operations used to require an E5 license and can now also be audited without it:
- MailItemsAccessed
- SearchQueryInitiated
- Send
Checking the audit log configuration
Make sure the unified audit log is enabled and auditing is not disabled at the organization level:
Connect-ExchangeOnline -ShowBanner:$false
Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled
Get-OrganizationConfig | Format-List AuditDisabled
Audit settings before the change
These settings were documented in my tenant on 15.10.2023:
Get-Mailbox m.muster@icewolf.ch | fl *audit*
Expand the operations for AuditAdmin:
Get-Mailbox m.muster@icewolf.ch | select -ExpandProperty AuditAdmin
Update
MoveToDeletedItems
SoftDelete
HardDelete
SendAs
SendOnBehalf
Create
UpdateFolderPermissions
UpdateInboxRules
UpdateCalendarDelegation
ApplyRecord
Expand the operations for AuditDelegate:
Get-Mailbox m.muster@icewolf.ch | select -ExpandProperty AuditDelegate
Update
MoveToDeletedItems
SoftDelete
HardDelete
SendAs
SendOnBehalf
Create
UpdateFolderPermissions
UpdateInboxRules
ApplyRecord
Expand the operations for AuditOwner:
Get-Mailbox m.muster@icewolf.ch | select -ExpandProperty AuditOwner
Update
MoveToDeletedItems
SoftDelete
HardDelete
UpdateFolderPermissions
UpdateInboxRules
UpdateCalendarDelegation
ApplyRecord
I was not able to add the operations back then:
Set-Mailbox m.muster@icewolf.ch -AuditOwner @{Add="Send","MailItemsAccessed"}
Audit settings after the change
Get-Mailbox m.muster@icewolf.ch | fl *audit*
Expand the operations for AuditAdmin:
Get-Mailbox m.muster@icewolf.ch | select -ExpandProperty AuditAdmin
Update
MoveToDeletedItems
SoftDelete
HardDelete
SendAs
SendOnBehalf
Create
UpdateFolderPermissions
UpdateInboxRules
UpdateCalendarDelegation
ApplyRecord
MailItemsAccessed (NEW)
Send (NEW)
Expand the operations for AuditDelegate:
Get-Mailbox m.muster@icewolf.ch | select -ExpandProperty AuditDelegate
Update
MoveToDeletedItems
SoftDelete
HardDelete
SendAs
SendOnBehalf
Create
UpdateFolderPermissions
UpdateInboxRules
ApplyRecord
MailItemsAccessed (NEW)
Expand the operations for AuditOwner:
Get-Mailbox m.muster@icewolf.ch | select -ExpandProperty AuditOwner
Update
MoveToDeletedItems
SoftDelete
HardDelete
UpdateFolderPermissions
UpdateInboxRules
UpdateCalendarDelegation
ApplyRecord
MailItemsAccessed (NEW)
Send (NEW)
Adding SearchQueryInitiated to the logged operations for AuditOwner. You can see that AuditOwner no longer uses the defaults (DefaultAuditSet no longer contains Owner), because we added an operation.
Set-Mailbox m.muster@icewolf.ch -AuditOwner @{Add="searchqueryinitiated"}
Get-Mailbox m.muster@icewolf.ch | fl *audit*
Set it back to the Microsoft defaults:
Set-Mailbox -Identity m.muster@icewolf.ch -DefaultAuditSet Admin,Delegate,Owner
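The commands above check one mailbox at a time. The following script is an added example (not from the original post) that reports, for all user and shared mailboxes, whether they still follow the Microsoft default audit sets and whether the new operations shown above (MailItemsAccessed and Send for Admin and Owner, MailItemsAccessed for Delegate) are configured. It assumes an existing Connect-ExchangeOnline session; group mailboxes are not covered.

```powershell
# Operations that the new defaults add per audit set (taken from the output above)
$Required = @{
    AuditAdmin    = @('MailItemsAccessed', 'Send')
    AuditDelegate = @('MailItemsAccessed')
    AuditOwner    = @('MailItemsAccessed', 'Send')
}

function Get-MailboxAuditReport {
    param([string[]]$RecipientTypeDetails = @('UserMailbox', 'SharedMailbox'))

    Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails $RecipientTypeDetails |
        ForEach-Object {
            $Mbx = $_
            $Missing = foreach ($Set in $Required.Keys) {
                # Operation names are compared case-insensitively, like Set-Mailbox accepts them
                $Configured = @($Mbx.$Set) | ForEach-Object { "$_".ToLowerInvariant() }
                foreach ($Op in $Required[$Set]) {
                    if ($Configured -notcontains $Op.ToLowerInvariant()) { "${Set}:$Op" }
                }
            }
            [pscustomobject]@{
                Mailbox          = $Mbx.UserPrincipalName
                AuditEnabled     = $Mbx.AuditEnabled
                AuditLogAgeLimit = $Mbx.AuditLogAgeLimit
                DefaultAuditSet  = (@($Mbx.DefaultAuditSet) -join ',')
                # A mailbox on defaults lists Admin, Delegate and Owner in DefaultAuditSet
                OnDefaults       = (@($Mbx.DefaultAuditSet).Count -eq 3)
                MissingOps       = ($Missing -join ';')
            }
        }
}

# Show only mailboxes that drifted from the defaults or lack one of the new operations
Get-MailboxAuditReport |
    Where-Object { -not $_.AuditEnabled -or -not $_.OnDefaults -or $_.MissingOps } |
    Format-Table -AutoSize
```

Mailboxes listed with a non-empty MissingOps column can be returned to the defaults with the Set-Mailbox -DefaultAuditSet command shown above.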
Audit log search
Let’s use the Purview audit log search.
I searched the last two months for the RecordType “ExchangeItemAggregated”.
The search took about 7 minutes and found 3467 records.
It takes a while until all records are loaded. The oldest log I found for “MailItemsAccessed” was on 24 April 2024.
Let’s use the Search-UnifiedAuditLog command to search the audit log for the “MailItemsAccessed” operation:
$SessionID = "DemoSearch_" + (Get-Date -Format "yyyyMMdd_HHmm")
$AuditRecords = @()
$AuditRecords = Search-UnifiedAuditLog -Operations MailItemsAccessed -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date).AddDays(-20) -ResultSize 5000 -Formatted -SessionCommand ReturnLargeSet -SessionID $SessionID
$AuditRecords.Count
Make the records unique and show the first record in the array. As you can see, the AuditData is in JSON format:
$Records = $AuditRecords | Sort-Object Identity -Unique
$Records.count
$Records[0]
You need to convert the AuditData from JSON:
$Records[0].AuditData | ConvertFrom-Json
Let’s do that for all records and find the oldest ones. Same result: the oldest log I found for “MailItemsAccessed” was on 24 April 2024.
$ConvertedRecords = $Records.AuditData | ConvertFrom-Json
$ConvertedRecords.CreationTime | Sort-Object | Select-Object -First 20
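The search above stops at the first 5000 results and only sorts the creation times. As an added example (not from the original post), the following function pages through all MailItemsAccessed records of a date range, de-duplicates them by Identity, parses the JSON AuditData and summarises who accessed which mailbox with which client. The field names MailboxOwnerUPN, ClientInfoString, ExternalAccess and OperationProperties (MailAccessType, IsThrottled) are those of Microsoft's documented MailItemsAccessed record; an existing Connect-ExchangeOnline session is assumed.

```powershell
function Get-MailItemsAccessedSummary {
    param(
        [datetime]$StartDate = (Get-Date).AddDays(-90),
        [datetime]$EndDate   = (Get-Date)
    )
    $SessionId = "MailItemsAccessed_" + (Get-Date -Format "yyyyMMdd_HHmmss")
    $All = @()
    do {
        # ReturnLargeSet hands out up to 5000 records per call under the same
        # SessionId and returns nothing once the result set is exhausted
        $Page = Search-UnifiedAuditLog -Operations MailItemsAccessed `
            -StartDate $StartDate -EndDate $EndDate -ResultSize 5000 `
            -SessionCommand ReturnLargeSet -SessionId $SessionId
        if ($Page) { $All += $Page }
    } while ($Page)

    $Records = $All | Sort-Object Identity -Unique
    $Parsed = foreach ($R in $Records) {
        $Data  = $R.AuditData | ConvertFrom-Json
        $Props = @{}
        foreach ($P in $Data.OperationProperties) { $Props[$P.Name] = $P.Value }
        [pscustomobject]@{
            CreationTime   = [datetime]$Data.CreationTime
            MailboxOwner   = $Data.MailboxOwnerUPN
            AccessedBy     = $Data.UserId
            Client         = $Data.ClientInfoString
            MailAccessType = $Props['MailAccessType']        # Bind (single items) or Sync (folder)
            IsThrottled    = ($Props['IsThrottled'] -eq 'True') # True: later accesses were not logged
            ExternalAccess = $Data.ExternalAccess
        }
    }

    # One row per mailbox / accessing user / client / access type, busiest first
    $Parsed | Group-Object MailboxOwner, AccessedBy, Client, MailAccessType |
        ForEach-Object {
            [pscustomobject]@{
                Key       = $_.Name
                Count     = $_.Count
                First     = ($_.Group.CreationTime | Measure-Object -Minimum).Minimum
                Last      = ($_.Group.CreationTime | Measure-Object -Maximum).Maximum
                Throttled = @($_.Group | Where-Object IsThrottled).Count
            }
        } | Sort-Object Count -Descending
}

Get-MailItemsAccessedSummary | Format-Table -AutoSize
```

Rows with Sync access from an unfamiliar client or with a Throttled count above zero are the ones worth looking at first, since a throttled record means further accesses to that mailbox were not logged.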
Summary
It took much longer than I expected until this advanced audit log was finally available. The good thing is, I didn’t have to do anything. Microsoft just enabled the new defaults about a month ago.
Regards
Andres Bohren