Name:O365 Advanced Audit Disabled id:49862dd4-9cb2-4c48-a542-8c8a588d9361 version:3 date:2024-09-30 author:Mauricio Velazco, Michael Haag, Splunk status:production type:TTP Description:The following analytic detects instances where the O365 advanced audit is disabled for a specific user within the Office 365 tenant. It uses O365 audit logs, focusing on events related to audit license changes in AzureActiveDirectory workloads. This activity is significant because the O365 advanced audit provides critical logging and insights into user and administrator activities. Disabling it can blind security teams to potential malicious actions. If confirmed malicious, attackers could operate within the user's mailbox or account with reduced risk of detection, leading to unauthorized data access, data exfiltration, or account compromise. Data_source:
-O365 Change user license.
search:`o365_management_activity` Operation="Change user license." | eval property_name = mvindex ('ExtendedProperties{}.Name', 1) | search property_name = "extendedAuditEventCategory" | eval additionalDetails = mvindex('ExtendedProperties{}.Value',0) | eval split_value=split(additionalDetails, "NewValue") | eval possible_plan=mvindex(split_value, 1) | rex field="possible_plan" "DisabledPlans=\[(?P<DisabledPlans>[^\]]+)\]" | search DisabledPlans IN ("*M365_ADVANCED_AUDITING*") | stats min(_time) as firstTime max(_time) as lastTime by Operation user object DisabledPlans | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_advanced_audit_disabled_filter`
how_to_implement:You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. known_false_positives:Administrators might temporarily disable the advanced audit for troubleshooting, performance reasons, or other administrative tasks. Filter as needed. References: -https://attack.mitre.org/techniques/T1562/008/ -https://www.mandiant.com/sites/default/files/2022-08/remediation-hardening-strategies-for-m365-defend-against-apt29-white-paper.pdf -https://www.csoonline.com/article/570381/microsoft-365-advanced-audit-what-you-need-to-know.html drilldown_searches: name:'View the detection results for - "$user$"' search:'%original_detection_search% | search user = "$user$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$user$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Office 365 Persistence Mechanisms' asset_type:O365 Tenant confidence:80 impact:40 message:Advanced auditing for user $object$ was disabled by $user$ mitre_attack_id: - 'T1562' - 'T1562.008' observable: name:'user' type:'User' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' risk_score:32 required_fields: - '_time' - 'Operation' - 'ExtendedProperties{}.Name' - 'ExtendedProperties{}.Value' - 'user' - 'object' security_domain:identity
