Managed Sentinel – Alert 123

Alert ID: MS-A123
Alert Name: Exchange Audit Log Disabled
Description: Identifies when Exchange audit logging has been disabled, which may be an adversary's attempt to evade detection or avoid other defenses.
Severity Level: Medium
Threat Indicator: Root Access
MITRE ATT&CK Tactics: Defense Evasion
Log sources: Office Activity
False Positive: Service account related changes
Recommendations:
1. If the change is not correlated with an approved internal event subject to the corporate change management policy, reverse the change in Windows.
2. Review activity logs in Office 365 via the Azure Sentinel console and identify any abnormal activities within the time window in which the change was made.