Rec: 6.1.3 - Validate Test-MailboxAuditingE5.ps1, ELevel: E5, ProfileLevel: L1, IG1: TRUE, IG2: TRUE, IG3: TRUE, Connection: AzureAD | EXO | Microsoft Graph

[DrIOSX]

Validation for Test-MailboxAuditingE5.ps1

Recommendation Details

• Recommendation: 6.1.3
• Description: Ensure mailbox auditing for Office E5 users is Enabled
• ELevel: E5
• Profile Level: L1
• CIS Control: 8.2
• CIS Description: Collect audit logs.
• Implementation Group 1: TRUE
• Implementation Group 2: TRUE
• Implementation Group 3: TRUE
• Automated: TRUE
• Connection: AzureAD | EXO | Microsoft Graph

Test-MailboxAuditingE5.ps1

Tasks

Validate recommendation details

• [ ] Confirm that the recommendation details are accurate and complete as per the CIS benchmark.

Validate test for a pass

• [ ] Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
  • Specific conditions to check:
  • Condition A: Mailbox auditing is enabled for E5 users.
  • Condition B: AuditAdmin actions include ApplyRecord, Create, HardDelete, MailItemsAccessed, MoveToDeletedItems, Send, SendAs, SendOnBehalf, SoftDelete, Update, UpdateCalendarDelegation, UpdateFolderPermissions, UpdateInboxRules.
  • Condition C: AuditDelegate actions include ApplyRecord, Create, HardDelete, MailItemsAccessed, MoveToDeletedItems, SendAs, SendOnBehalf, SoftDelete, Update, UpdateFolderPermissions, UpdateInboxRules.
  • Condition D: AuditOwner actions include ApplyRecord, HardDelete, MailItemsAccessed, MoveToDeletedItems, Send, SoftDelete, Update, UpdateCalendarDelegation, UpdateFolderPermissions, UpdateInboxRules.

Validate test for a fail

• [ ] Confirm that the failure conditions in the automated test are consistent with the manual audit results.
  • Specific conditions to check:
  • Condition A: Mailbox auditing is not enabled for E5 users.
  • Condition B: AuditAdmin actions do not include all of the following: ApplyRecord, Create, HardDelete, MailItemsAccessed, MoveToDeletedItems, Send, SendAs, SendOnBehalf, SoftDelete, Update, UpdateCalendarDelegation, UpdateFolderPermissions, UpdateInboxRules.
  • Condition C: AuditDelegate actions do not include all of the following: ApplyRecord, Create, HardDelete, MailItemsAccessed, MoveToDeletedItems, SendAs, SendOnBehalf, SoftDelete, Update, UpdateFolderPermissions, UpdateInboxRules.
  • Condition D: AuditOwner actions do not include all of the following: ApplyRecord, HardDelete, MailItemsAccessed, MoveToDeletedItems, Send, SoftDelete, Update, UpdateCalendarDelegation, UpdateFolderPermissions, UpdateInboxRules.

Add notes and observations

• [ ] Compare the automated audit results with the manual audit steps and provide detailed observations.
  • Automated audit produced info consistent with the manual audit test results? (Yes/No)
  • Without disclosing any sensitive information, document any discrepancies between the actual output and the expected output.
  • Document any error messages, removing any sensitive information before submitting.
  • Identify the specific function, line, or section of the script that failed, if known.
  • Provide any additional context or observations that might help in troubleshooting.

If needed, the helpers folder in .\source\helpers contains a CSV to assist with locating the test definition.

[DrIOSX]

Base PowerShell Audit:

$MailAudit = Get-EXOMailbox -PropertySets Audit -ResultSize Unlimited | Select-Object UserPrincipalName, AuditEnabled, AuditAdmin, AuditDelegate, AuditOwner $MailAudit | Export-Csv -Path C:\CIS\AuditSettings.csv -NoTypeInformation

[DrIOSX]

Due to some differences in defaults for audit actions this recommendation is specific to users assigned an E5 license, or auditing addon license, only.