
Policy question: Does Defender policy 6.2 need updates since Microsoft changed their default logging events for standard license holders? #1416

Open
tkol2022 opened this issue Nov 12, 2024 · 0 comments
Labels
baseline-document Issues relating to the text in the baseline documents themselves enhancement This issue or pull request will add new or improve existing functionality hands-on-prototyping Reviewing an M365 feature by performing hands-on prototyping

Comments

@tkol2022 (Collaborator)

💡 Summary

This is a policy enhancement proposal that can be voted on by the team due to changes in Microsoft's logging by license level that impact Defender policy 6.2 (audit premium license for all users). It also requires some hands-on investigation to determine how the current state of Microsoft's logging system behaves w/r/t the log events that were previously only captured by the audit premium license but are now captured by audit standard.

Since Microsoft has now added numerous log events required by OMB to the Audit Standard license (including MailItemsAccessed, Send, SearchQueryInitiatedExchange, SearchQueryInitiatedSharepoint) is Scuba policy 6.2 still a requirement to add Audit Premium licenses to individual users? Those events were previously only available with the premium license but that isn't the case anymore.

Maybe instead we modify policy 6.2 to be about having the Audit Premium but at the organization level and not enabled for individual users? The key benefits of Audit Premium at the organization level are longer audit log retention, audit log retention policies and intelligent insights. That said, having a longer audit log retention seems like a good thing at face value, but many agencies will be offloading their logs to a SIEM which is where the log retention matters to those orgs so having longer retention in M365 only benefits smaller orgs that don’t offload their logs. Therefore maybe we change policy 6.2 to be about having Audit Premium at the organization level and make it a SHOULD policy since it doesn’t apply to everyone?

https://www.microsoft.com/en-us/security/blog/2023/10/18/expanding-audit-logging-and-retention-within-microsoft-purview-for-increased-security-visibility

https://learn.microsoft.com/en-us/purview/audit-solutions-overview#audit-premium

Motivation and context

Scuba policies should be aligned with Microsoft's changes and we should update policies that are no longer applicable as currently designed.

@tkol2022 tkol2022 added baseline-document Issues relating to the text in the baseline documents themselves enhancement This issue or pull request will add new or improve existing functionality hands-on-prototyping Reviewing an M365 feature by performing hands-on prototyping labels Nov 12, 2024
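For the hands-on investigation the issue asks for, here is an added example (not part of the issue or of the ScubaGear project) that pulls the four audit operations named above from the unified audit log for the last seven days and tabulates events and distinct acting users per operation. It assumes the ExchangeOnlineManagement module is installed and an admin has already run Connect-ExchangeOnline; the operation names use Microsoft's documented casing.

```powershell
# Added example: tabulate the audit events the issue discusses so a reviewer
# can check whether they are recorded for users who only hold Audit Standard.
# Assumes an existing Connect-ExchangeOnline session.

$operations = @(
    'MailItemsAccessed',
    'Send',
    'SearchQueryInitiatedExchange',
    'SearchQueryInitiatedSharePoint'
)
$start = (Get-Date).AddDays(-7)
$end   = Get-Date
$sessionId = "audit-check-$([guid]::NewGuid())"
$records = @()

# Page through the result set; ReturnNextPreviewPage keeps returning the next
# batch for the same SessionId until no more records are available.
do {
    $batch = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -Operations $operations -ResultSize 5000 `
        -SessionId $sessionId -SessionCommand ReturnNextPreviewPage
    if ($batch) { $records += $batch }
} while ($batch -and $batch.Count -eq 5000)

# Events and distinct acting users per operation.
$records | Group-Object Operations | ForEach-Object {
    [pscustomobject]@{
        Operation     = $_.Name
        Events        = $_.Count
        DistinctUsers = ($_.Group |
            Select-Object -ExpandProperty UserIds -Unique).Count
    }
} | Sort-Object Operation | Format-Table -AutoSize

# List the acting users so they can be cross-checked against the tenant's
# license assignments; an operation that only ever shows Audit Premium users
# is one that Audit Standard is not capturing in this tenant.
$records | Select-Object -ExpandProperty UserIds -Unique | Sort-Object
```

A missing operation in the table over a week of normal activity is the signal worth following up on, since a single run cannot distinguish "not logged" from "no such activity occurred".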