Exchange audit log disabled

Synopsis

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	1 Day
Required Data	Requires: Office 365 Audit
Detection Modules	Identity Threat Module
ATT&CK Tactic	Defense Evasion (TA0005)
ATT&CK Technique	Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)
Severity	Low

A user disabled the Exchange audit log. This may indicate an attempt to evade detection.

An attacker is attempting to evade detection.

Follow further actions done by the account.
Verify that the configuration change was expected.
Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity).