Managed Sentinel – Alert 123
| Field | Value |
| --- | --- |
| Alert ID | MS-A123 |
| Alert Name | Exchange Audit Log Disabled |
| Description | Identifies when Exchange audit logging has been disabled, which may be an adversary attempt to evade detection or bypass other defenses. |
| Severity Level | Medium |
| Threat Indicator | Root Access |
| MITRE ATT&CK Tactics | Defense Evasion |
| Log Sources | Office Activity |
| False Positives | Changes related to service accounts |
| Recommendations | 1. If the change is not correlated with an approved internal event subject to the corporate change management policy, reverse the change in Windows. 2. Review the Office365 activity logs in the Azure Sentinel console and identify any abnormal activity within the time window in which the change was made. |