Mailbox Auditing Enabled Organization-Wide

💼 Management Summary

Enable organization-wide mailbox auditing so that all mailbox actions (read, delete, forward, permission changes) are logged for compliance and forensics.

Recommendation: IMPLEMENT
Risk without implementation: Critical
Risk score: 9/10
Implementation effort: 3h (technical: 1h)
Applies to: Exchange Online, M365

Mailbox auditing is ESSENTIAL for: (1) Compliance: BIO requires 7 years of audit logs, and regulatory requirements (HIPAA, SOX) require email audit trails; (2) Security incidents: after a compromise, who read which emails? Were forwarding rules created? Were attachments downloaded?; (3) Insider threats: detection of data exfiltration via email (mass exports, suspicious forwards); (4) eDiscovery: legal hold and investigations require complete audit trails. Without mailbox auditing: compliance violations (no audit trail is an automatic BIO/ISO failure), security incidents remain undetected (mailbox compromises are invisible), forensics is impossible (what did the attacker do in the mailbox?), and legal liability (no audit evidence can be produced for litigation).

PowerShell Modules Required
Primary API: Exchange Online
Connection: Connect-ExchangeOnline
Required modules: ExchangeOnlineManagement

Implementation

Set-OrganizationConfig -AuditDisabled $false. This enables auditing for ALL mailboxes (automatically; no per-mailbox configuration needed). Audit events: owner actions (email send, delete, move), delegate actions (send-as, send-on-behalf), admin actions (mailbox access, permission changes). Retention: 90 days by default (export to Sentinel for 7-year retention as required by BIO).

Requirements

  1. Exchange Online subscription
  2. Global Administrator or Exchange Administrator role
  3. Azure Sentinel for long-term retention (the 90-day default is insufficient for the BIO 7-year requirement)
  4. Storage capacity planning for audit logs

Implementation

Use the PowerShell script audit-disabled-false.ps1 (function Invoke-Remediation) – Enable organization-wide mailbox auditing.

  1. PowerShell: Set-OrganizationConfig -AuditDisabled $false
  2. Verify: Get-OrganizationConfig | Select AuditDisabled (must be False)
  3. Export to Sentinel: configure the Exchange Online connector in Sentinel for 7-year retention

Monitoring

Use the PowerShell script audit-disabled-false.ps1 (function Invoke-Monitoring) – Check.

  1. Verify: AuditDisabled is False
  2. Check audit log availability: Search-UnifiedAuditLog
  3. Monitor audit log volume (growing is good)
  4. Sentinel ingestion rate for Exchange audit logs
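The verification step (AuditDisabled must be False) and the monitoring checks on audit-log availability and volume, worked through as an added PowerShell example that is not the baseline's own script. It assumes the ExchangeOnlineManagement module and an account holding the Exchange Administrator role; the lookback window and minimum record count are placeholder thresholds, and the audit-bypass listing goes one step beyond the text because bypassed mailboxes are not logged even when the org-wide switch is on.

```powershell
#Requires -Modules ExchangeOnlineManagement
# Added example, not the baseline's own script. Checks the org-wide switch,
# lists mailboxes excluded from auditing via bypass associations, and counts
# Exchange audit records in a lookback window so a silent gap shows as zero.
param(
    [int]$LookbackHours = 24,      # assumption: adjust to your monitoring cadence
    [int]$MinExpectedRecords = 1   # assumption: raise to your tenant's normal volume
)

Connect-ExchangeOnline -ShowBanner:$false

# 1. Organization-wide switch: AuditDisabled must be False.
$org = Get-OrganizationConfig
if ($org.AuditDisabled) {
    Write-Warning "AuditDisabled is True: no mailbox actions are being recorded."
} else {
    Write-Host "AuditDisabled is False: mailbox auditing is on for all mailboxes."
}

# 2. A mailbox with an audit bypass association is not logged even when the
#    org-wide switch is on, so every entry here should be a documented exception.
$bypassed = Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
    Where-Object { $_.AuditBypassEnabled }
foreach ($b in $bypassed) {
    Write-Warning "Audit bypass enabled for: $($b.Name)"
}

# 3. Are records actually arriving? Count per RecordType for the lookback window.
#    Search-UnifiedAuditLog takes one RecordType per call, hence the loop.
$end   = Get-Date
$start = $end.AddHours(-$LookbackHours)
$total = 0
foreach ($type in 'ExchangeItem', 'ExchangeAdmin') {
    $records = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -RecordType $type -ResultSize 5000
    $count = ($records | Measure-Object).Count
    $total += $count
    Write-Host ("  {0,-14} {1,5} records in the last {2} h" -f $type, $count, $LookbackHours)
}
if ($total -lt $MinExpectedRecords) {
    Write-Warning "Only $total Exchange audit records found: verify auditing and Sentinel ingestion."
}

Disconnect-ExchangeOnline -Confirm:$false
```

A count of zero in both record types while AuditDisabled is False usually means the unified audit log itself is off or ingestion lags; compare it with the Sentinel connector's ingestion rate from step 4.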

Compliance and Auditing

  1. CIS M365 - Mailbox auditing
  2. BIO 12.04 - Logging (7-year retention obligation)
  3. ISO 27001 A.12.4.1 - Event logging and audit trails
  4. GDPR (AVG) - audit trails for accountability

Remediation

Use the PowerShell script audit-disabled-false.ps1 (function Invoke-Remediation) – Restore.

Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).

PowerShell
<#
.SYNOPSIS
    Mailbox Auditing Enabled (Audit Disabled = False)
.DESCRIPTION
    Ensures organization-wide mailbox auditing is enabled
.NOTES
    NL Baseline v2.0
#>
#Requires -Version 5.1
#Requires -Modules ExchangeOnlineManagement

[CmdletBinding()]
param(
    [switch]$Monitoring,
    [switch]$Remediation,
    [switch]$Revert,
    [switch]$WhatIf
)

$ErrorActionPreference = 'Stop'

Write-Host "`n========================================" -ForegroundColor Cyan
Write-Host "Mailbox Auditing Enabled" -ForegroundColor Cyan
Write-Host "========================================`n" -ForegroundColor Cyan

# Exit codes: 0 = compliant / remediated, 1 = non-compliant, 2 = error
function Invoke-Monitoring {
    try {
        Connect-ExchangeOnline -ShowBanner:$false -ErrorAction Stop
        $orgConfig = Get-OrganizationConfig -ErrorAction Stop
        $isAuditDisabled = $orgConfig.AuditDisabled
        $isCompliant = ($isAuditDisabled -eq $false)

        Write-Host "  Organization Auditing: $(if ($isCompliant) { 'ENABLED' } else { 'DISABLED' })" -ForegroundColor $(if ($isCompliant) { 'Green' } else { 'Red' })
        Write-Host "`n  Audit Coverage:" -ForegroundColor Cyan
        Write-Host "    • All mailboxes automatically audited" -ForegroundColor Gray
        Write-Host "    • Owner, delegate, admin actions tracked" -ForegroundColor Gray
        Write-Host "    • 90-day retention (default)" -ForegroundColor Gray

        if ($isCompliant) {
            Write-Host "`n[OK] COMPLIANT - Auditing enabled" -ForegroundColor Green
            exit 0
        } else {
            Write-Host "`n[FAIL] NON-COMPLIANT - Auditing DISABLED!" -ForegroundColor Red
            exit 1
        }
    } catch {
        Write-Host "ERROR: $_" -ForegroundColor Red
        exit 2
    }
}

function Invoke-Remediation {
    try {
        Connect-ExchangeOnline -ShowBanner:$false -ErrorAction Stop
        $orgConfig = Get-OrganizationConfig
        if ($orgConfig.AuditDisabled -eq $false) {
            Write-Host "  [OK] Auditing already enabled" -ForegroundColor Green
            exit 0
        }
        # Org-wide switch: turning it off (False) enables auditing for all mailboxes
        Set-OrganizationConfig -AuditDisabled $false -ErrorAction Stop
        Write-Host "`n[OK] Organization-wide auditing enabled" -ForegroundColor Green
        Write-Host "All mailboxes will be audited automatically" -ForegroundColor Cyan
        exit 0
    } catch {
        Write-Host "ERROR: $_" -ForegroundColor Red
        exit 2
    }
}

function Invoke-Revert {
    try {
        Connect-ExchangeOnline -ShowBanner:$false -ErrorAction Stop
        Set-OrganizationConfig -AuditDisabled $true -ErrorAction Stop
        Write-Host "  ⚠️ Auditing disabled - no mailbox actions tracked!" -ForegroundColor Yellow
        exit 0
    } catch {
        Write-Host "ERROR: $_" -ForegroundColor Red
        exit 2
    }
}

try {
    if ($Revert) {
        Invoke-Revert
    } elseif ($Monitoring) {
        Invoke-Monitoring
    } elseif ($Remediation) {
        Invoke-Remediation
    } else {
        Write-Host "Use: -Monitoring | -Remediation | -Revert" -ForegroundColor Yellow
    }
} catch {
    throw
} finally {
    Write-Host "`n========================================`n" -ForegroundColor Cyan
}

Risk without implementation

Critical: CRITICAL compliance and security risk. Without mailbox auditing: the BIO 7-year logging requirement is NOT met, which is an automatic compliance failure; security incidents go undetected (mailbox compromises are invisible); forensics is impossible; legal liability (no audit evidence).

Management Summary

CRITICAL: Enable mailbox auditing (AuditDisabled = False). This logs ALL mailbox actions. Export to Sentinel for 7-year BIO compliance. Implementation: 1-3 hours.