Quick Start: Audit Logging - Week 3

💼 Management Summary

Audit logging is essential for security investigations, compliance requirements and forensic analysis. This quick start enables comprehensive logging for M365, Azure AD and Exchange Online within one day, with 90-365 days of retention.

Recommendation
IMPLEMENT
Risk without
High
Risk Score
8/10
Implementation
6h (tech: 4h)
Applies to:
M365
Azure AD
Exchange Online

Without audit logging, security incidents cannot be investigated (no evidence trail), compliance violations follow (BIO, NIS2 and AVG/GDPR require logging), forensic analysis is impossible after a breach, insider threats are undetectable and data exfiltration goes unnoticed. Audit logs are MANDATORY for: AVG/GDPR Article 32 (security of processing, which presupposes the ability to detect and reconstruct incidents), NIS2 Article 21 (incident detection and handling), BIO theme 12.04 (event logging), ISO 27001:2022 A.8.15 Logging (numbered A.12.4.1 Event logging in the 2013 edition that BIO follows), and e-discovery in legal hold scenarios. Microsoft 365 provides comprehensive logging, but it must be explicitly enabled and configured for adequate retention.

PowerShell Modules Required
Primary API: Exchange Online PowerShell
Connection: Connect-ExchangeOnline
Required Modules: ExchangeOnlineManagement (the script additionally uses Microsoft.Graph for the Azure AD audit log check)

Implementation

This quick start configures three logging layers within one day: (1) Unified Audit Log (M365-wide): user activities, admin operations and compliance events; 180 days of retention with Audit (Standard, E3; Microsoft raised this from 90 days), 1 year with Audit (Premium, E5); enabled via the Purview compliance portal. (2) Mailbox audit logging (Exchange): owner, delegate and admin actions, email access tracking; on by default, but verify it has not been disabled; 90-day retention per mailbox (AuditLogAgeLimit). (3) Azure AD (Microsoft Entra ID) sign-in logs: authentication events, Conditional Access decisions, risky sign-ins and MFA events; 30-day retention with P1 or P2 (7 days on the free tier). Optional: export to Azure Storage (long-term) or Microsoft Sentinel (SIEM) for centralized log management and advanced analytics. Implementation is mostly verification (most of this is on by default) plus retention configuration.

Requirements

  1. Microsoft 365 E3/E5 licence
  2. Compliance Administrator or Global Administrator role
  3. Azure AD Premium P1/P2 for sign-in logs (30-day retention)
  4. Storage account for log export (optional, long-term retention)
  5. Microsoft Sentinel workspace (optional, SIEM)
  6. Audit log search permissions for the security team

Implementation (1 day - 4 hours)

Use PowerShell script 06-audit-logging.ps1 (-Implementation switch, function Invoke-Implementation) to implement.

STEP 1: Unified Audit Log (2 hours)

  1. Purview compliance portal → Audit
  2. Verify: audit log search is enabled (on by default for new tenants)
  3. If disabled: turn on auditing
  4. Retention: Audit (Standard, E3) is 180 days (previously 90), Audit (Premium, E5) is 1 year (configured automatically)
  5. For extended retention (Audit Premium): create an audit log retention policy
  6. Retention: 1 year (E5) or 10 years (E5 plus the 10-Year Audit Log Retention add-on licence)
  7. Scope: all activities, or specific record types, operations or users
  8. Test: search the audit log for recent activities
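
The steps above, worked end to end in PowerShell. This is an added example, not the page's own 06-audit-logging.ps1: it checks the ingestion flag, creates a retention policy for identity and Exchange admin records (the policy name and the 12-month choice are assumptions for this example, and the policy cmdlets need Audit Premium licensing), and uses ResultCount on a one-record search as an ingestion smoke test.

```powershell
# Added example (not part of the original quick start): verify UAL ingestion,
# create a retention policy for identity and Exchange admin events, and smoke-test
# the search. Assumptions: Compliance Administrator rights, ExchangeOnlineManagement
# installed, Audit (Premium) licensing for retention beyond the tenant default,
# and the policy name below (chosen for this example).
#Requires -Modules ExchangeOnlineManagement

Connect-ExchangeOnline -ShowBanner:$false
Connect-IPPSSession -ShowBanner:$false   # Security & Compliance PowerShell: retention policy cmdlets live here

# 1. Ingestion flag. Turning it on is idempotent; propagation can take up to 24 hours.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    Write-Warning 'UAL ingestion was off and has been enabled; searches may stay empty for up to 24 hours.'
}

# 2. Retention policy: keep Entra ID sign-in/directory events and Exchange admin
#    cmdlet records for 12 months, independent of the tenant-wide default.
#    The lowest Priority number wins when policies overlap.
$policyName = 'NBVC-Identity-ExchangeAdmin-12m'   # example name, not from the page
if (-not (Get-UnifiedAuditLogRetentionPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-UnifiedAuditLogRetentionPolicy -Name $policyName `
        -Description 'Identity and Exchange admin audit records, 12 months' `
        -RecordTypes AzureActiveDirectory, AzureActiveDirectoryStsLogon, ExchangeAdmin `
        -RetentionDuration TwelveMonths `
        -Priority 10
}
Get-UnifiedAuditLogRetentionPolicy | Format-Table Name, RecordTypes, RetentionDuration, Priority -AutoSize

# 3. Smoke test. ResultCount on the first returned record is the total number of
#    matching records, so one tiny query shows whether ingestion is actually flowing.
$start = (Get-Date).AddDays(-1)
$end   = Get-Date
$first = Search-UnifiedAuditLog -StartDate $start -EndDate $end -ResultSize 1
if (-not $first) {
    Write-Warning 'No audit records in the last 24 hours: ingestion is off, not yet propagated, or this account lacks audit search rights.'
} else {
    "Total audit records in the last 24 h: $($first.ResultCount)"
    # Breakdown of the most recent records by workload, to see which services are reporting
    Search-UnifiedAuditLog -StartDate $start -EndDate $end -ResultSize 500 |
        Group-Object RecordType | Sort-Object Count -Descending |
        Format-Table Name, Count -AutoSize
}
```

Run it once after enabling; an empty breakdown for a workload you know is in use (for example no SharePoint record types in a tenant that uses SharePoint daily) is the kind of gap the Purview portal's on/off switch will not show you.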

STEP 2: Mailbox auditing (30 minutes)

  1. Connect-ExchangeOnline
  2. Check: Get-OrganizationConfig | Select AuditDisabled
  3. Should be: AuditDisabled is False (enabled)
  4. If disabled: Set-OrganizationConfig -AuditDisabled $false
  5. Verify per mailbox: Get-Mailbox | Select Name, AuditEnabled
  6. Should be: AuditEnabled is True for all mailboxes. Note that with mailbox auditing on by default (AuditDisabled False) the organisation-level switch is the controlling one; also check Get-MailboxAuditBypassAssociation, since an account with a bypass association is excluded from auditing regardless of the per-mailbox flag.
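
The verification in STEP 2, taken further than the two cmdlets above. This is an added example, not the page's own script: it reports the organisation-wide switch, audit bypass associations, mailboxes whose per-mailbox retention (AuditLogAgeLimit) is below 90 days, and mailboxes whose owner action set does not include MailboxLogin, then offers a WhatIf-safe repair for the findings. The 90-day threshold and the choice of MailboxLogin as the must-have owner action are assumptions for this example.

```powershell
# Added example: audit the mailbox-auditing configuration rather than trusting
# per-mailbox AuditEnabled alone. Assumes an existing Connect-ExchangeOnline session
# with Exchange Administrator rights. The 90-day floor and the MailboxLogin check are
# choices made for this example, not requirements from the quick start.
#Requires -Modules ExchangeOnlineManagement

$minAgeLimit = [TimeSpan]::FromDays(90)

# Org-level switch: AuditDisabled=$true turns mailbox auditing off tenant-wide,
# whatever the individual mailboxes say.
$org = Get-OrganizationConfig
[pscustomobject]@{ Check = 'Org mailbox auditing on by default'; Ok = (-not $org.AuditDisabled) }

# Bypass associations silently exclude an account's actions from the audit log
# (its own mailbox and any mailbox it touches as delegate or admin).
$bypass = @(Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
    Where-Object { $_.AuditBypassEnabled })
[pscustomobject]@{ Check = 'No audit bypass associations'; Ok = ($bypass.Count -eq 0); Detail = ($bypass.Name -join ', ') }

# Per-mailbox settings: retention and which owner actions are captured.
$mbx = Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox `
    -Properties AuditEnabled, AuditLogAgeLimit, AuditOwner, AuditAdmin, AuditDelegate

# AuditLogAgeLimit comes back as a "dd.hh:mm:ss" string; cast before comparing.
$shortRetention = @($mbx | Where-Object { [TimeSpan]$_.AuditLogAgeLimit -lt $minAgeLimit })
$noOwnerLogin   = @($mbx | Where-Object { $_.AuditOwner -notcontains 'MailboxLogin' })

[pscustomobject]@{ Check = 'All mailboxes retain >= 90 days'; Ok = ($shortRetention.Count -eq 0); Detail = ($shortRetention.UserPrincipalName -join ', ') }
[pscustomobject]@{ Check = 'Owner logins audited';            Ok = ($noOwnerLogin.Count -eq 0);   Count  = $noOwnerLogin.Count }

# Repair for the findings above. SupportsShouldProcess makes -WhatIf a dry run.
function Repair-MailboxAudit {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(ValueFromPipeline)] $Mailbox)
    process {
        if ($PSCmdlet.ShouldProcess($Mailbox.UserPrincipalName, 'Set AuditLogAgeLimit=90d and add MailboxLogin to AuditOwner')) {
            Set-Mailbox -Identity $Mailbox.UserPrincipalName -AuditEnabled $true `
                -AuditLogAgeLimit 90.00:00:00 `
                -AuditOwner @{Add = 'MailboxLogin'}
        }
    }
}

# Preview first; drop -WhatIf to apply.
$shortRetention + $noOwnerLogin | Sort-Object UserPrincipalName -Unique | Repair-MailboxAudit -WhatIf
```

Keep the bypass check in your monthly review: a bypass association is the one setting here that a compromised admin can use to make a specific account disappear from the audit trail without touching the organisation-wide switch.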

STEP 3: Azure AD sign-in logs (30 minutes)

  1. Azure Portal → Azure AD (Microsoft Entra ID) → Sign-in logs
  2. Verify: logs are present (on automatically with Azure AD P1/P2)
  3. Retention: 30 days (fixed, not configurable in the portal)
  4. For longer retention: export to a Log Analytics workspace
  5. Diagnostic settings → Add diagnostic setting
  6. Logs: SignInLogs, AuditLogs, RiskyUsers (add NonInteractiveUserSignInLogs and ServicePrincipalSignInLogs for full sign-in coverage)
  7. Destination: Log Analytics workspace
  8. Retention in workspace: 30-730 days configurable (interactive retention; archive tiers extend this further)
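
The diagnostic setting from STEP 3 created from PowerShell instead of the portal, followed by a KQL check that sign-ins are actually landing in the workspace. This is an added example, not the page's own script: the subscription, resource group, workspace and setting names are placeholders, the caller is assumed to hold Security Administrator in Entra plus Log Analytics Contributor on the workspace, and the Az.Accounts and Az.OperationalInsights modules are assumed to be installed.

```powershell
# Added example: create the Microsoft Entra diagnostic setting that ships sign-in,
# audit and risk logs to a Log Analytics workspace, then verify ingestion with KQL.
# All names in the param block are placeholders for this example.
#Requires -Modules Az.Accounts, Az.OperationalInsights

param(
    [string]$SubscriptionId = '00000000-0000-0000-0000-000000000000',  # placeholder
    [string]$ResourceGroup  = 'rg-security-logs',                        # placeholder
    [string]$WorkspaceName  = 'law-security',                            # placeholder
    [string]$SettingName    = 'entra-to-law',                            # placeholder
    [int]$RetentionInDays   = 365                                        # 30-730 interactive
)

Connect-AzAccount -Subscription $SubscriptionId | Out-Null
$ws = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup -Name $WorkspaceName

# Entra diagnostic settings hang off the tenant-level microsoft.aadiam provider, not
# off a subscription resource, so they are written through the ARM REST API directly.
$categories = 'AuditLogs', 'SignInLogs', 'NonInteractiveUserSignInLogs',
              'ServicePrincipalSignInLogs', 'ManagedIdentitySignInLogs',
              'ProvisioningLogs', 'RiskyUsers', 'UserRiskEvents'
$body = @{
    properties = @{
        workspaceId = $ws.ResourceId
        logs        = @($categories | ForEach-Object { @{ category = $_; enabled = $true } })
    }
} | ConvertTo-Json -Depth 5

$path = "/providers/microsoft.aadiam/diagnosticSettings/$SettingName?api-version=2017-04-01-preview"
$resp = Invoke-AzRestMethod -Method PUT -Path $path -Payload $body
if ($resp.StatusCode -notin 200, 201) {
    throw "Creating diagnostic setting failed: HTTP $($resp.StatusCode) $($resp.Content)"
}
"Diagnostic setting '$SettingName' -> $($ws.Name)"

# Retention is a workspace property, not part of the diagnostic setting.
Set-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup -Name $WorkspaceName `
    -RetentionInDays $RetentionInDays | Out-Null

# Verification: sign-ins per result code over the last day. An empty table right after
# creation is normal; ingestion typically starts within 15-30 minutes.
$kql = @'
SigninLogs
| where TimeGenerated > ago(1d)
| summarize SignIns = count() by ResultType, ResultDescription
| order by SignIns desc
'@
(Invoke-AzOperationalInsightsQuery -WorkspaceId $ws.CustomerId -Query $kql).Results |
    Format-Table -AutoSize
```

Including NonInteractiveUserSignInLogs matters more than it looks: token refreshes and Conditional Access re-evaluations for a stolen session show up there, not in the interactive SignInLogs table.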

STEP 4: SIEM integration (optional, 1 hour)

  1. Create a Microsoft Sentinel workspace
  2. Data connectors: Azure AD, Office 365, Microsoft Defender
  3. Analytics rules: pre-built detection templates
  4. Workbooks: security dashboards
  5. Automation: incident response playbooks (advanced)

Monitoring

Use PowerShell script 06-audit-logging.ps1 (-Monitoring switch, function Invoke-Monitoring) to check.

Verify that logging is working:

  1. Daily: check log ingestion (are logs being generated?)
  2. Weekly: review high-priority alerts (suspicious activities)
  3. Monthly: validate retention (logs are not deleted too early)
  4. Incident response: practice log search procedures
  5. Compliance: demonstrate log coverage to auditors
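
The weekly review (item 2 above) as a concrete query. This is an added example, not the page's own script: it pulls a fixed list of Unified Audit Log operations that commonly appear in business email compromise and persistence cases, flattens the AuditData JSON into reviewer-friendly columns, writes a CSV, and triages forwarding or deleting inbox rules. The operation list and output path are choices for this example; the operation names themselves are the ones the UAL records.

```powershell
# Added example: weekly review of high-priority events from the Unified Audit Log.
# Assumes a Connect-ExchangeOnline session with audit search rights. The operation
# list and output location are choices made for this example.
#Requires -Modules ExchangeOnlineManagement

$lookbackDays = 7
$outFile = Join-Path $env:TEMP 'ual-weekly-review.csv'

# Operations worth a human look every week, spelled as the UAL records them
# (Entra ID operation names carry a trailing period).
$highRiskOps = @(
    'New-InboxRule', 'Set-InboxRule',              # mail-forwarding / hiding rules
    'Set-Mailbox',                                 # ForwardingSmtpAddress changes
    'Add-MailboxPermission', 'Add-RecipientPermission',
    'Consent to application.',                     # OAuth app consent
    'Add member to role.',                         # privileged role assignment
    'Update user.', 'Reset user password.',
    'Add service principal credentials.'           # new secret/cert on an app
)

# Page through the result set; ReturnLargeSet caps a page at 5000 and the shared
# SessionId tells the service which pages you have already received.
$sessionId = [guid]::NewGuid().ToString()
$records = @()
do {
    $page = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$lookbackDays) -EndDate (Get-Date) `
        -Operations $highRiskOps -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($page) { $records += $page }
} while ($page -and $page.Count -eq 5000)

# AuditData is a JSON string; flatten the fields a reviewer needs into columns.
$interesting = 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo', 'ForwardingSmtpAddress',
               'DeleteMessage', 'MoveToFolder', 'AccessRights'
$review = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        When       = $r.CreationDate
        Workload   = $r.RecordType
        Operation  = $r.Operations
        Actor      = $r.UserIds
        ClientIP   = $d.ClientIP
        # Exchange records carry ObjectId; Entra records carry a Target array.
        Target     = @($d.ObjectId, ($d.Target.ID -join ';') | Where-Object { $_ })[0]
        # Parameters exist only for Exchange cmdlet records; keep the risky ones.
        Parameters = (@($d.Parameters | Where-Object { $_.Name -in $interesting } |
                        ForEach-Object { "$($_.Name)=$($_.Value)" })) -join ' '
        Result     = $d.ResultStatus
    }
}

$review | Sort-Object When -Descending | Export-Csv -Path $outFile -NoTypeInformation -Encoding UTF8
"{0} high-risk events in the last {1} days -> {2}" -f @($review).Count, $lookbackDays, $outFile

# Quick triage: inbox rules that forward, redirect or delete mail are the classic
# BEC indicator and deserve a same-day look.
$review | Where-Object { $_.Operation -like '*InboxRule' -and $_.Parameters -match 'ForwardTo|RedirectTo|DeleteMessage' } |
    Format-Table When, Actor, ClientIP, Parameters -AutoSize
```

Keep the CSV with the review notes: it doubles as the evidence of "log coverage" that item 5 asks you to show auditors, and it outlives the UAL retention window.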

Compliance and Auditing

Audit logging is mandatory under virtually every framework: BIO 12.04 (event logging), ISO 27001:2022 A.8.15 Logging (A.12.4.1 Event logging and audit trails in the 2013 edition), NIS2 Article 21 (logging and monitoring), AVG/GDPR Article 32 (security of processing), CIS M365 (audit controls). Without logging you are non-compliant at audit time.

Remediation

Use PowerShell script 06-audit-logging.ps1 (-Remediation switch, function Invoke-Remediation) to remediate.

Automation

Use the PowerShell script below to monitor and implement this security control. The script provides functions for monitoring (-Monitoring), remediation (-Remediation) and full implementation (-Implementation); add -WhatIf to preview changes.

PowerShell
<#
.SYNOPSIS
    Quick Start: Audit Logging
.DESCRIPTION
    Enables and configures the Unified Audit Log for compliance monitoring. FULLY AUTOMATED.
    ENABLES:
    - Unified Audit Log ingestion
    - Mailbox auditing (all mailboxes)
    - Azure AD audit logs (availability check)
    - Exchange admin audit logging (state check; always on in Exchange Online)
    - SharePoint audit logging (covered by the Unified Audit Log)
.NOTES
    Filename: 06-audit-logging.ps1
    Author: Nederlandse Baseline voor Veilige Cloud
    Created: 2025-10-16
    Related JSON: content/quick-start/06-audit-logging.json
    CIS: 3.1.1
    Priority: Week 2
#>
#Requires -Version 5.1
#Requires -Modules ExchangeOnlineManagement, Microsoft.Graph.Authentication

# SupportsShouldProcess gives the script a built-in -WhatIf that reaches the functions
# below through $WhatIfPreference, so no hand-rolled -WhatIf switch is needed.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(HelpMessage = "Monitor audit logging status")]
    [switch]$Monitoring,

    [Parameter(HelpMessage = "Enable Unified Audit Log")]
    [switch]$Remediation,

    [Parameter(HelpMessage = "Full implementation (UAL + Mailbox + SharePoint)")]
    [switch]$Implementation
)

$ErrorActionPreference = 'Stop'

Write-Host "`n========================================" -ForegroundColor Cyan
Write-Host "Quick Start: Audit Logging" -ForegroundColor Cyan
Write-Host "WEEK 2 - CIS 3.1.1" -ForegroundColor Cyan
Write-Host "Nederlandse Baseline voor Veilige Cloud" -ForegroundColor Cyan
Write-Host "========================================`n" -ForegroundColor Cyan

function Test-Compliance {
    [CmdletBinding()]
    param()
    $result = Invoke-Monitoring
    return $result.isCompliant
}

function Invoke-Revert {
    # Deliberately a no-op: switching audit logging off is never a desired end state,
    # so the script offers no way to undo the implementation.
    Write-Host "`nRevert requested for: Audit Logging" -ForegroundColor Cyan
    Write-Host " No changes made: this script does not disable audit logging" -ForegroundColor Yellow
}

function Invoke-Monitoring {
    <#
    .SYNOPSIS
        Monitors audit logging configuration
    #>
    [CmdletBinding()]
    param()
    try {
        Write-Host "`nMonitoring:" -ForegroundColor Yellow
        $result = @{
            isCompliant         = $false
            timestamp           = Get-Date
            unifiedAuditEnabled = $false
            orgMailboxAuditOn   = $false
            mailboxAuditEnabled = 0
            totalMailboxes      = 0
            recentAuditEntries  = 0
            azureADLogsEnabled  = $false
        }

        # Check Unified Audit Log ingestion
        Write-Host "Checking Unified Audit Log..." -ForegroundColor Gray
        Connect-ExchangeOnline -ShowBanner:$false
        $auditConfig = Get-AdminAuditLogConfig
        $result.unifiedAuditEnabled = [bool]$auditConfig.UnifiedAuditLogIngestionEnabled
        if ($result.unifiedAuditEnabled) {
            Write-Host " [OK] Unified Audit Log: ENABLED" -ForegroundColor Green
            # Smoke test: the ingestion flag being on is not the same as records arriving
            try {
                $testSearch = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) -ResultSize 10
                if ($testSearch) {
                    $result.recentAuditEntries = $testSearch.Count
                    Write-Host " Recent entries (24h): $($testSearch.Count)" -ForegroundColor Gray
                }
            } catch {
                Write-Host " ⚠️ Could not test recent entries: $_" -ForegroundColor Yellow
            }
        } else {
            Write-Host " [FAIL] Unified Audit Log: DISABLED" -ForegroundColor Red
        }

        # Check mailbox auditing. The organisation-wide switch (AuditDisabled) is the
        # authoritative control; the per-mailbox AuditEnabled flag is reported for completeness.
        Write-Host "`nChecking mailbox auditing..." -ForegroundColor Gray
        $result.orgMailboxAuditOn = -not [bool](Get-OrganizationConfig).AuditDisabled
        $mailboxes = Get-EXOMailbox -ResultSize Unlimited -Properties AuditEnabled
        $result.totalMailboxes = @($mailboxes).Count
        $result.mailboxAuditEnabled = @($mailboxes | Where-Object { $_.AuditEnabled -eq $true }).Count
        if ($result.orgMailboxAuditOn -and $result.mailboxAuditEnabled -eq $result.totalMailboxes) {
            Write-Host " [OK] Mailbox auditing: on by default; $($result.mailboxAuditEnabled)/$($result.totalMailboxes) mailboxes enabled" -ForegroundColor Green
        } else {
            Write-Host " ⚠️ Mailbox auditing: on by default = $($result.orgMailboxAuditOn); $($result.mailboxAuditEnabled)/$($result.totalMailboxes) mailboxes enabled" -ForegroundColor Yellow
        }

        # Check Azure AD audit logs: fetch one directory audit entry through Graph
        Write-Host "`nChecking Azure AD audit logs..." -ForegroundColor Gray
        try {
            Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All' -NoWelcome
            $directoryAudits = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?`$top=1"
            if ($directoryAudits.value -and $directoryAudits.value.Count -gt 0) {
                $result.azureADLogsEnabled = $true
                Write-Host " [OK] Azure AD audit logs: Available" -ForegroundColor Green
            } else {
                Write-Host " ⚠️ Azure AD audit logs: No entries returned" -ForegroundColor Yellow
            }
        } catch {
            Write-Host " ⚠️ Azure AD audit logs: Could not verify ($_)" -ForegroundColor Yellow
        }

        # Determine compliance: UAL ingestion on and mailbox auditing on by default
        if ($result.unifiedAuditEnabled -and $result.orgMailboxAuditOn) {
            $result.isCompliant = $true
        }

        # Summary
        Write-Host "`n========================================" -ForegroundColor Cyan
        Write-Host "SUMMARY:" -ForegroundColor Cyan
        Write-Host " Unified Audit Log: $(if ($result.unifiedAuditEnabled) { 'ENABLED [OK]' } else { 'DISABLED [FAIL]' })" -ForegroundColor $(if ($result.unifiedAuditEnabled) { 'Green' } else { 'Red' })
        Write-Host " Mailbox Auditing: on by default = $($result.orgMailboxAuditOn); $($result.mailboxAuditEnabled)/$($result.totalMailboxes)" -ForegroundColor $(if ($result.orgMailboxAuditOn) { 'Green' } else { 'Yellow' })
        Write-Host " Recent Entries (24h): $($result.recentAuditEntries)" -ForegroundColor White
        Write-Host " Azure AD Logs: $(if ($result.azureADLogsEnabled) { 'Available [OK]' } else { 'Unknown' })" -ForegroundColor $(if ($result.azureADLogsEnabled) { 'Green' } else { 'Gray' })
        if ($result.isCompliant) {
            Write-Host "`n[OK] COMPLIANT" -ForegroundColor Green
        } else {
            Write-Host "`n[FAIL] NON-COMPLIANT" -ForegroundColor Red
        }
        return $result
    } catch {
        Write-Host "`n[FAIL] ERROR: $_" -ForegroundColor Red
        throw
    }
}

function Invoke-Remediation {
    <#
    .SYNOPSIS
        Enables Unified Audit Log
    #>
    [CmdletBinding(SupportsShouldProcess)]
    param()
    try {
        Write-Host "`nRemediation:" -ForegroundColor Yellow
        Connect-ExchangeOnline -ShowBanner:$false
        Write-Host "Enabling Unified Audit Log..." -ForegroundColor Gray
        if ($PSCmdlet.ShouldProcess("Unified Audit Log", "Enable")) {
            Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
            Write-Host " [OK] Unified Audit Log enabled" -ForegroundColor Green
            Write-Host " Note: Takes up to 24 hours to fully propagate" -ForegroundColor Yellow
        }
        Write-Host "`n[OK] Remediation completed" -ForegroundColor Green
    } catch {
        Write-Host "`n[FAIL] ERROR: $_" -ForegroundColor Red
        throw
    }
}

function Invoke-Implementation {
    <#
    .SYNOPSIS
        Full implementation: UAL + Mailbox Audit + Azure AD logging
    #>
    [CmdletBinding(SupportsShouldProcess)]
    param()
    try {
        Write-Host "`nImplementation: COMPLETE Audit Logging Setup..." -ForegroundColor Yellow
        Connect-ExchangeOnline -ShowBanner:$false

        # STEP 1: Enable Unified Audit Log
        Write-Host "`n========================================" -ForegroundColor Cyan
        Write-Host "STEP 1: Enable Unified Audit Log" -ForegroundColor Cyan
        Write-Host "========================================" -ForegroundColor Cyan
        if ($PSCmdlet.ShouldProcess("UAL", "Enable")) {
            Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
            Write-Host " [OK] Unified Audit Log enabled" -ForegroundColor Green
        }

        # STEP 2: Enable mailbox auditing for all mailboxes
        Write-Host "`n========================================" -ForegroundColor Cyan
        Write-Host "STEP 2: Enable Mailbox Auditing" -ForegroundColor Cyan
        Write-Host "========================================" -ForegroundColor Cyan
        Write-Host " Enabling mailbox audit by default..." -ForegroundColor Gray
        if ($PSCmdlet.ShouldProcess("Organization Config", "Enable mailbox audit by default")) {
            # Org-wide switch: this is what actually turns mailbox auditing on
            Set-OrganizationConfig -AuditDisabled $false
            Write-Host " [OK] Organization-wide mailbox auditing enabled" -ForegroundColor Green

            # Also set the per-mailbox flag on existing mailboxes that have it off
            Write-Host " Checking individual mailboxes..." -ForegroundColor Gray
            $mailboxes = @(Get-EXOMailbox -ResultSize Unlimited -Properties AuditEnabled |
                Where-Object { $_.AuditEnabled -eq $false })
            if ($mailboxes.Count -gt 0) {
                Write-Host " Found $($mailboxes.Count) mailboxes with auditing disabled" -ForegroundColor Yellow
                Write-Host " Enabling auditing (this may take a while)..." -ForegroundColor Gray
                $count = 0
                foreach ($mailbox in $mailboxes) {
                    try {
                        # -ErrorAction Stop so a failure actually reaches the catch block
                        Set-Mailbox -Identity $mailbox.UserPrincipalName -AuditEnabled $true -ErrorAction Stop
                        $count++
                        if ($count % 10 -eq 0) {
                            Write-Host " Progress: $count/$($mailboxes.Count)" -ForegroundColor Gray
                        }
                    } catch {
                        Write-Host " ⚠️ Failed for $($mailbox.UserPrincipalName): $_" -ForegroundColor Yellow
                    }
                }
                Write-Host " [OK] Enabled auditing for $count mailboxes" -ForegroundColor Green
            } else {
                Write-Host " [OK] All mailboxes already have auditing enabled" -ForegroundColor Green
            }
        }

        # STEP 3: SharePoint auditing
        Write-Host "`n========================================" -ForegroundColor Cyan
        Write-Host "STEP 3: Enable SharePoint Audit Log" -ForegroundColor Cyan
        Write-Host "========================================" -ForegroundColor Cyan
        if ($PSCmdlet.ShouldProcess("SharePoint", "Enable audit log")) {
            # SharePoint and OneDrive events are written to the Unified Audit Log; there is
            # no separate switch to flip once UAL ingestion is on.
            Write-Host " SharePoint auditing is controlled by Unified Audit Log" -ForegroundColor Gray
            Write-Host " [OK] SharePoint auditing enabled (via UAL)" -ForegroundColor Green
        }

        # STEP 4: Admin audit log
        Write-Host "`n========================================" -ForegroundColor Cyan
        Write-Host "STEP 4: Verify Admin Audit Log Settings" -ForegroundColor Cyan
        Write-Host "========================================" -ForegroundColor Cyan
        if ($PSCmdlet.ShouldProcess("Admin Audit Log", "Verify")) {
            # AdminAuditLogEnabled and LogLevel on Set-AdminAuditLogConfig are on-premises
            # Exchange parameters; Exchange Online keeps admin audit logging on by itself,
            # so this step reports the current state rather than trying to set it.
            $adminCfg = Get-AdminAuditLogConfig
            Write-Host " Admin audit log enabled: $($adminCfg.AdminAuditLogEnabled) (LogLevel: $($adminCfg.LogLevel))" -ForegroundColor Gray
            Write-Host " [OK] Admin audit log: verified" -ForegroundColor Green
        }

        Write-Host "`n========================================" -ForegroundColor Green
        Write-Host "[OK] IMPLEMENTATION COMPLETED!" -ForegroundColor Green
        Write-Host "========================================" -ForegroundColor Green
        Write-Host "`nEnabled:" -ForegroundColor Cyan
        Write-Host " [OK] Unified Audit Log ingestion" -ForegroundColor White
        Write-Host " [OK] Organization-wide mailbox auditing" -ForegroundColor White
        Write-Host " [OK] SharePoint audit logging" -ForegroundColor White
        Write-Host " [OK] Admin audit log (verified)" -ForegroundColor White
        Write-Host "`nNext steps:" -ForegroundColor Yellow
        Write-Host " 1. Wait 24h for full propagation" -ForegroundColor White
        Write-Host " 2. Test: Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date)" -ForegroundColor Gray
        Write-Host " 3. Configure retention policy (180 days Audit Standard default, 1 year with Audit Premium, 10 years with the add-on licence)" -ForegroundColor White
        Write-Host " 4. Set up SIEM integration if required" -ForegroundColor White
    } catch {
        Write-Host "`n[FAIL] ERROR: $_" -ForegroundColor Red
        throw
    }
}

# MAIN EXECUTION
try {
    if ($Implementation) {
        Invoke-Implementation            # honours -WhatIf through $WhatIfPreference
    } elseif ($Remediation) {
        Invoke-Remediation
    } elseif ($Monitoring) {
        $result = Invoke-Monitoring
        exit $(if ($result.isCompliant) { 0 } else { 1 })
    } else {
        Write-Host "Available parameters:" -ForegroundColor Yellow
        Write-Host " -Monitoring : Check audit logging status" -ForegroundColor Gray
        Write-Host " -Remediation : Enable Unified Audit Log" -ForegroundColor Gray
        Write-Host " -Implementation : Full setup (UAL + Mailbox + SharePoint)" -ForegroundColor Gray
        Write-Host " -WhatIf : Preview changes" -ForegroundColor Gray
    }
} catch {
    Write-Error "Script execution failed: $_"
    exit 2
} finally {
    Write-Host "`n========================================`n" -ForegroundColor Cyan
}

Risk without implementation

High: Without logging there are no forensics during incidents, compliance violations can neither be proven nor refuted, and insider threats are undetectable. Logging is FREE (included in the licence) and required for audits.

Management Summary

DAY 15-16 (Week 3): Enable and verify the Unified Audit Log, mailbox auditing and sign-in logs. Configure retention (90 days minimum; Audit Standard now keeps 180 days, Audit Premium 1 year). Optional: SIEM integration. Effort: 4-6 hours. FREE but MANDATORY for compliance.