Exchange must have Audit record parameters set.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-234774	EX13-CA-000050	SV-234774r617263_rule		Low

Description
Log files help establish a history of activities, and can be useful in detecting attack attempts. This item declares the fields that must be available in the audit log file in order to adequately research events that are logged. Audit records should include the following fields to supply useful event accounting: Object modified, Cmdlet name, Cmdlet parameters, Modified parameters, Caller, Succeeded, and Originating server.

Description

Log files help establish a history of activities, and can be useful in detecting attack attempts. This item declares the fields that must be available in the audit log file in order to adequately research events that are logged. Audit records should include the following fields to supply useful event accounting: Object modified, Cmdlet name, Cmdlet parameters, Modified parameters, Caller, Succeeded, and Originating server.

STIG	Date
Microsoft Exchange 2013 Client Access Server Security Technical Implementation Guide	2021-12-16

Details

Check Text ( C-37960r617261_chk )
Open the Exchange Management Shell and enter the following command: Get-AdminAuditLogConfig \| Select Name, Identity, AdminAuditLogParameters If the value of AdminAuditLogParameters is not set to {}, this is a finding. Note: The value of {} indicates all parameters are being audited.

Fix Text (F-37923r617262_fix)
Open the Exchange Management Shell and enter the following command: Set-AdminAuditLogConfig -AdminAuditLogParameters *