Exchange Audit record parameters must be set.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-228359 | EX16-MB-000060 | SV-228359r879559_rule | CCI-000169 | low |
| Description | ||||
| Log files help establish a history of activities and can be useful in detecting attack attempts. This item declares the fields that must be available in the audit log file in order to adequately research events that are logged. Audit records should include the following fields to supply useful event accounting: Object modified, Cmdlet name, Cmdlet parameters, Modified parameters, Caller, Succeeded, and Originating server. | ||||
| STIG | Date | |||
| Microsoft Exchange 2016 Mailbox Server Security Technical Implementation Guide | 2023-12-18 | |||
Related Frameworks
4 paths across 3 frameworks
Related Frameworks
NIST 800-531 mapping
AU-12
1.00
- DISA · V2R6 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-1712 mappings
3.3.1
1.00
- DISA · V2R6 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
3.3.2
1.00
- DISA · V2R6 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI1 mapping
CCI-000169
1.00
- DISA · V2R6 · disa_xccdf · related
Details
Check Text (C-228359r879559_chk)
Open the Exchange Management Shell and enter the following command:
Get-AdminAuditLogConfig | Select AdminAuditLogParameters
Note: The value of "*" indicates all parameters are being audited.
If the value of "AdminAuditLogParameters" is not set to "*", this is a finding.
Fix Text (F-30577r496874_fix)
Open the Exchange Management Shell and enter the following command:
Set-AdminAuditLogConfig -AdminAuditLogParameters *