EXPLORE
Sign In
← Back to Explore
splunk_escuTTP

O365 Advanced Audit Disabled

The following analytic detects instances where the O365 advanced audit is disabled for a specific user within the Office 365 tenant. It uses O365 audit logs, focusing on events related to audit license changes in AzureActiveDirectory workloads. This activity is significant because the O365 advanced audit provides critical logging and insights into user and administrator activities. Disabling it can blind security teams to potential malicious actions. If confirmed malicious, attackers could operate within the user's mailbox or account with reduced risk of detection, leading to unauthorized data access, data exfiltration, or account compromise.

MITRE ATT&CK

T1562.008

Detection Query

`o365_management_activity` Operation="Change user license." | eval property_name = mvindex ('ExtendedProperties{}.Name', 1) | search property_name = "extendedAuditEventCategory" | eval additionalDetails = mvindex('ExtendedProperties{}.Value',0) | eval split_value=split(additionalDetails,"NewValue") | eval possible_plan=mvindex(split_value, 1) | rex field="possible_plan" "DisabledPlans=\[(?P<DisabledPlans>[^\]]+)\]" | search DisabledPlans IN ("*M365_ADVANCED_AUDITING*") | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by signature dest user src vendor_account vendor_product DisabledPlans object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_advanced_audit_disabled_filter`

Author

Mauricio Velazco, Michael Haag, Splunk

Created

2026-03-10

Data Sources

O365 Change user license.

References

Tags

Office 365 Persistence Mechanisms
Raw Content
name: O365 Advanced Audit Disabled
id: 49862dd4-9cb2-4c48-a542-8c8a588d9361
version: 8
date: '2026-03-10'
author: Mauricio Velazco, Michael Haag, Splunk
status: production
type: TTP
data_source:
    - O365 Change user license.
description: The following analytic detects instances where the O365 advanced audit is disabled for a specific user within the Office 365 tenant. It uses O365 audit logs, focusing on events related to audit license changes in AzureActiveDirectory workloads. This activity is significant because the O365 advanced audit provides critical logging and insights into user and administrator activities. Disabling it can blind security teams to potential malicious actions. If confirmed malicious, attackers could operate within the user's mailbox or account with reduced risk of detection, leading to unauthorized data access, data exfiltration, or account compromise.
search: "`o365_management_activity` Operation=\"Change user license.\" | eval property_name = mvindex ('ExtendedProperties{}.Name', 1) | search property_name = \"extendedAuditEventCategory\" | eval additionalDetails = mvindex('ExtendedProperties{}.Value',0) | eval split_value=split(additionalDetails,\"NewValue\") | eval possible_plan=mvindex(split_value, 1) | rex field=\"possible_plan\" \"DisabledPlans=\\[(?P<DisabledPlans>[^\\]]+)\\]\" | search DisabledPlans IN (\"*M365_ADVANCED_AUDITING*\") | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by signature dest user src vendor_account vendor_product DisabledPlans object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_advanced_audit_disabled_filter`"
how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
known_false_positives: Administrators might temporarily disable the advanced audit for troubleshooting, performance reasons, or other administrative tasks. Filter as needed.
references:
    - https://attack.mitre.org/techniques/T1562/008/
    - https://www.mandiant.com/sites/default/files/2022-08/remediation-hardening-strategies-for-m365-defend-against-apt29-white-paper.pdf
    - https://www.csoonline.com/article/570381/microsoft-365-advanced-audit-what-you-need-to-know.html
drilldown_searches:
    - name: View the detection results for - "$user$"
      search: '%original_detection_search% | search  user = "$user$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$user$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: Advanced auditing for user $object$ was disabled by $user$
    risk_objects:
        - field: user
          type: user
          score: 50
    threat_objects: []
tags:
    analytic_story:
        - Office 365 Persistence Mechanisms
    asset_type: O365 Tenant
    mitre_attack_id:
        - T1562.008
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: identity
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/o365_advanced_audit_disabled/o365_advanced_audit_disabled.log
          source: o365
          sourcetype: o365:management:activity