M365 Log Disabling Attempt

Detection overview

Triggers

  • An attempt has been made to disable important Office 365 logs that enhance security.

Possible Root Causes

  • Attackers will seek to disable logging to blind detection mechanisms and cover their tracks.
  • Logging may be temporarily turned off by an admin while changing configuration or troubleshooting a problem.

Business Impact

  • An attacker who has disabled logging can advance parts of an attack undetected and without leaving an auditable record to aid forensics.
  • Disabling logging degrades a critical component of an organization’s security architecture.
  • Many audit and compliance requirements can only be met through the collection of activity logs.

Steps to Verify

  • Review whether this logging configuration is expected and appropriate.
  • If this is a temporary configuration for troubleshooting purposes, confirm that logging has been re-enabled once the troubleshooting is complete.
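
The two verification steps above can be run against exported audit records. This is an added example, not the vendor's detection logic; the record shape, the cmdlet and parameter pairs treated as logging switches, and the sample records are assumptions constructed for illustration.

```python
import json
from datetime import datetime

# Assumption: (cmdlet, parameter) pairs treated as audit-logging switches,
# mapped to the value that reduces logging. Not the vendor's trigger list.
LOG_SWITCHES = {
    ("Set-AdminAuditLogConfig", "UnifiedAuditLogIngestionEnabled"): "False",
    ("Set-Mailbox", "AuditEnabled"): "False",
    ("Set-MailboxAuditBypassAssociation", "AuditBypassEnabled"): "True",
}

# Constructed sample records (JSON lines), not real tenant data.
SAMPLE = """\
{"CreationTime":"2024-05-01T09:00:00","Operation":"Set-Mailbox","UserId":"admin@example.com","ObjectId":"alice","Parameters":[{"Name":"AuditEnabled","Value":"False"}]}
{"CreationTime":"2024-05-01T09:30:00","Operation":"Set-Mailbox","UserId":"admin@example.com","ObjectId":"alice","Parameters":[{"Name":"AuditEnabled","Value":"True"}]}
{"CreationTime":"2024-05-01T10:00:00","Operation":"Set-AdminAuditLogConfig","UserId":"svc-config@example.com","ObjectId":"tenant","Parameters":[{"Name":"UnifiedAuditLogIngestionEnabled","Value":"$false"}]}
{"CreationTime":"2024-05-01T10:05:00","Operation":"Set-Mailbox","UserId":"admin@example.com","ObjectId":"bob","Parameters":[{"Name":"DisplayName","Value":"Bob"}]}
"""

def load(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def review(records):
    """Return one finding per log-disabling change, with its re-enable time if any."""
    findings, still_off = [], {}
    for rec in sorted(records, key=lambda r: datetime.fromisoformat(r["CreationTime"])):
        # Normalise "$false", "false" and False to "False" (same for true).
        params = {p["Name"]: str(p["Value"]).lstrip("$").capitalize()
                  for p in rec.get("Parameters", [])}
        for (op, name), off_value in LOG_SWITCHES.items():
            if rec.get("Operation") != op or name not in params:
                continue
            key = (op, name, rec.get("ObjectId", ""))
            if params[name] == off_value:
                finding = {"time": rec["CreationTime"], "user": rec.get("UserId"),
                           "setting": f"{op} -{name}", "target": key[2],
                           "reenabled_at": None}
                findings.append(finding)
                still_off.setdefault(key, []).append(finding)
            else:
                # The same switch on the same target was turned back on.
                for finding in still_off.pop(key, []):
                    finding["reenabled_at"] = rec["CreationTime"]
    return findings

if __name__ == "__main__":
    for f in review(load(SAMPLE)):
        status = f["reenabled_at"] or "STILL DISABLED"
        print(f'{f["time"]} {f["user"]} {f["setting"]} on {f["target"]}: {status}')
```

Findings with no re-enable time are the ones to confirm with the named administrator against a change record.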

Possible root causes

Malicious Detection

Benign Detection

Example scenarios

Business impact

If this detection indicates a genuine threat, the organization faces significant risks:

Steps to investigate

MITRE ATT&CK techniques covered
