Audit Detect Advanced Auditing Disabled
Query
//Detect when Advanced Auditing is disabled for a user
//Reference - https://www.mandiant.com/resources/remediation-and-hardening-strategies-microsoft-365-defend-against-apt29-v13
//Data connector required for this query - Azure Active Directory - Audit Logs
AuditLogs
| where OperationName == "Update user"
| where Result == "success"
| extend Actor = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend targetResources=parse_json(TargetResources)
| extend Target = tostring(TargetResources[0].userPrincipalName)
| extend ['Target ObjectId'] = tostring(TargetResources[0].id)
| mv-apply tr = targetResources on (
extend targetResource = tr.displayName
| mv-apply mp = tr.modifiedProperties on (
where mp.displayName == "LicenseAssignmentDetail"
| extend NewValue = tostring(mp.newValue)
))
| mv-expand todynamic(NewValue)
| where parse_json(tostring(NewValue.DisabledPlans))[0] == "2f442157-a11c-46b9-ae5b-6e39ff4e5849"
| project
TimeGenerated,
Actor,
Target,
['Target ObjectId'],
Activity="Advanced Auditing Disabled"Explanation
This query detects when Advanced Auditing is disabled for a user in Azure Active Directory Audit Logs. It filters for successful "Update user" operations and retrieves the user and target information. It then checks for any modifications to the "LicenseAssignmentDetail" property and specifically looks for a disabled plan with the ID "2f442157-a11c-46b9-ae5b-6e39ff4e5849". The query outputs the time generated, actor, target, target object ID, and labels the activity as "Advanced Auditing Disabled".
Details

Matt Zorich
Released: August 22, 2022
Tables
AuditLogs
Keywords
AuditLogsOperationNameResultInitiatedBy.useruserPrincipalNameTargetResourcesdisplayNamemodifiedPropertiesLicenseAssignmentDetailNewValueDisabledPlansTimeGeneratedActorTarget['Target ObjectId']Activity
Operators
| where==| extend=tostringparse_jsonmv-applyon| mv-expand| project