Secure score control AuditEnabled (Turn on audit data recording) not scored

%3CLINGO-SUB%20id%3D%22lingo-sub-301301%22%20slang%3D%22en-US%22%3ESecure%20score%20control%20AuditEnabled%20(Turn%20on%20audit%20data%20recording)%20not%20scored%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-301301%22%20slang%3D%22en-US%22%3E%3CP%3ESecure%20score%20control%20AuditEnabled%20(Turn%20on%20audit%20data%20recording)%20is%20being%20NotScored%20in%20Secure%20score%20portal.%26nbsp%3B%20Why%20is%20this%20happening%3F%3C%2FP%3E%3CP%3EThe%20api%20%2Fsecurity%2FsecureScoreControlProfiles%20also%20returns%20%5BNot%20Scored%5D%20in%20the%20api%2C%20and%20%2Fsecurity%2FsecureScores%20does%20not%20return%20the%20control.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20control%20is%20not%20deprecated%2C%20and%20IMO%20is%20a%20relatively%20important%20control%2C%20with%20a%20really%20easy%20implementation.%20I've%20checked%20it%20in%20many%20of%20our%20customer's%20tenants%20and%20it's%20always%20not%20scored.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-301301%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ESecure%20Score%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-303922%22%20slang%3D%22en-US%22%3ERe%3A%20Secure%20score%20control%20AuditEnabled%20(Turn%20on%20audit%20data%20recording)%20not%20scored%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-303922%22%20slang%3D%22en-US%22%3E%3CP%3EI've%20found%20in%20the%20official%20docs%20that%20they're%20in%20the%20process%20of%20turning%20on%20auditing%20by%20default%20as%20you%20mentioned.%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Foffice365%2Fsecuritycompliance%2Fsearch-the-audit-log-in-security-and-compliance%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Foffice365%2Fsecuritycompliance%2Fsearch-the-audit-log-in-security-and-compliance%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAnyway%20since%20I've%20started%20this%20thread%20now%20the%26nbsp%3BAuditEnabled%20is%20scored%20again%2C%20I%20sense%20a%20black%20hand%20that%20fixed%20it%20after%20they%20read%20this%20thread%20xD%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-302087%22%20slang%3D%22en-US%22%3ERe%3A%20Secure%20score%20control%20AuditEnabled%20(Turn%20on%20audit%20data%20recording)%20not%20scored%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-302087%22%20slang%3D%22en-US%22%3E%3CP%3EIt%20was%20mentioned%20at%20one%20of%20the%20sessions%20at%20Ignite%2C%20cannot%20recall%20which%20one.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-301969%22%20slang%3D%22en-US%22%3ERe%3A%20Secure%20score%20control%20AuditEnabled%20(Turn%20on%20audit%20data%20recording)%20not%20scored%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-301969%22%20slang%3D%22en-US%22%3E%3CP%3EDo%20you%20have%20a%20source%20pls%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-301888%22%20slang%3D%22en-US%22%3ERe%3A%20Secure%20score%20control%20AuditEnabled%20(Turn%20on%20audit%20data%20recording)%20not%20scored%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-301888%22%20slang%3D%22en-US%22%3E%3CP%3ENope%2C%20Unified%20Audit%20log%20event%20collection%20will%20also%20be%20enabled%20by%20default%20for%20all%20new%20tenants.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-301883%22%20slang%3D%22en-US%22%3ERe%3A%20Secure%20score%20control%20AuditEnabled%20(Turn%20on%20audit%20data%20recording)%20not%20scored%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-301883%22%20slang%3D%22en-US%22%3E%3CP%3EAFAIK%20what's%20going%20to%20be%20enabled%20by%20default%20is%20mailbox%20auditing.%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FSecurity-Privacy-and-Compliance%2FExchange-Mailbox-Auditing-will-be-enabled-by-default%2Fba-p%2F215171%22%20target%3D%22_blank%22%3Ehttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FSecurity-Privacy-and-Compliance%2FExchange-Mailbox-Auditing-will-be-enabled-by-default%2Fba-p%2F215171%3C%2FA%3E%20which%26nbsp%3Bhas%20a%20different%20security%20control%20%22%3CSPAN%3EMailboxAuditingEnabled%22%20-%20Turn%20on%20mailbox%20auditing%20for%20all%20users%20that%20actually%20HAS%20score.%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-301615%22%20slang%3D%22en-US%22%3ERe%3A%20Secure%20score%20control%20AuditEnabled%20(Turn%20on%20audit%20data%20recording)%20not%20scored%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-301615%22%20slang%3D%22en-US%22%3E%3CP%3EProbably%20because%20of%20the%20fact%20that%20audit%20is%20going%20to%20be%20enabled%20by%20default%20now.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

Secure score control AuditEnabled (Turn on audit data recording) is being NotScored in Secure score portal.  Why is this happening?

The api /security/secureScoreControlProfiles also returns [Not Scored] in the api, and /security/secureScores does not return the control.

 

The control is not deprecated, and IMO is a relatively important control, with a really easy implementation. I've checked it in many of our customer's tenants and it's always not scored.

6 Replies

Probably because of the fact that audit is going to be enabled by default now.

AFAIK what's going to be enabled by default is mailbox auditing. https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/Exchange-Mailbox-Auditing-wil... which has a different security control "MailboxAuditingEnabled" - Turn on mailbox auditing for all users that actually HAS score. 

 

Nope, Unified Audit log event collection will also be enabled by default for all new tenants.

It was mentioned at one of the sessions at Ignite, cannot recall which one.

I've found in the official docs that they're in the process of turning on auditing by default as you mentioned. https://docs.microsoft.com/en-us/office365/securitycompliance/search-the-audit-log-in-security-and-c...

 

Anyway since I've started this thread now the AuditEnabled is scored again, I sense a black hand that fixed it after they read this thread xD