Audit bypass in Exchange

Does InsightIDR give warnings if someone is using the Set-MailboxAuditBypassAssociation command in Exchange to bypass auditing for an account? Thank you for any help with this.

Hey @ben_hamel,

Not natively to my knowledge, but if you see that particular action in the logs, you can very easily build a custom pattern detection that would alert you whenever it’s seen:

Than you for that. I will try to create a custom alert for it now.

No worries, if you are having trouble, feel free to reach out with the log structure, keyword, etc (redacted of any PII), and I would be more than happy to help you with the query language.