Audit bypass in Exchange

Does InsightIDR give warnings if someone is using the Set-MailboxAuditBypassAssociation command in Exchange to bypass auditing for an account? Thank you for any help with this.

Hey @ben_hamel,

Not natively to my knowledge, but if you see that particular action in the logs, you can very easily build a custom pattern detection that would alert you whenever it’s seen:

https://docs.rapid7.com/insightidr/create-and-manage-custom-alerts

Thank you for that. I will try to create a custom alert for it now.

No worries. If you are having trouble, feel free to reach out with the log structure, keyword, etc. (redacted of any PII), and I would be more than happy to help you with the query language.
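
Before building the custom alert discussed above, it helps to confirm what the event looks like at the source. The following is an added example, not code from the thread participants or from Rapid7: it reads the Exchange admin audit log for runs of `Set-MailboxAuditBypassAssociation` and lists accounts that currently have bypass enabled. It assumes an Exchange Management Shell session with rights to read the admin audit log; the `$lookbackDays` value is an arbitrary choice.

```powershell
# Added example. Run in an Exchange Management Shell session.
$lookbackDays = 30   # assumption: adjust to your audit log retention

# 1. Every recorded run of the cmdlet inside the window.
$events = Search-AdminAuditLog -Cmdlets Set-MailboxAuditBypassAssociation `
    -StartDate (Get-Date).AddDays(-$lookbackDays) -EndDate (Get-Date)

$report = foreach ($e in $events) {
    # CmdletParameters is a list of Name/Value pairs; extract the flag
    # that says whether bypass was switched on or off.
    $bypass = ($e.CmdletParameters |
        Where-Object Name -eq 'AuditBypassEnabled').Value

    [pscustomobject]@{
        RunDate            = $e.RunDate
        Caller             = $e.Caller          # who ran the cmdlet
        Target             = $e.ObjectModified  # account whose actions stop being audited
        AuditBypassEnabled = $bypass
        Succeeded          = $e.Succeeded
    }
}

# Rows with AuditBypassEnabled = True are the ones worth alerting on.
$report | Sort-Object RunDate | Format-Table -AutoSize

# 2. Current state: accounts whose mailbox access is not being audited now,
#    including any configured before the lookback window.
Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
    Where-Object AuditBypassEnabled -eq $true |
    Select-Object Name, Identity, AuditBypassEnabled, WhenChanged
```

The cmdlet name, caller and target fields in this output are the values to look for in the ingested logs when choosing the keyword for the custom alert.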