Does InsightIDR give warnings if someone is using the Set-MailboxAuditBypassAssociation command in Exchange to bypass auditing for an account? Thank you for any help with this.
Not natively to my knowledge, but if you see that particular action in the logs, you can very easily build a custom pattern detection that would alert you whenever it’s seen:
Thank you for that. I will try to create a custom alert for it now.
No worries. If you are having trouble, feel free to reach out with the log structure, keyword, etc. (redacted of any PII), and I would be more than happy to help you with the query language.
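As an added example (not part of the thread, and not InsightIDR's own query language), the pattern detection discussed above can be prototyped offline against exported audit events before building the custom alert. The JSON field names (`Operation`, `UserId`, `Parameters`) are an assumption modelled on Microsoft 365 Exchange admin audit records, and the sample lines are constructed; adjust the keys to whatever your ingested log structure actually contains.

```python
import json

CMDLET = "set-mailboxauditbypassassociation"

# Constructed sample events, one JSON object per line (field names are assumed).
SAMPLE_LOG = """\
{"CreationTime":"2024-01-01T10:00:00","Operation":"Set-Mailbox","UserId":"admin@example.com","Parameters":[{"Name":"Identity","Value":"user1"}]}
{"CreationTime":"2024-01-01T10:05:00","Operation":"Set-MailboxAuditBypassAssociation","UserId":"admin@example.com","Parameters":[{"Name":"Identity","Value":"svc-backup"},{"Name":"AuditBypassEnabled","Value":"True"}]}
not json at all
{"CreationTime":"2024-01-01T10:09:00","Operation":"set-mailboxauditbypassassociation","UserId":"admin2@example.com","Parameters":[{"Name":"Identity","Value":"svc-backup"},{"Name":"AuditBypassEnabled","Value":"False"}]}
"""

def find_audit_bypass_changes(log_text):
    """Return one finding per event that runs the audit-bypass cmdlet."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip lines that are not JSON instead of aborting the scan
        if not isinstance(event, dict):
            continue
        # Case-insensitive match: cmdlet names are not case sensitive.
        if str(event.get("Operation", "")).lower() != CMDLET:
            continue
        # Flatten the Name/Value parameter list into a dict for lookup.
        params = {
            str(p.get("Name", "")).lower(): p.get("Value")
            for p in (event.get("Parameters") or [])
            if isinstance(p, dict)
        }
        enabled = str(params.get("auditbypassenabled", "")).lower() in ("true", "$true")
        findings.append({
            "line": line_no,
            "actor": event.get("UserId"),
            "target": params.get("identity"),
            "bypass_enabled": enabled,
            # Turning bypass on hides the target's mailbox access from audit logs.
            "severity": "high" if enabled else "info",
        })
    return findings

if __name__ == "__main__":
    for finding in find_audit_bypass_changes(SAMPLE_LOG):
        print(finding)
```

Events that switch the bypass back off are reported at lower severity, so the cleanup after an investigation stays visible without paging anyone.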