Audit Logs

Retention

• Tenant

  • 7 days - Free license

  • 30 days - P1/P2

• Subscription

  • 90 days

• Resource

  • User defined

What logs are available?

• Sign-In logs

• Audit Logs

• UAL logs

• eDiscovery

UAL logs

Search the audit logMicrosoftLearn

• 90 day retention

• On by default

Tenant Wide Logs:

• Retention

  • 7 days - Free license

  • 30 days - P1/P2

Sign-In Logs

Sign-in logs in Microsoft Entra ID - Microsoft Entra IDMicrosoftLearn

• Types:

  • Interactive user sign-ins

    • Hands on keyboard logins

  • Non-interactive user sign-ins

    • Background logins on-behalf of user. Logins from fresh tokens and access tokens by applications.

  • Service principal sign-ins

    • Logins from service principals and apps that use credentials. Not interactive.

      • Source IPs can be Microsoft owned:

        • 20.8

        • 40.

        • 52.

  • Managed identity sign-ins

    • Sign-ins by Azure resources that have their secrets managed by Azure. Resource to resource logins.

• 30 day default retention

• On by default

Provisioning Logs

• Activities performed by provisioning service, creation of group from ServiceNow or importing user from Workday.

• 30 day default retention

• On by default

ADFSSignInLogs

• Relevant if you have ADFS as hybrid setup. Requires Connect Health agent to be installed on on-prem DC.

• 30 day default retention

• On by default

Global Secure Access Logs

What is Global Secure Access? - Global Secure AccessMicrosoftLearn

Continuous access evaluation in Microsoft Entra - Microsoft Entra IDMicrosoftLearn

Records data moving through agents and firewalls that are apart of Global Secure Access (GSA). Works with CAE as well.

• NetworkAccessTrafficLogs

  • Generates network information from identities/devices that are enrolled in Global Secure Access (GSA)

• EnrichedOffice365AuditLogs

  • Contains M365 logs that originate from identity/devices that are enrolled in GSA. Apart of the UAL.

• RemoteNetworkHealthLogs

  • Contains network status information about enrolled remote office setups in GSA. GSA is Microsofts zero trust service.

• NetworkAccessAlerts

  • No info on this log yet.

• Service must be enabled for these to be logged.

• 30 day default retention

• On by default

Identity Protection Logging

• 30 day default retention

• On by default

• Requires P1/P2 license

Microsoft Graph Activity Logs:

• Off by default

• Needs to be enabled and manually forwarded to Storage account, log analytic workspace.. event up, and etc.

• Records GraphAPI read calls.

• VERY noisy.

• VERY expensive for storage.

Audit Logs

Learn about the audit logs in Microsoft Entra ID - Microsoft Entra IDMicrosoftLearn

• Contains information about changes to Entra ID tenant such as group changes, password resets, and MFA device changes.

• Only records Entra ID (Entra ID objects) and NOT Azure (resources).

• 30 day default retention

• On by default

Subscription Wide Logs:

• Retention

  • 90 days

Activity Logs:

Azure Activity Log event schema - Azure MonitorMicrosoftLearn

Records data on Management group, subscription, and resource group level.

• Provides details to each Azure resource within a subscription. There is a single activity log for each subscription.

• Log Categories (Most interesting for DFIR are highlighted):

  • Administrative

    • Contains the record of all create, update, delete, and action operations performed through Resource Manager. Examples of Administrative events include create virtual machine and delete network security group.

  • Service Health

  • Resource Health

  • Alert

    • Contains the record of activations for Azure alerts. An example of an Alert event is CPU % on myVM above 80 for the past 5 minutes.

  • Autoscale

  • Recommendation

  • Security

    • Contains the record of any alerts generated by Microsoft Defender for Cloud. An example of a Security event is Suspicious double extension file executed.

  • Policy

• 90 day retention

• On by default

Resource Wide Logging:

• Retention

  • User defined

Resource/Diagnostic Logs:

• Off by default

  • Resources:

    • VMs

    • Storage accounts

    • Networking

    • Automation Accounts

    • Functions

    • etc.

• Old logs cannot be recovered if they are turned on after incident.

• Does not have a log retention period, they are sent to log analytics where that dictates how long they are retained.

eDiscovery

Search for eDiscovery (classic) activities in the audit logMicrosoftLearn

Log Storage