Audit Logs

Retention by scope:

| Scope        | Retention                               |
|--------------|-----------------------------------------|
| Tenant       | 7 days - Free license; 30 days - P1/P2  |
| Subscription | 90 days                                 |
| Resource     | User defined                            |

What logs are available?
- Sign-In logs
- Audit Logs
- UAL logs
- eDiscovery

UAL logs
- 90 day retention
- On by default
Tenant Wide Logs:

Retention
- 7 days - Free license
- 30 days - P1/P2

Sign-In Logs
Types:
- Interactive user sign-ins: hands-on-keyboard logins.
- Non-interactive user sign-ins: background logins on behalf of a user, i.e. logins from refresh tokens and access tokens used by applications.
- Service principal sign-ins: logins from service principals and apps that use credentials. Not interactive.
  - Source IPs can be Microsoft owned, e.g. prefixes starting with:
    - 20.8
    - 40.
    - 52.
- Managed identity sign-ins: sign-ins by Azure resources that have their secrets managed by Azure. Resource-to-resource logins.
- 30 day default retention
- On by default

Provisioning Logs
- Activities performed by the provisioning service, e.g. creation of a group from ServiceNow or importing a user from Workday.
- 30 day default retention
- On by default

ADFSSignInLogs
- Relevant if you have ADFS in a hybrid setup. Requires the Connect Health agent to be installed on the on-prem DC.
- 30 day default retention
- On by default

Global Secure Access Logs
- Records data moving through agents and firewalls that are part of Global Secure Access (GSA). Works with CAE (Continuous Access Evaluation) as well.
- NetworkAccessTrafficLogs: network information from identities/devices that are enrolled in GSA.
- EnrichedOffice365AuditLogs: M365 logs that originate from identities/devices enrolled in GSA. Part of the UAL.
- RemoteNetworkHealthLogs: network status information about remote office setups enrolled in GSA. GSA is Microsoft's zero trust service.
- NetworkAccessAlerts: no info on this log yet.
- The service must be enabled for these to be logged.
- 30 day default retention
- On by default

Identity Protection Logging
- 30 day default retention
- On by default
- Requires P1/P2 license

Microsoft Graph Activity Logs:
- Off by default
- Needs to be enabled and manually forwarded to a storage account, Log Analytics workspace, Event Hub, etc.
- Records Graph API read calls.
- VERY noisy.
- VERY expensive for storage.

Audit Logs
- Contains information about changes to the Entra ID tenant such as group changes, password resets, and MFA device changes.
- Only records Entra ID objects and NOT Azure resources.
- 30 day default retention
- On by default
Subscription Wide Logs:

Retention
- 90 days

Activity Logs:
- Records data at the management group, subscription, and resource group level.
- Provides details for each Azure resource within a subscription. There is a single activity log for each subscription.
- Log Categories (most interesting for DFIR are highlighted):
  - Administrative: contains the record of all create, update, delete, and action operations performed through Resource Manager. Examples of Administrative events include "create virtual machine" and "delete network security group".
  - Alert: contains the record of activations for Azure alerts. An example of an Alert event is "CPU % on myVM above 80 for the past 5 minutes".
  - Security: contains the record of any alerts generated by Microsoft Defender for Cloud. An example of a Security event is "Suspicious double extension file executed".
- 90 day retention
- On by default
Resource Wide Logging:

Retention
- User defined

Resource/Diagnostic Logs:
- Off by default
- Resources: VMs, storage accounts, networking, automation accounts, functions, etc.
- Old logs cannot be recovered if they are turned on after the incident.
- Does not have its own retention period; the logs are sent to Log Analytics, where the workspace retention dictates how long they are kept.
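Because diagnostic logs are off by default and cannot be recovered after the fact, the useful check is which resources have no working diagnostic setting today. The following is an added example (not from the original page): it assumes each resource's listing was captured with `az monitor diagnostic-settings list --resource <id>` and uses constructed sample data with placeholder ids.

```python
# Constructed sample of what `az monitor diagnostic-settings list --resource <id>`
# returns per resource. Field names (value, logs, category, enabled, workspaceId,
# storageAccountId) follow the ARM diagnostic-settings schema; every id, setting
# name and value below is made up for this example.
SUB = "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg-prod/providers/"
LAW = ("/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg-sec/providers/"
       "Microsoft.OperationalInsights/workspaces/law-sec")
SAMPLE_INVENTORY = {
    SUB + "Microsoft.KeyVault/vaults/kv-prod": {"value": [
        {"name": "to-law", "workspaceId": LAW, "storageAccountId": None,
         "logs": [{"category": "AuditEvent", "enabled": True}]}]},
    SUB + "Microsoft.Network/networkSecurityGroups/nsg-web": {"value": []},
    SUB + "Microsoft.Automation/automationAccounts/aa-ops": {"value": [
        {"name": "archive", "workspaceId": None,
         "storageAccountId": SUB + "Microsoft.Storage/storageAccounts/stlogs",
         "logs": [{"category": "JobLogs", "enabled": True}]}]},
    SUB + "Microsoft.Web/sites/func-ingest": {"value": [
        {"name": "stub", "workspaceId": LAW, "storageAccountId": None,
         "logs": [{"category": "FunctionAppLogs", "enabled": False}]}]},
}


def classify(listing):
    """Classify one resource's diagnostic-settings listing:
    "missing"      - no setting at all, so resource logs were never collected
                     and cannot be recovered after the incident;
    "all-disabled" - settings exist but every log category is switched off;
    "archive-only" - logs go to storage/event hub only, not to a Log Analytics
                     workspace, so they are not directly queryable;
    "ok"           - at least one category is enabled and sent to a workspace."""
    settings = listing.get("value", [])
    if not settings:
        return "missing"
    # Only settings that actually collect at least one category count.
    live = [s for s in settings
            if any(log.get("enabled") for log in s.get("logs", []))]
    if not live:
        return "all-disabled"
    if not any(s.get("workspaceId") for s in live):
        return "archive-only"
    return "ok"


def coverage_gaps(inventory):
    """Return {resource_id: status} for every resource that is not "ok"."""
    statuses = {rid: classify(listing) for rid, listing in inventory.items()}
    return {rid: s for rid, s in statuses.items() if s != "ok"}
```

Calling `coverage_gaps(SAMPLE_INVENTORY)` flags the NSG (missing), the automation account (archive-only) and the function app (all-disabled); the key vault is the only resource whose logs would be queryable during an investigation.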