Audit Logs


Last updated 2 months ago

Retention

  • Tenant

    • 7 days - Free license

    • 30 days - P1/P2

  • Subscription

    • 90 days

  • Resource

    • User defined

What logs are available?

  • Sign-In logs

  • Audit Logs

  • UAL logs

  • eDiscovery

UAL logs

  • 90 day retention

  • On by default

Tenant Wide Logs:

  • Retention

    • 7 days - Free license

    • 30 days - P1/P2

Sign-In Logs

  • Types:

      • Interactive user sign-ins: hands-on-keyboard logins.

      • Non-interactive user sign-ins: background logins on behalf of a user, i.e. logins by applications using refresh tokens and access tokens.

      • Service principal sign-ins: logins from service principals and apps that use credentials. Not interactive.

        • Source IPs can be Microsoft owned:

          • 20.8

          • 40.

          • 52.

      • Managed identity sign-ins: sign-ins by Azure resources whose secrets are managed by Azure. Resource-to-resource logins.

  • 30 day default retention

  • On by default

Provisioning Logs

  • Activities performed by the provisioning service, such as creating a group from ServiceNow or importing a user from Workday.

  • 30 day default retention

  • On by default

ADFSSignInLogs

  • Relevant if you have ADFS in a hybrid setup. Requires the Connect Health agent to be installed on the on-prem DC.

  • 30 day default retention

  • On by default

Global Secure Access Logs

Records data moving through agents and firewalls that are part of Global Secure Access (GSA). Works with CAE (continuous access evaluation) as well.

  • NetworkAccessTrafficLogs

    • Generates network information from identities/devices that are enrolled in Global Secure Access (GSA).

  • EnrichedOffice365AuditLogs

    • Contains M365 logs that originate from identities/devices enrolled in GSA. Part of the UAL.

  • RemoteNetworkHealthLogs

    • Contains network status information about remote office setups enrolled in GSA. GSA is Microsoft's zero trust service.

  • NetworkAccessAlerts

    • No info on this log yet.

  • Service must be enabled for these to be logged.

  • 30 day default retention

  • On by default

Identity Protection Logging

  • 30 day default retention

  • On by default

  • Requires P1/P2 license

Microsoft Graph Activity Logs:

  • Off by default

  • Needs to be enabled and manually forwarded to a Storage account, Log Analytics workspace, Event Hub, etc.

  • Records Graph API read calls.

  • VERY noisy.

  • VERY expensive for storage.

Audit Logs

  • Contains information about changes to the Entra ID tenant, such as group changes, password resets, and MFA device changes.

  • Only records Entra ID objects and NOT Azure resources.

  • 30 day default retention

  • On by default

Subscription Wide Logs:

  • Retention

    • 90 days

Activity Logs:

Records data at the management group, subscription, and resource group level.

  • Provides details on each Azure resource within a subscription. There is a single activity log for each subscription.

  • Log Categories (the three with descriptions are the most interesting for DFIR):

      • Administrative: contains the record of all create, update, delete, and action operations performed through Resource Manager. Examples of Administrative events include create virtual machine and delete network security group.

      • Service Health

      • Resource Health

      • Alert: contains the record of activations for Azure alerts. An example of an Alert event is "CPU % on myVM above 80 for the past 5 minutes".

      • Autoscale

      • Recommendation

      • Security: contains the record of any alerts generated by Microsoft Defender for Cloud. An example of a Security event is "Suspicious double extension file executed".

      • Policy

  • 90 day retention

  • On by default
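As an added example (not code from the original page), a small Python triage helper that reads exported Activity Log records in the event schema, keeps only the DFIR-relevant categories and the state-changing Administrative operations, and checks whether the retention windows listed on this page still reach back to an incident. The sample records are constructed; the retention keys and the three categories are taken from this page.

```python
import json
from datetime import datetime, timedelta

# Platform retention in days as listed on this page (tenant logs depend on license).
RETENTION_DAYS = {"tenant-free": 7, "tenant-p1p2": 30, "subscription": 90, "ual": 90}

# Activity Log categories the page singles out for DFIR.
DFIR_CATEGORIES = {"Administrative", "Alert", "Security"}

# Constructed sample records in the Activity Log event schema (not real data).
SAMPLE_EVENTS = json.loads("""[
 {"eventTimestamp": "2024-05-01T10:00:00+00:00", "caller": "admin@contoso.example",
  "category": {"value": "Administrative"}, "status": {"value": "Succeeded"},
  "operationName": {"value": "Microsoft.Network/networkSecurityGroups/delete"}},
 {"eventTimestamp": "2024-05-01T10:05:00+00:00", "caller": "admin@contoso.example",
  "category": {"value": "Administrative"}, "status": {"value": "Succeeded"},
  "operationName": {"value": "Microsoft.Compute/virtualMachines/read"}},
 {"eventTimestamp": "2024-05-01T11:00:00+00:00", "caller": "Microsoft.Security",
  "category": {"value": "Security"}, "status": {"value": "Active"},
  "operationName": {"value": "Microsoft.Security/locations/alerts/activate/action"}},
 {"eventTimestamp": "2024-05-01T12:00:00+00:00", "caller": "",
  "category": {"value": "ServiceHealth"}, "status": {"value": "Active"},
  "operationName": {"value": "Microsoft.ServiceHealth/incident/action"}}
]""")

def is_state_change(operation: str) -> bool:
    """Keep only create/update (write), delete and action operations; reads are noise."""
    return operation.rsplit("/", 1)[-1] in {"write", "delete", "action"}

def dfir_events(events):
    """Return (timestamp, caller, category, operation) for DFIR-relevant records."""
    kept = []
    for ev in events:
        category = ev["category"]["value"]
        operation = ev["operationName"]["value"]
        if category not in DFIR_CATEGORIES:
            continue
        if category == "Administrative" and not is_state_change(operation):
            continue
        kept.append((ev["eventTimestamp"], ev["caller"], category, operation))
    return sorted(kept)

def still_retained(source: str, incident_start: str, now: str) -> bool:
    """True if platform retention for `source` still reaches back to incident_start,
    i.e. the logs can still be exported before they roll off (ISO 8601 timestamps)."""
    age = datetime.fromisoformat(now) - datetime.fromisoformat(incident_start)
    return age <= timedelta(days=RETENTION_DAYS[source])
```

Resource/diagnostic logs are deliberately absent from RETENTION_DAYS because their retention is whatever the Log Analytics workspace is configured for.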

Resource Wide Logging:

  • Retention

    • User defined

Resource/Diagnostic Logs:

  • Off by default

    • Resources:

      • VMs

      • Storage accounts

      • Networking

      • Automation Accounts

      • Functions

      • etc.

  • Old logs cannot be recovered if they are turned on after the incident.

  • They do not have a retention period of their own; they are sent to Log Analytics, whose workspace retention dictates how long they are kept.

eDiscovery

Log Storage
