Audit Logs
Scopes and default retention:
  Tenant: 7 days (free license), 30 days (P1/P2)
  Subscription: 90 days
  Resource: user defined
Tenant-level sources:
  Sign-in logs
  Audit logs
  UAL logs
  eDiscovery
    90 day retention
    On by default

Sign-in logs
  Retention: 7 days (free license), 30 days (P1/P2)
  Types:
    Interactive user sign-ins: hands-on-keyboard logins.
    Non-interactive user sign-ins: background logins on behalf of a user, i.e. logins from refresh tokens and access tokens used by applications.
    Service principal sign-ins: logins from service principals and apps that use credentials. Not interactive.
      Source IPs can be Microsoft owned: 20.8, 40., 52.
    Managed identity sign-ins: sign-ins by Azure resources whose secrets are managed by Azure. Resource-to-resource logins.
      30 day default retention
      On by default

Provisioning logs
  Activities performed by the provisioning service, such as creating a group from ServiceNow or importing a user from Workday.
  30 day default retention
  On by default

ADFS logs (Connect Health)
  Relevant if you have ADFS in a hybrid setup. Requires the Connect Health agent to be installed on the on-prem DC.
  30 day default retention
  On by default

Global Secure Access (GSA) logs
  Records data moving through agents and firewalls that are part of Global Secure Access (GSA). Works with CAE as well. GSA is Microsoft's zero trust service.
    NetworkAccessTrafficLogs: network information from identities/devices that are enrolled in GSA.
    EnrichedOffice365AuditLogs: M365 logs that originate from identities/devices enrolled in GSA. Part of the UAL.
    RemoteNetworkHealthLogs: network status information about remote office setups enrolled in GSA.
    NetworkAccessAlerts: no info on this log yet.
  Service must be enabled for these to be logged.
  30 day default retention
  On by default
Microsoft Graph activity logs
  Requires P1/P2 license
  Off by default
  Needs to be enabled and manually forwarded to a destination such as a storage account, Log Analytics workspace, or Event Hub.
  Records Graph API read calls.
  VERY noisy.
  VERY expensive for storage.

Audit logs
  Contains information about changes to the Entra ID tenant such as group changes, password resets, and MFA device changes.
  Only records Entra ID objects and NOT Azure resources.
  30 day default retention
  On by default
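A readiness check for the tenant-level logs listed above, added here as an example and not part of the original notes: given the JSON returned by the Entra diagnostic-settings endpoint (ARM shape: value[].properties.logs[].category/enabled plus a workspaceId, storageAccountId or eventHubAuthorizationRuleId destination), it reports which log categories are not forwarded anywhere and how little history you could rely on after an incident. The sample settings are constructed; the retention table repeats the defaults from the notes above.

```python
import json

# Days of history available in the portal with NO forwarding, per the notes above
# (SignInLogs is 7 days on a free license; 30 assumes P1/P2).
DEFAULT_RETENTION_DAYS = {
    "SignInLogs": 30, "NonInteractiveUserSignInLogs": 30,
    "ServicePrincipalSignInLogs": 30, "ManagedIdentitySignInLogs": 30,
    "AuditLogs": 30, "ProvisioningLogs": 30, "ADFSSignInLogs": 30,
    "NetworkAccessTrafficLogs": 30, "EnrichedOffice365AuditLogs": 30,
    "RemoteNetworkHealthLogs": 30,
    "MicrosoftGraphActivityLogs": 0,  # off by default: nothing kept unless forwarded
}
DESTINATION_KEYS = ("workspaceId", "storageAccountId", "eventHubAuthorizationRuleId")


def forwarded_categories(settings_json: str) -> set:
    """Categories enabled in at least one setting that actually has a destination."""
    covered = set()
    for setting in json.loads(settings_json).get("value", []):
        props = setting.get("properties", {})
        if not any(props.get(k) for k in DESTINATION_KEYS):
            continue  # enabled categories with nowhere to go are not retained
        covered.update(e["category"] for e in props.get("logs", []) if e.get("enabled"))
    return covered


def coverage_gaps(settings_json: str) -> dict:
    """Unforwarded category -> the most history you could still pull after an incident."""
    covered = forwarded_categories(settings_json)
    return {c: d for c, d in DEFAULT_RETENTION_DAYS.items() if c not in covered}


# Constructed sample: one setting forwarding two categories to a workspace, and one
# setting whose destination was removed (its enabled category counts for nothing).
SAMPLE = json.dumps({"value": [
    {"name": "to-law", "properties": {
        "workspaceId": "/subscriptions/<sub-id>/resourceGroups/rg/providers/"
                       "Microsoft.OperationalInsights/workspaces/law",
        "logs": [{"category": "SignInLogs", "enabled": True},
                 {"category": "AuditLogs", "enabled": True},
                 {"category": "MicrosoftGraphActivityLogs", "enabled": False}]}},
    {"name": "orphaned", "properties": {
        "logs": [{"category": "ServicePrincipalSignInLogs", "enabled": True}]}},
]})

if __name__ == "__main__":
    for category, days in sorted(coverage_gaps(SAMPLE).items()):
        print(f"{category}: not forwarded, at most {days} days of history available")
```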
Subscription: Activity log
  Retention: 90 days
  Records data at the management group, subscription, and resource group level.
  Provides details on each Azure resource within a subscription. There is a single activity log for each subscription.
  Log categories:
    Administrative: contains the record of all create, update, delete, and action operations performed through Resource Manager. Examples of Administrative events include "create virtual machine" and "delete network security group".
    Alert: contains the record of activations for Azure alerts. An example of an Alert event is "CPU % on myVM above 80 for the past 5 minutes".
    Security: contains the record of any alerts generated by Microsoft Defender for Cloud. An example of a Security event is "Suspicious double extension file executed".
  90 day retention
  On by default
Resource-level logs
  Retention: user defined
  Off by default
  Resources:
    VMs
    Storage accounts
    Networking
    Automation accounts
    Functions
    etc.
  Old logs cannot be recovered if they are turned on after an incident.
  Does not have its own log retention period; logs are sent to Log Analytics, which dictates how long they are retained.