Audit Logs

Retention

  • Tenant

    • 7 days - Free license

    • 30 days - P1/P2

  • Subscription

    • 90 days

  • Resource

    • User defined

What logs are available?

  • Sign-In logs

  • Audit Logs

  • UAL logs

  • eDiscovery

UAL logs

  • 90 day retention

  • On by default

Tenant Wide Logs:

  • Retention

    • 7 days - Free license

    • 30 days - P1/P2

Sign-In Logs

Provisioning Logs

  • Activities performed by the provisioning service, such as creating a group from ServiceNow or importing a user from Workday.

  • 30 day default retention

  • On by default

ADFSSignInLogs

  • Relevant if you have AD FS in a hybrid setup. Requires the Connect Health agent to be installed on the on-prem DC.

  • 30 day default retention

  • On by default

Global Secure Access Logs

Records data moving through agents and firewalls that are a part of Global Secure Access (GSA). Works with CAE (Continuous Access Evaluation) as well.

  • NetworkAccessTrafficLogs

    • Generates network information from identities/devices that are enrolled in Global Secure Access (GSA).

  • EnrichedOffice365AuditLogs

    • Contains M365 logs that originate from identities/devices enrolled in GSA. Part of the UAL.

  • RemoteNetworkHealthLogs

    • Contains network status information about remote office setups enrolled in GSA. GSA is Microsoft's zero trust service.

  • NetworkAccessAlerts

    • No info on this log yet.

  • Service must be enabled for these to be logged.

  • 30 day default retention

  • On by default

Identity Protection Logging

  • 30 day default retention

  • On by default

  • Requires P1/P2 license

Microsoft Graph Activity Logs:

  • Off by default

  • Must be enabled and manually forwarded to a storage account, Log Analytics workspace, Event Hub, etc.

  • Records Graph API read calls.

  • VERY noisy.

  • VERY expensive for storage.

Audit Logs

  • Contains information about changes to the Entra ID tenant, such as group changes, password resets, and MFA device changes.

  • Only records Entra ID objects, NOT Azure resources.

  • 30 day default retention

  • On by default

Subscription Wide Logs:

  • Retention

    • 90 days

Activity Logs:

Records data at the management group, subscription, and resource group level.

  • Provides details on operations against each Azure resource within a subscription. There is a single activity log for each subscription.

  • Log Categories (Most interesting for DFIR are highlighted):

    • Administrative

      • Contains the record of all create, update, delete, and action operations performed through Resource Manager. Examples of Administrative events include create virtual machine and delete network security group.

    • Alert

      • Contains the record of activations for Azure alerts. An example of an Alert event is CPU % on myVM above 80 for the past 5 minutes.

    • Security

      • Contains the record of any alerts generated by Microsoft Defender for Cloud. An example of a Security event is Suspicious double extension file executed.

  • 90 day retention

  • On by default

Resource Wide Logging:

  • Retention

    • User defined

Resource/Diagnostic Logs:

  • Off by default

    • Resources:

      • VMs

      • Storage accounts

      • Networking

      • Automation Accounts

      • Functions

      • etc.

  • Logs from before enablement cannot be recovered if diagnostic logging is only turned on after an incident.

  • Have no retention period of their own; they are sent to Log Analytics, and the workspace retention setting dictates how long they are kept.
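A readiness check for the two points above, added here as an example and not part of the original notes: given a per-resource inventory in the shape `az monitor diagnostic-settings list --resource <id>` returns (an assumption, trimmed to the fields read), it reports resources whose diagnostic logs would not exist during an investigation, and works out how far back a Log Analytics workspace can still answer once both the enable date and the workspace retention are applied. Resource ids, setting names and dates are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample inventory: resource id -> diagnostic-setting objects in the
# shape `az monitor diagnostic-settings list --resource <id>` returns (assumed,
# trimmed to the fields read here). Ids, names and dates are placeholders.
SUB = "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg1/providers"
VM_ID = SUB + "/Microsoft.Compute/virtualMachines/vm1"
SA_ID = SUB + "/Microsoft.Storage/storageAccounts/sa1/blobServices/default"
AA_ID = SUB + "/Microsoft.Automation/automationAccounts/aa1"
SAMPLE_INVENTORY = {
    VM_ID: [],  # off by default: no setting, so nothing is being recorded
    SA_ID: [{"name": "to-law", "storageAccountId": None,
             "eventHubAuthorizationRuleId": None,
             "workspaceId": SUB + "/Microsoft.OperationalInsights/workspaces/law1",
             "logs": [{"category": "StorageRead", "enabled": True},
                      {"category": "StorageDelete", "enabled": False}]}],
    AA_ID: [{"name": "no-sink", "workspaceId": None, "storageAccountId": None,
             "eventHubAuthorizationRuleId": None,
             "logs": [{"category": "JobLogs", "enabled": True}]}],
}
SINK_KEYS = ("workspaceId", "storageAccountId", "eventHubAuthorizationRuleId")
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)          # constructed
ENABLED_AT = datetime(2024, 5, 20, tzinfo=timezone.utc)  # constructed


def assess(inventory):
    """Per resource: enabled categories that reach a sink, or why no log will exist."""
    report = {}
    for rid, settings in inventory.items():
        enabled, exported = set(), set()
        for s in settings:
            # a log entry names either a single category or a categoryGroup
            cats = {l.get("category") or l.get("categoryGroup")
                    for l in s.get("logs", []) if l.get("enabled")}
            enabled |= cats
            if cats and any(s.get(k) for k in SINK_KEYS):
                exported |= cats
        if not settings:
            report[rid] = "NO_DIAGNOSTIC_SETTING"
        elif not enabled:
            report[rid] = "NO_LOG_CATEGORY_ENABLED"
        elif not exported:
            report[rid] = "NO_DESTINATION"
        else:
            report[rid] = "OK:" + ",".join(sorted(exported))
    return report


def earliest_queryable(enabled_at, workspace_retention_days, now):
    """Oldest answerable timestamp: nothing predates the setting, retention trims the rest."""
    return max(enabled_at, now - timedelta(days=workspace_retention_days))
```

Run it against a real inventory by feeding each resource's `az monitor diagnostic-settings list` output into the same dict shape; a resource tagged NO_DIAGNOSTIC_SETTING or NO_DESTINATION has no diagnostic history to fall back on.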

eDiscovery

Log Storage
