Microsoft 365 is used by organizations around the world for email and the Office productivity suite. This is a cloud-based product suite by Microsoft and has many options for monitoring and compliance through their Unified Audit Log.
Microsoft 365 tenants who are licensed as Enterprise customers will have audit logging automatically enabled for their tenant. All other tenants will need to manually enable audit logging.
Before getting into how to enable logging and verifying that logging is turned on, let’s dive into what log types you can expect to find within Microsoft 365.
Microsoft 365 Unified Audit Logs have various record types. Rather than delving into the individual record types, we’ll focus more on the categories they fall into. To learn about each record type in more depth within its respective category, this document from Microsoft can help.
Below are the different log categories/services provided through the Unified Audit Log:
Thankfully, when enabling the Unified Audit Log via the Compliance Admin Center or PowerShell, you don’t need to individually turn on each of the logs for the categories shown above. There is also some nuance with these that we’ll briefly touch on.
Some of the categories above give different or reduced information depending on your license type. You need a license to see and receive Microsoft 365 Defender logs, for example. The same goes for Azure Information Protection and the DLP logging (along with Sensitivity Labels and Information Types).
Each category can have several record types associated with it. Exchange Online, for example, is associated with Exchange Admin logs, Exchange Item, and Exchange Item Aggregated record types. While AAD logs are included in the Unified Audit Log, not all record types are. Microsoft is a little vague on this topic, but to get all potential logs from AAD, you’ll need to configure Diagnostic Settings within the AAD portal in Azure.
There are several reasons why you would want to collect, retain, and monitor Microsoft 365 logs. The following are a few of the top reasons and some scenarios to consider.
External and insider threats are constant and evolving. While having protections in place is great, that should be just one aspect or layer of your security program. Collecting and monitoring Microsoft 365 logs from your various products can help you detect threats faster, enabling you to respond faster as well.
Consider a user that sets up an email forwarding rule to forward email to an external address. This could be benign, or it could be a threat actor’s attempt to maintain persistence in an environment. Without continuous monitoring through logs, this potential security risk would be missed.
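The forwarding-rule scenario above is a good first query to run once the Unified Audit Log is on. The following is an added example (not code from the original post): it pulls inbox-rule and mailbox changes from the last 30 days with Exchange Online PowerShell and reports any that set a forwarding or redirect target. It assumes the ExchangeOnlineManagement module is installed and the signed-in account holds the Audit Logs role; the cmdlet and operation names are real, the 30-day window and parameter list are the example’s own choices.

```powershell
# Added example: surface forwarding/redirect changes in the Unified Audit Log.
# Assumes ExchangeOnlineManagement is installed and the account can search audit logs.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$start = (Get-Date).AddDays(-30)   # 30-day window chosen for this example
$end   = Get-Date

# Cmdlet parameters that send mail elsewhere; any non-empty value is worth a look
$forwardParams = @('ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo',
                   'ForwardingSmtpAddress', 'ForwardingAddress')

# These operations cover rules created via PowerShell/OWA and mailbox-level forwarding
$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -Operations 'New-InboxRule', 'Set-InboxRule', 'Set-Mailbox' `
    -ResultSize 5000

foreach ($r in $records) {
    # AuditData is a JSON string; Exchange cmdlet records carry a Parameters array of Name/Value pairs
    $data = $r.AuditData | ConvertFrom-Json
    $hits = $data.Parameters | Where-Object { $forwardParams -contains $_.Name -and $_.Value }
    if ($hits) {
        [pscustomobject]@{
            Time       = $r.CreationDate
            Actor      = $r.UserIds
            Operation  = $r.Operations
            Target     = $data.ObjectId
            Forwarding = ($hits | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
        }
    }
}
```

Each row is a candidate for review, not a verdict: compare the Forwarding value against domains your organization owns, and confirm with the mailbox owner or change ticket before treating it as persistence.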
Alternatively, think of every action an administrator can take. Monitoring Microsoft 365 logs can help you determine if any admin actions were taken without proper approval or the result of a potentially rogue admin account. Being able to find these faster by monitoring your logs will leave you in a better security posture overall.
Microsoft 365 and Azure Active Directory (AAD) have various options to set up how you want users to log in, access and share data, and generally use various product offerings. Log monitoring can give you insight into how users attempt to circumvent controls and use the services they have permission to, enabling you to respond to these potential incidents.
You can monitor these policies and create new ones via a variety of administration centers within Microsoft 365, which can be tough for small teams to keep track of. Logging and monitoring these logs can help reduce the number of clicks it takes to monitor these controls and policies as well. It can also help to validate whether or not your policies and controls are working as intended or if you need to make any modifications.
Organizations may have specific compliance requirements that will drive your audit log retention policy. If your organization has any compliance requirements to meet for cyber insurance, industry requirements, and other compliance-related reasons, Microsoft 365 logging and retention can be extremely important.
Audit log retention requirements will vary; some industries, like healthcare, will require longer retention periods of at least 6 years.
With the understanding that you should be collecting, monitoring and retaining Microsoft 365 logs, the first step is to turn them on. You can do this by enabling the Unified Audit Log within Microsoft 365.
Navigate to the Compliance Admin Center within Microsoft 365. You can also use this URL https://compliance.microsoft.com. Once there, click on Audit. As Microsoft is rebranding and moving things around, the Compliance Center may be showing as Purview in your tenant.
This takes you to the audit search and settings page for the Unified Audit Log. If it has never been enabled, or if this is your first time visiting this section, you’ll be greeted with a button asking you to start recording user and admin activity.
Clicking this will enable the Unified Audit Log. Keep in mind that there is a time delay that can last up to 60 minutes before you are able to view and search through the entire audit log.
PowerShell can also be used to perform all of the above steps. Learn more here.
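For teams that prefer to script the check rather than click through the portal, here is an added example (not from the original post) that verifies whether Unified Audit Log ingestion is on and enables it if not, using Exchange Online PowerShell. It assumes the ExchangeOnlineManagement module is installed and the account holds a role permitted to change audit configuration, such as Organization Management.

```powershell
# Added example: check and, if needed, enable Unified Audit Log ingestion.
# Assumes ExchangeOnlineManagement is installed and the account may change audit config.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$cfg = Get-AdminAuditLogConfig
if ($cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Output "Unified Audit Log ingestion is already enabled."
} else {
    # Same effect as the "start recording user and admin activity" button
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    Write-Output "Enabled. Allow up to 60 minutes before searches return full results."
}

# Re-read the setting so the final state is confirmed, not assumed
$after = (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
Write-Output "UnifiedAuditLogIngestionEnabled is now: $after"

Disconnect-ExchangeOnline -Confirm:$false
```

Running this on a schedule and alerting when the value reads $false is a cheap way to catch someone turning auditing off, which is itself a change worth investigating.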
While compliance may be a driver for log retention, that shouldn’t be the only driver behind your log retention strategy. Generally speaking, having at least one year’s worth of Microsoft 365 audit logs is recommended. This will, in most situations, yield the best benefit for your investigatory and compliance needs.
If your organization suffers a breach or an incident, however, you may find the default retention periods lacking in Microsoft 365. These default retention periods vary depending on licensing, but generally range from 30 to 90 days, with the exception of Advanced Audit.
Determining when the incident occurred and locating the first indicator of a compromise (IoC) may require you to go back further than 7 or 90 days. If your retention policies don’t extend that far, you’ll miss key information in your investigations and reports. Retaining log data for one year enables an incident response team to more easily determine how long an attacker was in an environment.
To combat the limited retention periods that Microsoft offers by default, you have a few different options.
You can export the data in the unified audit log and store it on-prem or in your organization’s primary storage solution.
There are some things to consider when going with this option: How much storage will you need? What is the right mix of hot, cold, and archival tiers to maximize the value of your storage solution? If your storage solution is cloud-based, what are the ingress and egress charges to store and pull the data? This can be costly depending on how you configure your storage solution. You’ll also need someone to manage this solution, which can be complex.
You can increase the retention by upgrading your Microsoft 365 licensing to a tier that gives you longer retention. Advanced Audit, also called Microsoft Purview Audit Premium, is available for organizations with an Office 365 E5, A5, G5 or Microsoft 365 Enterprise G5, A5, E5 license. This enables organizations to retain audit logs in Exchange, SharePoint and Azure AD audit records for one year by default. It also includes an Audit log search tool, which provides access to certain audit records to help determine the scope of an incident.
You will also need to define a log retention policy within the Compliance Admin Center for this to take effect. Additionally, there is a 10-year add-on that Microsoft offers to cover more industry-specific use cases.
Using a SIEM to collect, parse, and retain these logs for you is typically the easiest option for smaller, resource-strapped teams. However, it’s important to choose the right vendor, since many SIEMs require additional infrastructure and licensing for longer retention periods. This can get costly, especially if the vendor charges based on log ingestion.
It’s important to look for a solution that offers a flat fee and retains at least one year of data by default, such as Blumira.
Blumira can help you achieve your Microsoft 365 audit log collection and retention goals. Getting started with the native API integration is simple: Blumira requires only read permissions to the Office 365 Management API to begin ingesting Microsoft 365 logs, and setup takes about 5 to 10 minutes.
However, Blumira is much more than a way to retain Microsoft logs. As a cloud-based detection and response platform, Blumira does things differently by providing more value for better security outcomes, including:
Blumira’s free edition integrates directly with your Microsoft 365 tenant to detect suspicious activity in your environment — at no cost. Get your free account and see the value of Blumira today.