
Monday, April 10, 2017

Office 365 Audit Log Data - How long are my logs retained for?

I'm a big fan of the Unified Audit Log in Office 365. It's a fantastic tool for monitoring user activity for suspicious behavior, getting automated alerts when particular activities occur and investigating data breaches. I'm talking about the central logging facility within Office 365 that collects log data from many Office 365 workloads, and can be searched in the Office 365 Security and Compliance Center: go to https://protection.office.com > click Search & Investigate > click Audit Log Search.

I often get asked the question, how long are Office 365 log entries stored or retained for? There are several answers...


Office 365 Unified Audit Log

Microsoft has stated that audit log entries in the Unified Audit Log are stored for 90 days.

As an admin, you cannot modify this retention period. Once the age of any log entry passes 90 days, it's supposed to be purged from the log. However, I've tested this on several occasions and found that log entries can still be found in the system after the 90 day mark, as in the following example to the right.

Notice in the screenshot, the current date is April 8, 2017 but there are log entries showing up from the week of Dec 5, 2016.


Exchange Online Mailbox Audit Entries

The Unified Audit Log does not include Exchange mailbox data unless you enable Exchange Mailbox Auditing for each mailbox in your tenant. This can only be done through PowerShell. Here is an example of a simple script that you can use to enable mailbox auditing on all mailboxes in your tenant and configure a few useful settings:

#retrieve mailboxes for all users (-ResultSize Unlimited avoids the default cap of 1000 results)
$mailboxes = Get-Mailbox -ResultSize Unlimited

foreach($mailbox in $mailboxes)
{
    if($mailbox.AuditEnabled -eq $false)   # only touch mailboxes that are not yet audited
    {
        Set-Mailbox -Identity $mailbox.UserPrincipalName -AuditEnabled $true -AuditLogAgeLimit 90
        Set-Mailbox -Identity $mailbox.UserPrincipalName -AuditOwner Create,HardDelete,MailboxLogin,Move,MoveToDeletedItems,SoftDelete,Update
        Set-Mailbox -Identity $mailbox.UserPrincipalName -AuditAdmin Copy,Create,FolderBind,HardDelete,MessageBind,Move,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,Update
        Set-Mailbox -Identity $mailbox.UserPrincipalName -AuditDelegate Create,FolderBind,HardDelete,Move,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,Update
    }
}

Once enabled, Exchange Online mailbox audit data is retained by default for 90 days.

Notice the parameter used in the 7th line of my script: -AuditLogAgeLimit. This parameter is the number of days that Exchange mailbox audit data is retained for. The way Exchange mailbox auditing works is that Exchange Online stores the audit log data for a particular mailbox within the mailbox itself, in a hidden folder. A background synchronization process then transfers this log data from Exchange Online to the Office 365 Unified Audit Log; mailbox audit events are transferred to the unified audit log every 30 minutes. In this PowerShell example, I'm setting that parameter to 90 days, which is the default setting. However, you can set it higher, to 180 days for example. Although the Unified Audit Log is supposed to purge data after 90 days, audit data in Exchange Online mailboxes will be retained longer if you set this parameter higher.

You can search mailbox audit data through the Office 365 Unified Audit Log, but you can also search mailbox audit data specifically using the following PowerShell:

Search-MailboxAuditLog
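As an added example (not code from the original post), the following script uses Search-MailboxAuditLog to check how far back mailbox audit data actually goes for each audited mailbox, and compares that with the configured -AuditLogAgeLimit. It assumes an Exchange Online PowerShell session is already connected; the 365-day lookback window and the 250,000 result cap are assumptions you can adjust.

```powershell
# Added example: compare the configured mailbox audit age limit with the oldest
# audit entry that Search-MailboxAuditLog still returns for each mailbox.
# Assumes an Exchange Online PowerShell session is already connected.
$lookbackDays = 365   # assumed: search further back than any limit you expect to see
$now = Get-Date

$report = foreach ($mbx in Get-Mailbox -ResultSize Unlimited | Where-Object { $_.AuditEnabled }) {
    # all logon types, with details, for the whole lookback window
    $entries = @(Search-MailboxAuditLog -Identity $mbx.UserPrincipalName `
        -LogonTypes Owner,Admin,Delegate -ShowDetails `
        -StartDate $now.AddDays(-$lookbackDays) -EndDate $now -ResultSize 250000)

    # LastAccessed is the timestamp of the audited action
    $oldest = $entries | Sort-Object LastAccessed | Select-Object -First 1

    # AuditLogAgeLimit comes back as a timespan string such as 90.00:00:00
    $limitDays = ([TimeSpan]"$($mbx.AuditLogAgeLimit)").Days

    [pscustomobject]@{
        Mailbox        = $mbx.UserPrincipalName
        AgeLimitDays   = $limitDays
        EntryCount     = $entries.Count
        OldestEntry    = if ($oldest) { $oldest.LastAccessed } else { $null }
        OldestEntryAge = if ($oldest) { ($now - $oldest.LastAccessed).Days } else { $null }
        # flag mailboxes where data older than the configured limit is still present
        BeyondLimit    = if ($oldest) { ($now - $oldest.LastAccessed).Days -gt $limitDays } else { $false }
    }
}

$report | Sort-Object OldestEntryAge -Descending | Format-Table -AutoSize
```

Mailboxes flagged BeyondLimit still hold audit entries older than their configured age limit, the same behaviour the post observes for the Unified Audit Log's 90-day purge.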

Advanced Security Management (ASM)

If you have an E5 license or you have the Advanced Security Management license add-on, then ASM will subscribe to the unified audit log and transfer audit log data from Office 365 to its associated Azure instance. You cannot access this Azure instance because it's used internally by ASM; however, you can search audit log entries in ASM by using its audit log UX. To start this audit log transfer process, the first time you access ASM you'll be asked to select a checkbox labeled "Turn on Advanced Security Management in Office 365" and click the "Go to Advanced Security Management" button.

The audit log entries within ASM start with log data transferred from the Office 365 unified audit log. However, they are enhanced with heuristics, with data from the Microsoft Intelligent Security Graph, with IP address ranges and user groups that you identify in ASM, and finally with data that's collected as you manage ASM Alerts.

Advanced Security Management will retain this audit log data for 6 months.

Other Options

If you need to retain audit log data for longer periods of time, there are other options available:
  • You can download log data from the Unified Audit Log using PowerShell: Search-UnifiedAuditLog. You can run a script calling this command for the current day, on a daily basis scheduled using a Windows scheduled task, and store the resulting log file on-premises for as long as you want.
  • You can use the PowerShell cmdlet mentioned to download audit log data daily and integrate it into an on-premises SIEM solution.
  • You can subscribe to one of several hosted solutions which integrate with the Office 365 Unified Audit Log and store audit log entries longer term. An example of one of these solutions is Microsoft Operations Management Suite. This solution will subscribe to the Unified Audit Log in your tenant using the Management Activity API and it will store entries for as long as you wish. You can get more information on this integration here: Microsoft Operations Management Suite with Office 365.
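As an added example of the first two options above (this is not code from the original post), the script below exports the previous full day of Unified Audit Log entries to a dated JSON file that a scheduled task can run once a day. It assumes an Exchange Online PowerShell session is already connected, and the archive folder C:\AuditLogs is a placeholder you should change.

```powershell
# Added example: daily export of the Unified Audit Log for on-premises retention.
# Assumes an Exchange Online PowerShell session is already connected.
$outDir = 'C:\AuditLogs'                   # assumed archive path; change to suit
$day    = (Get-Date).Date.AddDays(-1)      # previous full day
$start  = $day
$end    = $day.AddDays(1)
$dayTag = $day.ToString('yyyy-MM-dd')
$outFile = Join-Path $outDir "UnifiedAuditLog-$dayTag.json"

# a unique session id lets ReturnLargeSet page through the full result set
$sessionId = "UAL-export-$dayTag-$([guid]::NewGuid())"

New-Item -ItemType Directory -Path $outDir -Force | Out-Null

$all = @()
do {
    # each call returns the next page of up to 5,000 records for this session
    $page = @(Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000)
    $all += $page
} while ($page.Count -eq 5000)   # a short page means the session is exhausted

# AuditData is a JSON string; expand it so the archived file is self-describing
$records = $all | Sort-Object CreationDate | ForEach-Object {
    [pscustomobject]@{
        CreationDate = $_.CreationDate
        RecordType   = $_.RecordType
        Operation    = $_.Operations
        UserId       = $_.UserIds
        AuditData    = $_.AuditData | ConvertFrom-Json
    }
}

$records | ConvertTo-Json -Depth 10 | Set-Content -Path $outFile -Encoding UTF8
Write-Host ("Exported {0} audit records for {1} to {2}" -f @($records).Count, $dayTag, $outFile)
```

Each daily file can then be kept on-premises for as long as your retention policy requires, or forwarded to a SIEM, independent of the 90-day window in the service.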

More Information...

Microsoft documentation on searching the Office 365 Unified Audit Log can be found here: Search the audit log in the Office 365 Security & Compliance Center.

You can find more information on Advanced Security Management on this blog at this series of articles:

Enjoy.
-Antonio

4 comments:

  1. Antonio,

    Great presentation at SharePoint Saturday NYC.
    I'm the one who questioned the 90 day maximum retention period for the Unified Audit Log in Office 365.

    It appears that the PowerShell cmdlet auditLogTrimmingRetention parameter = no. of days accepts values up to 2,147,483,647 days, or just over 58796 centuries.
    So a measly value of 7 years or 2520 shouldn't be much.
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/1cd8d0e1-82f7-4472-be77-de02ded1ebf0/sharepoint-2013-audit-log-and-max-period-for-retention?forum=sharepointgeneral

    It appears to be available with SharePoint 2013 on-premises.
    http://sharepoint-works.blogspot.com/2013/07/audit-logging-in-sharepoint-2013.html

    -Oliver Sawtelle
