Monday, April 10, 2017

Office 365 Audit Log Data - How long are my logs retained for?

I'm a big fan of the Unified Audit Log in Office 365. It's a fantastic tool for monitoring user activity for suspicious behavior, getting automated alerts when particular activities occur, and investigating data breaches. I'm talking about the central logging facility within Office 365 that collects log data from many Office 365 workloads and can be searched in the Office 365 Security and Compliance Center: go to https://protection.office.com > click Search & Investigate > click Audit Log Search.

I often get asked how long Office 365 log entries are stored or retained for. There are several answers...


Office 365 Unified Audit Log

Microsoft has stated that audit log entries in the Unified Audit Log are stored for 90 days.

As an admin, you cannot modify this retention period. Once the age of any log entry passes 90 days, it's supposed to be purged from the log. However, I've tested this on several occasions and found that log entries can still be found in the system after the 90-day mark, as in the following example to the right.

Notice in the screenshot, the current date is April 8, 2017 but there are log entries showing up from the week of Dec 5, 2016.


Exchange Online Mailbox Audit Entries

The Unified Audit Log does not include Exchange mailbox data unless you enable Exchange Mailbox Auditing for each mailbox in your tenant. This can only be done through PowerShell. Here is an example of a simple script that you can use to enable mailbox auditing on all mailboxes in your tenant and configure a few useful settings:

# Retrieve all mailboxes in the tenant. Without -ResultSize Unlimited, Get-Mailbox
# returns only the first 1000 mailboxes, so larger tenants would be partially covered.
$mailboxes = Get-Mailbox -ResultSize Unlimited

foreach ($mailbox in $mailboxes)
{
    # Only touch mailboxes that do not already have auditing turned on
    if ($mailbox.AuditEnabled -eq $false)
    {
        # Enable auditing and keep mailbox audit entries for 90 days (the default)
        Set-Mailbox -Identity $mailbox.UserPrincipalName -AuditEnabled $true -AuditLogAgeLimit 90
        # Actions to log when the mailbox owner performs them
        Set-Mailbox -Identity $mailbox.UserPrincipalName -AuditOwner Create,HardDelete,MailboxLogin,Move,MoveToDeletedItems,SoftDelete,Update
        # Actions to log when an administrator performs them
        Set-Mailbox -Identity $mailbox.UserPrincipalName -AuditAdmin Copy,Create,FolderBind,HardDelete,MessageBind,Move,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,Update
        # Actions to log when a delegate performs them
        Set-Mailbox -Identity $mailbox.UserPrincipalName -AuditDelegate Create,FolderBind,HardDelete,Move,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,Update
    }
}

Once enabled, Exchange Online mailbox audit data is retained by default for 90 days.

Notice the -AuditLogAgeLimit parameter on the first Set-Mailbox call in my script. This parameter is the number of days that Exchange mailbox audit data is retained for. The way Exchange mailbox auditing works is that Exchange Online stores the audit log data for a particular mailbox within the mailbox itself, in a hidden folder. A background synchronization process transfers this log data from Exchange Online to the Office 365 Unified Audit Log multiple times per day; mailbox audit events are transferred to the unified audit log every 30 minutes. In this PowerShell example, I'm setting that parameter to 90 days, which is the default. However, you can set it higher, to 180 days for example. Although the Unified Audit Log is supposed to purge data after 90 days, the audit data stored in the Exchange Online mailboxes themselves will be retained for longer if you set this parameter higher.
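Because the effective retention of mailbox audit data is whatever each mailbox's -AuditLogAgeLimit happens to be, it is worth checking the whole tenant before you rely on it in an investigation. The following script is an added example, not part of the original post: it reports every mailbox that either has auditing switched off or keeps audit data for fewer days than a target you choose, and shows (commented out) how to raise the limit. It assumes an Exchange Online PowerShell session is already open (for example via Connect-ExchangeOnline); the 180-day target is the value mentioned above and is only an illustration.

```powershell
# Added example (not from the original post): report mailboxes whose mailbox audit
# retention is shorter than a target value, and optionally raise it.
# Assumes an Exchange Online PowerShell session is already connected.

# Target retention in days. 180 is the example value from the post; the default is 90.
$TargetDays = 180

# AuditLogAgeLimit is an Exchange EnhancedTimeSpan that renders as "d.hh:mm:ss",
# e.g. "90.00:00:00", so parse its string form into a .NET TimeSpan and compare by days.
function Get-AuditAgeDays {
    param($Mailbox)
    return [TimeSpan]::Parse($Mailbox.AuditLogAgeLimit.ToString()).TotalDays
}

# One row per mailbox with the two settings that decide how much evidence survives
$report = Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    [PSCustomObject]@{
        UserPrincipalName = $_.UserPrincipalName
        AuditEnabled      = $_.AuditEnabled
        RetentionDays     = Get-AuditAgeDays $_
    }
}

# Mailboxes with auditing off are a blind spot; mailboxes below target lose evidence first
$gaps = $report | Where-Object { -not $_.AuditEnabled -or $_.RetentionDays -lt $TargetDays }
$gaps | Sort-Object RetentionDays | Format-Table -AutoSize

Write-Host ("{0} of {1} mailboxes are below the {2}-day target or not audited" -f `
    @($gaps).Count, @($report).Count, $TargetDays)

# To raise the limit on the short-retention mailboxes, uncomment the following.
# -AuditLogAgeLimit takes a day count, exactly as in the post's own script.
# $gaps | Where-Object { $_.RetentionDays -lt $TargetDays } |
#     ForEach-Object { Set-Mailbox -Identity $_.UserPrincipalName -AuditLogAgeLimit $TargetDays }
```

Run it read-only first; the Set-Mailbox line is left commented so the report can be reviewed before any retention setting is changed.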

You can search mailbox audit data through the Office 365 Unified Audit Log, but you can also search mailbox audit data specifically using the following PowerShell cmdlet:

Search-MailboxAuditLog
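Here is what a typical investigative query with that cmdlet looks like. This is an added example, not from the original post: it pulls the last 30 days of non-owner (administrator and delegate) activity for a single mailbox, lists each audited action with the source IP and client, and then summarizes who did what. It assumes an Exchange Online PowerShell session is already open; the mailbox address is a placeholder.

```powershell
# Added example (not from the original post): review non-owner access to one mailbox
# using the mailbox audit log directly. Assumes a connected Exchange Online session.
# "finance-shared@contoso.com" is a placeholder mailbox name.

$Mailbox   = "finance-shared@contoso.com"
$EndDate   = Get-Date
$StartDate = $EndDate.AddDays(-30)

# -LogonTypes restricts the search to admin and delegate access (owner actions are left out).
# -ShowDetails returns one row per audited action rather than a per-mailbox summary.
# -ResultSize caps the number of rows returned (the default is 1000).
$events = Search-MailboxAuditLog -Identity $Mailbox -LogonTypes Admin,Delegate `
    -StartDate $StartDate -EndDate $EndDate -ShowDetails -ResultSize 5000

# The columns a reviewer needs: when, who, what, from where, and which item or folder
$events |
    Select-Object LastAccessed, LogonType, LogonUserDisplayName, Operation,
                  ClientIPAddress, ClientInfoString, FolderPathName, ItemSubject |
    Sort-Object LastAccessed -Descending |
    Format-Table -AutoSize

# Summary: which non-owner accounts touched the mailbox, how often, and with which operation
$events |
    Group-Object LogonUserDisplayName, Operation |
    Select-Object Count, Name |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

The operations that appear here are exactly the ones enabled through -AuditAdmin and -AuditDelegate in the script earlier in this post; an action that was not enabled for that logon type will never show up, so the audit configuration and the search go together.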

Advanced Security Management (ASM)

If you have an E5 license or you have the Advanced Security Management license add-on, then ASM will subscribe to the unified audit log and transfer audit log data from Office 365 to its associated Azure instance. You cannot access this Azure instance because it's used internally by ASM; however, you can search audit log entries in ASM by using its audit log UX. To start this audit log transfer process, the first time you access ASM you'll be asked to select a checkbox labeled "Turn on Advanced Security Management in Office 365" and click the "Go to Advanced Security Management" button.

The audit log entries within ASM start with log data transferred from the Office 365 unified audit log. However, they are enhanced with heuristics, with data from the Microsoft Intelligent Security Graph, with IP address ranges and user groups that you identify in ASM, and finally with data that's collected as you manage ASM Alerts.

Advanced Security Management will retain this audit log data for 6 months.

Other Options

If you need to retain audit log data for longer periods of time, there are other options available:
  • You can download log data from the Unified Audit Log using PowerShell: Search-UnifiedAuditLog. You can run a script calling this cmdlet for the current day, on a daily basis scheduled using a Windows scheduled task, and store the resulting log file on-premises for as long as you want.
  • You can use the same cmdlet to download audit log data daily and integrate it into an on-premises SIEM solution.
  • You can subscribe to one of several hosted solutions which integrate with the Office 365 Unified Audit Log and store audit log entries longer term. An example of one of these solutions is Microsoft Operations Management Suite. This solution subscribes to the Unified Audit Log in your tenant using the Management Activity API and stores entries for as long as you wish. You can get more information on this integration here: Microsoft Operations Management Suite with Office 365.
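The first two options above share the same building block: a scheduled script that pulls one day of the Unified Audit Log with Search-UnifiedAuditLog and writes it to a file you control. The script below is an added example, not part of the original post. It exports the previous complete UTC day to a CSV file, pages through result sets larger than 5000 entries, and removes duplicate records before writing. It assumes an Exchange Online PowerShell session (for example via Connect-ExchangeOnline) and that the output folder exists; the C:\AuditExport path is a placeholder.

```powershell
# Added example (not from the original post): export one full day of the Unified Audit Log
# to a local CSV file so it can be kept past 90 days or forwarded to a SIEM.
# Assumes a connected Exchange Online PowerShell session and an existing output folder.
# C:\AuditExport is a placeholder path.

# Export yesterday, midnight to midnight UTC, so daily files line up with log timestamps and
# the day is complete when the task runs (events reach the log with some delay).
$Day       = (Get-Date).ToUniversalTime().Date.AddDays(-1)
$StartDate = $Day
$EndDate   = $Day.AddDays(1)
$OutFile   = "C:\AuditExport\UnifiedAuditLog-{0:yyyy-MM-dd}.csv" -f $Day

# Search-UnifiedAuditLog returns at most 5000 records per call. Repeating the call with the
# same -SessionId and -SessionCommand ReturnLargeSet pages through the whole result set;
# an empty page means the set is exhausted.
$SessionId = "UAL-export-{0:yyyyMMdd}" -f $Day
$records   = @{}   # keyed on the record Identity to drop duplicates (pages are unsorted)

do {
    $page = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
        -SessionId $SessionId -SessionCommand ReturnLargeSet -ResultSize 5000

    foreach ($record in @($page)) {
        if (-not $records.ContainsKey($record.Identity)) {
            $records[$record.Identity] = $record
        }
    }
} while ($page -and @($page).Count -gt 0)

# AuditData is the JSON payload carrying the workload-specific fields (IP address, object,
# result, and so on). Keep it intact so a SIEM can parse it later instead of flattening it here.
$records.Values |
    Select-Object CreationDate, RecordType, Operations, UserIds, Identity, AuditData |
    Sort-Object CreationDate |
    Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8

Write-Host ("Exported {0} unique audit records for {1:yyyy-MM-dd} to {2}" -f `
    $records.Count, $Day, $OutFile)
```

Schedule the script once a day (a Windows scheduled task running powershell.exe -File with this script, as the first bullet describes) and the folder becomes your long-term archive; the daily CSV files are also a convenient unit for a SIEM file-collection input. Because the de-duplication is keyed on the Identity field, re-running the export for a day that was already collected produces the same set of records.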

More Information...

Microsoft documentation on searching the Office 365 Unified Audit Log can be found here: Search the audit log in the Office 365 Security & Compliance Center.

You can find more information on Advanced Security Management on this blog at this series of articles:

Enjoy.
-Antonio

56 comments:

  1. Antonio,

    Great presentation at SharePoint Saturday NYC.
    I'm the one who questioned the 90 day maximum retention period for the Unified Audit Log in Office 365.

    It appears that the PowerShell cmdlet auditLogTrimmingRetention parameter = no. of days accepts values up to 2,147,483,647 days, or just over 58796 centuries.
    So a measly value of 7 years or 2520 shouldn't be much.
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/1cd8d0e1-82f7-4472-be77-de02ded1ebf0/sharepoint-2013-audit-log-and-max-period-for-retention?forum=sharepointgeneral

    It appears to be available with SharePoint 2013 on-premises.
    http://sharepoint-works.blogspot.com/2013/07/audit-logging-in-sharepoint-2013.html

    -Oliver Sawtelle
