Follow me on Twitter @AntonioMaio2

Monday, April 10, 2017

Office 365 Audit Log Data - How long are my logs retained for?

I'm a big fan of the Unified Audit Log in Office 365. Its a fantastic tool for monitoring user activity for suspicious behavior, getting automated alerts when particular activities occur and investigating data breaches. I'm talking about the central logging facility within Office 365 that collects log data from many Office 365 workloads, and can be searched in the Office 365 Security and Compliance Center: Go to https://protection.office.com > Click Search & Investigate > Click Audit Log Search.

I often get asked the question, how long are Office 365 log entries stored or retained for? There are several answers...


Office 365 Unified Audit Log

Microsoft has stated that audit log entries in the Unified Audit Log are stored for 90 days.

As an admin, you cannot modify this retention period. Once the age of any log entry passes 90 days, it's supposed to be purged from the log. However, I've tested this on several occasions and found that log entries can still be found in the system after the 90 day mark, as in the following example to the right.

Notice in the screenshot, the current date is April 8, 2017 but there are log entries showing up from the week of Dec 5, 2016.


Exchange Online Mailbox Audit Entries

The Unified Audit Log does not include Exchange mailbox data unless you enable Exchange Mailbox Auditing for each mailbox in your tenant. This can only be done through PowerShell. Here is an example of a simple script that you can use to enable mailbox auditing on all mailboxes in your tenant and configure a few useful settings:

#retrieve mailboxes for all users
$mailboxes = get-mailbox

foreach($mailbox in $mailboxes)
{
if($mailbox.AuditEnabled -eq $false)
{
Set-Mailbox -identity $mailbox.UserPrincipalName -AuditEnabled $true -AuditLogAgeLimit 90
Set-Mailbox -identity $mailbox.UserPrincipalName -AuditOwner Create,HardDelete,MailboxLogin,Move,MoveToDeletedItems,SoftDelete,Update
Set-Mailbox -identity $mailbox.UserPrincipalName -AuditAdmin Copy,Create,FolderBind,HardDelete,MessageBind,Move,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,Update
Set-Mailbox -identity $mailbox.UserPrincipalName -AuditDelegate Create,FolderBind,HardDelete,Move,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,Update
}
}

Once enabled, Exchange Online mailbox audit data is retained by default for 90 days.

Notice the parameter used in the 7th line of my script: -AuditLogAgeLimit. This parameter is the number of days that Exchange mailbox audit data is retained for. The way Exchange mailbox auditing works is that Exchange Online actually stores audit log data for a particular mailbox within the mailbox itself, in a hidden folder. There is a background synchronization process which transfers this log data multiple times per day from Exchange Online to the Office 365 Unified Audit Log - mailbox audit events are transferred to the unified audit log every 30 minutes. In this PowerShell example, I'm setting that parameter to 90 days, which is the default setting. However, you can set it higher - to 180 days for example. Although the Unified Audit Log is supposed to purge data after 90 days, audit data in Exchange Online mailboxes will be retained longer if you set this parameter higher.

You can search mailbox audit data through the Office 365 Unified Audit Log, but you can also search mailbox audit data specifically using the following PowerShell:

Search-MailboxAuditLog

Advanced Security Management (ASM)

If you have an E5 license or you have the Advanced Security Management license add-on, then ASM will subscribe to the unified audit log and transfer audit log data from Office 365 to its associated Azure instance. You cannot access this Azure instance because its used internally by ASM, however you can search audit log entries in ASM by using its audit log UX. To start this audit log transfer process, the first time you access ASM you'll be asked to select a checkbox labeled "Turn on Advanced Security Management in Office 365" and click the "Go to Advanced Security Management" button.

The audit log entries within ASM start with log data transferred from the Office 365 unified audit log. However, they are enhanced with heuristics, with data from the Microsoft Intelligent Security Graph, with IP address ranges and user groups that you identify in ASM, and finally with data that's collected as you manage ASM Alerts.

Advanced Security Management will retain this audit log data for 6 months.

Other Options

If you need to retain audit log data for longer periods of time, there are other options available:
  • You can download log data from the Unified Audit Log using PowerShell: Search-UnifiedAuditLog. You can run a script calling this command for the current day, on a daily basis scheduled using a Windows scheduled task, and store the resulting log file on premise for as long as you want.
  • You can use the PowerShell cmdlet mentioned to download audit log data daily and integrated it into an on premise SEIM solution.
  • You can subscribe to one of several hosted solutions which integrate with the Office 365 Unified Audit Log and store audit log entries longer term. An example of one of these solutions is Microsoft Operations Management Suite. This solution will subscribe to the Unified Audit Log in your tenant using the Management Activity API and it will store entries for as long as you wish. You can get more information on this integration here: Microsoft Operations Management Suite with Office 365.

More Information...

Microsoft documentation on searching the Office 365 Unified Audit Log can be found here: Search the audit log in the Office 365 Security & Compliance Center.

You can find more information on Advanced Security Management on this blog at this series of articles:

Enjoy.
-Antonio

53 comments:

  1. Antonio,

    Great presentation at SharePoint Saturday NYC.
    I'm the one who questioned the 90 day maxiumum retention period for the Unified Audit Log in Office 365.

    It appears that the PowerShell cmdlt auditLogTrimmingRentention parameter = no. of days accepts values up to 2,147,483,647 days, or just over 58796 centuries.
    So a measly value of 7 years or 2520 shouldn't be much.
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/1cd8d0e1-82f7-4472-be77-de02ded1ebf0/sharepoint-2013-audit-log-and-max-period-for-retention?forum=sharepointgeneral

    It appears to be available with SharePoint 2013 on-premises.
    http://sharepoint-works.blogspot.com/2013/07/audit-logging-in-sharepoint-2013.html

    -Oliver Sawtelle

    ReplyDelete
  2. In many cases, entities and/or their agents don't adhere to this methodology.independent auditing services uk

    ReplyDelete
  3. Nice post.Thank you so much for explaining about TrustShare point.This article very helpful for all people.Thank you for sharing.. Fixed Assets Audit
    Compliance Audit

    ReplyDelete
  4. Amazing post. Keep it up. Much thanks to you such an incredible sum for sharing your beneficial blog. Duplicate Payment Review | Continuous Transaction Monitoring | Duplicate Payment Recovery

    ReplyDelete
  5. Your work is totally appreciative and informative.
    filing cabinet

    ReplyDelete
  6. If I had to choose between resting and reading this blog, I’d definitely go with this blog.Mac trash bin data recovery

    ReplyDelete
  7. I wish to show thanks to you just for bailing me out of this particular trouble. As a result of checking through the net and meeting techniques that were not productive, I thought my life was done.company setup in dubai

    ReplyDelete
  8. When you use a genuine service, you will be able to provide instructions, share materials and choose the formatting style. Odzyskiwanie danych Łódź

    ReplyDelete
  9. This is a smart blog. I mean it. You have so much knowledge about this issue, and so much passion. You also know how to make people rally behind it, obviously from the responses. odzyskiwanie danych Warszawa

    ReplyDelete
  10. This comment has been removed by the author.

    ReplyDelete
  11. Thanks for a useful guide on backup creation ---

    ReplyDelete
  12. Thanks for one marvelous posting! I enjoyed reading it; you are a great author. I will make sure to bookmark your blog and may come back someday. I want to encourage that you continue your great posts, have a nice weekend!auditors in dubai

    ReplyDelete
  13. This is a brilliant blog! I'm very happy with the comments!.. RV campgrounds Lake Buchanan

    ReplyDelete
  14. Telecommuting, where you work at home rather than go into the office, has had a bad press in the past. Many businesses, including SMEs, weren't too sure about it, after all there's no telling how productive someone is going to be if they are not under direct supervision org chart templates

    ReplyDelete
  15. When replacing it, open the process unit cover. Copy Machine

    ReplyDelete
  16. Its as if you had a great grasp on the subject matter, but you forgot to include your readers. Perhaps you should think about this from more than one angle. netsuite data entry

    ReplyDelete
  17. vat consultancy services in uae
    About VAT the Value Added Tax was introduced in the UAE on 1 january 2018.

    ReplyDelete
  18. I definitely enjoying every little bit of it. It is a great website and nice share. I want to thank you. Good job! You guys do a great blog, and have some great contents. Keep up the good work. bookkeeping data entry

    ReplyDelete
  19. They are outsourcing simply because they want to do their main activity with an increase of perfection. Higher Efficiency: If your staff is free of routine and uninteresting procedure for entering information, they are able to deliver better result. quickbooks data entry

    ReplyDelete
  20. They are outsourcing simply because they want to do their main activity with an increase of perfection. Higher Efficiency: If your staff is free of routine and uninteresting procedure for entering information, they are able to deliver better result. quickbooks data entry

    ReplyDelete
  21. very interesting post.this is my first time visit here.i found so mmany interesting stuff in your blog especially its discussion..thanks for the post! https://europa-road.eu/hu/kombajn-szallitas-torokszentmiklos.php

    ReplyDelete
  22. Took me time to read all the comments, but I really enjoyed the article. It proved to be Very helpful to me and I am sure to all the commenters here! It’s always nice when you can not only be informed, but also entertained! shipping and receiving data entry

    ReplyDelete
  23. Is the arrangement guaranteed by SAP? This will be a decent sign for the merchant's devotion to this item. besimple.com/

    ReplyDelete
  24. Independent Escorts in Mumbai ( Sneha Singh )
    These prostitutes are so inviting that you just can conversation to them around anything in this world. Being persistent and caring, they will be all ears when it comes to sharing your issues or distresses that have been frequenting your intellect.
    Check the link for more information:-
    ahmednagar-escorts
    akola-escorts
    amravati-escorts
    aurangabad-escorts

    ReplyDelete
  25. Wow, cool post. I'd like to write like this too - taking time and real hard work to make a great article... but I put things off too much and never seem to get started. Thanks though. Rubbish removal wolverhampton

    ReplyDelete
  26. Thank you of this blog. That’s all I’m able to say. You definitely have made this web site into an item thats attention opening in addition to important. You definitely know a great deal of about the niche, youve covered a multitude of bases. Great stuff from this the main internet. All over again, thank you for the blog. buy bank logs

    ReplyDelete
  27. Essentially, it is unthinkable on the grounds that any service is the interaction and it is difficult to refute that something was. IT company Hamilton

    ReplyDelete
  28. It's acceptable to check this sort of site. I figure I would such a great amount from you.
    Data Science Training in Hyderabad
    Data Science Course in Hyderabad

    ReplyDelete
  29. This would be the appropriate blog for anybody who really wants to find out about this topic. You are aware of so much its practically difficult to argue with you (not too I really would want…HaHa). You certainly put a brand new spin on the topic thats been revealed for years. Excellent stuff, just excellent! brand name suggestions

    ReplyDelete
  30. bp doctor 3.0 pro wearable blood pressure smartwatch If you want to find an accurate fitness tracker, just try this smartwatch.

    ReplyDelete
  31. A physical recovery actually requires the hard drive to undergo some type of repair before the actual data recovery process can begin. Melbourne Data recovery

    ReplyDelete
  32. Experts can sort out and pack your stuff in a viable way. Then again, in the event that you pack your stuff yourself, you will face the challenge of harming your significant things.man with a van hackney

    ReplyDelete
  33. I just thought it may be an idea to post incase anyone else was having problems researching but I am a little unsure if I am allowed to put names and addresses on here. niche relevant

    ReplyDelete
  34. Freight Squirrel offers a freight audit software solution that completes the entire freight auditing process in seconds! It's the perfect freight auditing solution for e-commerce companies. They simply log in to the dashboard, upload their courier invoice and freight system CVS, and input the consignment number, weight, and volume of their shipment. The software does the rest. freight auditing tool

    ReplyDelete
  35. You want to get audit services for your business, you can visit Bigbracketuae for the best auditing and financial

    ReplyDelete
  36. Need a Perfect Business Center in Dubai? Get ready-to-move-in & serviced offices with Spider Business Center. Find here the Best Business Centers in dubai, UAE, cheapest business center for rent on Sheikh Zayed Road.

    ReplyDelete
  37. Choosing the right real estate investing program is one of the most important decisions you can make as a real estate investor.small industrial space for rent

    ReplyDelete
  38. I love reading meaningful and valid information. I found good info on your blog; you are indeed a great webmaster. Keep posting. best kajal in india

    ReplyDelete
  39. This comment has been removed by the author.

    ReplyDelete
  40. This comment has been removed by the author.

    ReplyDelete
  41. This comment has been removed by the author.

    ReplyDelete
  42. This comment has been removed by the author.

    ReplyDelete
  43. бесплатные игровые автоматы, казино вулкан играть онлайн https://vulkanvegas.company/ru. Щедрые бонусы и регулярные акции для новичков.

    ReplyDelete