M365 Auditing Changes and Enhancements, Part 1

[schrolla]

💡 Summary

The M365 unified audit log capability tracks actions taken across many of the M365 services. The log types supported depend on services in use, tenant licensing, and licenses applied to individual users. This epic is built around reviewing existing auditing policies and to determine what updates are feasible and recommended based on both recent service updates and additional audit guidance.

Motivation and context

Auditing is a critical component for monitoring SaaS usage patterns, potential misuse, and detecting threats. Based on the expanded availability of several log types previously only available to Purview Premium and the publication of the Microsoft Expanded Cloud Logs Implementation Playbook, SCuBA baselines should be reviewed and updated to keep pace with these service updates and latest guidance.

Implementation notes

Implementing auditing policy and assessment check enhancements will include:

• Hands-on prototyping to determine the effects of service and policy changes on tenants
• Validating the set of implementation instructions needed to configure new audit settings
• Determining specific set of log types to be configured, if not enabled by default
• Identifying baseline changes to align policy with current best practice guidance and service updates

Acceptance criteria

The following issues are completed

• MS.AAD.4.1v1 centralized log collection policy update determination has been made Revise MS.AAD.4.1v1 Azure AD logs policy based on feedback and pilots #293
• Determined how to add specific log types to unified audit log requirements Investigate enabling audit for additional SharePoint & Exchange actions #308 Review Microsoft unified auditing changes #474
• Baseline adds/changes/removals identified to support findings from audit investigation