Auditing and logging

Protect data by maintaining visibility and responding quickly to timely security alerts

Auditing and logging of security-related events, and related alerts, are important components in an effective data protection strategy. Security logs and reports provide you with an electronic record of suspicious activities and help you detect patterns that may indicate attempted or successful external penetration of the network, as well as internal attacks. You can use auditing to monitor user activity, document regulatory compliance, perform forensic analysis, and more. Alerts provide immediate notification when security events occur.

Microsoft business services and products provide you with configurable security auditing and logging options to help you identify gaps in your security policies and mechanisms and address those gaps to help prevent breaches. Microsoft services offer some (and in some cases, all) of the following options: centralized monitoring, logging, and analysis systems to provide continuous visibility; timely alerts; and reports to help you manage the large amount of information generated by devices and services.

Microsoft Azure log data can be exported to Security Incident and Event Management (SIEM) systems for analysis. And Windows Server 2016 provides basic and advanced security auditing and integrates with third-party auditing solutions.

Secure identity

Configuration of the security auditing features in Microsoft business products and services, along with access to security audit logs, is restricted to administrators. The identities of administrative users are authenticated through Active Directory on Windows Server 2016 or Azure Active Directory in the cloud.

Windows Server 2016 adds support for group membership expiration, which means you can give a user administrative privileges for a limited time (Just in Time administration), as well as limited administrative rights (Just Enough Administration). Azure and Microsoft Office 365 support multifactor authentication in the cloud.

Secure infrastructure

Microsoft provides monitoring and logging technologies to give you maximum visibility into the activity on your cloud-based network, applications, and devices, so you can identify potential security gaps. The ability to collect and analyze such information and filter it to fit your criteria is essential for identifying patterns and trends on your network. If security events do happen, you have access to information to assist you in conducting investigations that are an important part of the incident response process. You can use this data to plan and implement better protection for your infrastructure, with the goal of proactively preventing future incidents and improving security for your resources and data.

Detailed security audit trails are also required for compliance with government and industry regulations.

Microsoft provides many options for auditing and logging security events.

  • Security event logs are customizable to fit your security and reporting needs and can help you keep track of activities that could pose a threat to your virtual machines in the cloud or your systems on-premises.
  • Audit policies define the types of events and users that will be audited.
  • Security alerts are communications—sent through dashboards, email, or other means—that notify you when a security-related event is occurring or has occurred.
  • Export tools can send your data to a third-party SIEM.
  • Third-party monitoring and alerting tools, available from the Azure Marketplace, can enhance the effectiveness of your auditing and reporting.
  • Azure Security Center provides a centralized portal from which you can secure your Azure deployments and prevent, detect, and respond to threats with increased visibility into the security of your Azure resources. Azure Security Center provides focused security recommendations and rapid deployment of integrated partner technologies. It uses behavioral analytics and machine learning for effective threat detection and helps you build an attack timeline for faster remediation.

Learn more about Azure Security Center

Secure apps and data

Microsoft products and services have built-in security features like auditing and logging, which provide visibility into your security events and status.

Expand all

Azure auditing and logging capabilities enable you to:

  • Create an audit trail for applications deployed in Azure and virtual machines created from the Azure Virtual Machines Gallery. Azure enables a set of operating system security events by default. You can add, remove, or modify events to be audited by customizing the audit policy. In addition to generating Windows event logs, you can configure operating system components to generate logs for security analysis and monitoring.

    Learn more about security logging and audit log collection
  • Perform centralized analysis of large data sets by collecting security events from Azure infrastructure as a service (IaaS) and platform as a service (PaaS). You can then use HDInsight to aggregate and analyze these events, and export them to on-premises SIEM systems for ongoing monitoring.

    Learn more about HDInsight
  • Monitor access and usage reporting by taking advantage of Azure logging of administrative operations, including system access, to create an audit trail in case of unauthorized or accidental changes. You can retrieve audit logs for your Azure Active Directory tenant, and view access and usage reports. This helps you gain visibility into the integrity and security of your deployment, and better determine where possible security risks may lie. In the Azure Management Portal, you can view usage and asset reports that include anomalous sign-in events, user-specific reports, and activity logs.

    Learn more about using access and usage reports
  • Export security alerts to on-premises SIEM by using Azure Diagnostics, which can be configured to collect Windows security event logs and other security-specific logs. You can also export this data into a third-party, on-premises SIEM system for analysis and alerting.

    Learn more about enabling Azure Diagnostics
  • Get third-party security monitoring, reporting, and alert tools from the Azure Marketplace, including:

Microsoft Professional Services takes a risk-based approach to logging and auditing its systems. Baseline log requirements are assessed and implemented during development. For systems that present a moderate to high risk—based on sensitivity, volume of data, and other criteria—Microsoft Professional Services logs any access to, and alteration of, data. Logs enable the detection of security incidents that have occurred or are in progress, and give investigators enough information to understand the events and circumstances surrounding an incident, including the name of the employee accessing the data, what was accessed, and when.

You can use database logging to track specific types of changes in Dynamics 365. For example, you can create an auditable record of changes to specific tables that contain sensitive information.

See an auditing overview for Dynamics 365

The key to a secure deployment of computers and mobile devices in an organization is the ability to monitor their status. Intune provides the license status of all devices, as well as a list of actions that can affect them, such as the ability to wipe a device remotely. In addition, Intune provides two ways to monitor devices managed by Intune:

  • Reports help you monitor device status, including software update status, software installed, and compliance. Reports also enable you to review the hardware and software inventory data that Intune collects.
  • Alerts help you monitor the health of devices, including endpoint protection status and warnings about malware, scarcity of disk space, and network connectivity.

Learn more about your Intune device inventory

Office 365 auditing policies enable you to log events, such as viewing, editing, and deleting content like email messages, documents, task lists, issues lists, discussion groups, and calendars. When auditing is enabled as part of an information management policy, you can view reports on audit data and summaries of current usage. You can also use these reports to determine how information is used within the organization, to manage compliance and investigate areas of concern.

For business, legal, or regulatory reasons, you may have to retain email messages sent by (and to) users in your organization. Or, you may want to remove email that you aren't required to retain. Office 365 includes messaging records management technology, so that you can control how long messages stay in users’ mailboxes, and define what happens to these messages after a specified time limit.

Learn more about Office 365 security

With the Azure Audit logs content pack for Power BI, you can analyze and visualize audit logs from Azure services. You can use Power BI to retrieve Azure data, build an out-of-the box dashboard, and create reports based on that data. You can then see all the data in one place and analyze it to gain new insights. You can filter the reports and add fields that you want to monitor. You can also control the refresh timing of the data in the dashboard, which refreshes the underlying reports to give you the most current information.

Learn more about analyzing and visualizing Azure Audit logs by using Power BI

Visual Studio Team Services (Team Services) uses the Azure PaaS infrastructure and many Azure core services, including event logging, access monitoring, usage reporting, Azure Blob Storage, and Azure SQL data storage. Under Azure, activities are logged and real-time alerts detect intrusion.

Team Services also relies on Microsoft Team Foundation Server, which provides data collection, storage of configuration objects, and management and reporting functions for the Visual Studio Integrated Development Environment (IDE). Team Foundation Server logs successful and failed logons and server resource access. It also tracks the history of work items—who opened them, and what changes were made. You can view this information through the web portal or Team Explorer.

Learn more about Team Services logging

Windows Server 2016 builds on the auditing and logging capabilities of previous versions to provide an audit trail of events that occur on the server. In fact, Microsoft now provides its customers with the same auditing and logging capabilities in their environments that we use in our internal Microsoft Security Operations team

You can apply audit policy settings to local files or folders to track access to your data, and you can audit removable drives. You can configure auditing with Group Policy, including an advanced audit policy to configure expression-based auditing, which enables you to specify more specific types of activity to audit. Audit information is written to the Windows Security log and is viewable by administrators in the Event Viewer. We also added more specific subcategories for audit events and sign-in events and included more detailed information to make them easier to analyze.

Learn more about enhanced auditing in Windows Server 2016