Audit log considerations for Australian Government compliance with PSPF
This article provides guidance for Australian Government organizations on the Microsoft 365 audit log. It is intended to help government organizations to increase their security and compliance maturity while adhering with requirements outlined in the Protective Security Policy Framework (PSPF) and Information Security Manual (ISM).
The Microsoft 365 audit log is a unified logging service that captures events from multiple services and applications across the Microsoft 365 platform. It provides a single location for viewing audit data for Microsoft 365 services such as Exchange Online, SharePoint, OneDrive, Microsoft Teams, Power BI, and more.
The audit log can be used to track user and administrator activity in your organization, including activities relating to sensitivity labeling. For information regarding the Microsoft Purview and Data Loss Prevention (DLP) events that are captured in the audit log, see Microsoft Purview audit log activities via Microsoft 365 Management.
The audit log is important for Microsoft Purview deployments as:
- The audit log retains decisions around who applied labels to items.
- The audit log retains information around label changes, including label change justifications.
- The audit log provides information regarding incoming and outgoing items.
- The audit log provides visibility into events for longer time periods than other reporting locations where Microsoft 365 activities are visible (for example, events are visible in activity explorer for 30 days).
Audit log retention requirements
The need for extended retention is covered under the following ISM requirement:
| Requirement | Detail |
|---|---|
| ISM-0859 (June 2024) | Event logs, excluding those for Domain Name System services and web proxies, are retained for at least seven years. |
The default length of time that audit log data is retained for is tied to the Microsoft 365 licensing level. Organizations with E3 licenses have audit log retention for 90 days. Organizations with E5 licensing have retention for Entra, Exchange Online, OneDrive, and SharePoint are one year.
Audit log retention policies extend retention of audit information for a set of activities. Audit policies can be configured to retain audit information for up to 10 years.
Long-term retention of audit information requires Audit (Premium) licenses. For more information on audit log retention, see auditing solutions in Microsoft Purview.
SIEM Integration
Security Information and Event Management systems (SIEMs) are designed to help organization to detect, analyze, and respond to security threats before they harm business operations. SIEMs ingest log information and provide analysis of events. SIEMs are used to increase velocity of threat detection, support security incident, event management, and compliance.
Microsoft Sentinel is a scalable, cloud-native SIEM that delivers an intelligent and comprehensive solution for SIEM and security orchestration, automation, and response (SOAR). This means Microsoft Purview events ingested into Sentinel (or an equivalent SIEM), are easily analyzed and can produce advanced reports..
For more information on how Sentinel can be configured to ingest Microsoft 365 audit log data, see How to use Office 365 Audit Data with Microsoft Sentinel..