Overview of log sources across major cloud platforms
Made by Christian Henriksen, Sagalabs.dk

| Source | Contents | Log Name | Note | Default Retention | Data Volume | Location | Recommendation | Impact |
|---|---|---|---|---|---|---|---|---|
| Purview | Authentication events | unified_audit_log | Records all authentication and M365 activity. One of the most valuable logs from Azure. Enabled by default on modern tenants, but may need to be manually enabled on older tenants. | 180 days | High | Security Center > Audit Logs | Enable long-term storage and SIEM integration | Very important |
| Entra ID | Sign-in logs | SignInLogs | Tracks user sign-in activity | Free: 7 days, P1/P2: 30 days | Medium | Entra ID > Monitoring > Sign-ins | Archive for at least 1 year | Very important |
| Entra ID | Managed identity sign-ins | ManagedIdentitySignInLogs | Tracks managed identity authentication | Free: 7 days, P1/P2: 30 days | Medium | Entra ID > Monitoring > Sign-ins | Archive for at least 1 year | Very important |
| Entra ID | Non-interactive user sign-ins | NonInteractiveUserSignInLogs | Tracks token-based authentication without user interaction, including service principal and app token usage | Free: 7 days, P1/P2: 30 days | Medium | Entra ID > Monitoring > Sign-ins | Archive for at least 1 year | Very important |
| Entra ID | Service principal sign-ins | ServicePrincipalSignInLogs | Tracks authentication by apps and services using service principals (non-user identities) | Free: 7 days, P1/P2: 30 days | Medium | Entra ID > Monitoring > Sign-ins | Archive for at least 1 year | Very important |
| Entra ID | AD FS sign-ins | ADFSSignInLogs | Tracks sign-ins where Active Directory Federation Services (AD FS) was used as the identity provider. Requires AD FS integration | Free: 7 days, P1/P2: 30 days | Medium | Entra ID > Monitoring > Sign-ins | Archive for at least 1 year | Very important |
| Entra ID | Tenant-wide actions | AuditLogs | Records admin actions such as app registration | Free: 7 days, P1/P2: 30 days | Low | Entra ID > Monitoring > Audit logs | Archive for at least 1 year | Very important |
| Subscription | Resource creation/deletion/access | activitylogs | Requires configuration per subscription | 90 days | Very High | Subscription > Activity Log | Archive for at least 90 days | Important |
| Operating System | Windows event logs | WADWindowsEventLogsTable | Requires agent installation on VMs | None | Very High | VM settings > Diagnostics | Configure based on security requirements | Important |
| Operating System | Linux event logs | LinuxSyslogVer20 | Requires agent installation on VMs | None | Very High | VM settings > Diagnostics | Configure based on security requirements | Important |
| Resource | Resource-specific events | Each resource has its own log | Varies by resource type | None | Very High | Resource > Diagnostic Settings | Enable read logging at minimum | Very important |
| Resource | Read access to storage containers | StorageRead | Configure for each storage container | None | Very High | Storage Account > Diagnostics | Enable read logging at minimum | Very important |
| Resource | Network flow logs | NetworkSecurityGroupFlowEvent | Configure for each NSG | None | Extremely High | NSG > Diagnostic settings | Archive for at least 30 days | Nice to have |
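The Entra ID rows above only reach the 1-year recommendation when the sign-in and audit categories are forwarded by a diagnostic setting to a destination whose retention is long enough; otherwise the 7/30-day portal retention is all you have. The script below is an added example, not part of the original table or of any Microsoft tooling: it reads a diagnostic-settings export (a constructed sample in the shape of `az monitor diagnostic-settings list` output, with placeholder subscription and workspace names) and reports which recommended categories are not forwarded and which are forwarded to a workspace whose `retentionInDays` falls short of the table's recommendation. The 365-day threshold is the table's "at least 1 year"; the workspace retention value is passed in by the caller because, for a Log Analytics destination, retention is a property of the workspace or table rather than of the diagnostic setting.

```python
"""Audit an Entra ID diagnostic-settings export against the recommendations in the table."""
import json

# Entra ID diagnostic categories from the table and the minimum archive period it
# recommends for each (365 days = "at least 1 year").
RECOMMENDED_MIN_DAYS = {
    "SignInLogs": 365,
    "NonInteractiveUserSignInLogs": 365,
    "ServicePrincipalSignInLogs": 365,
    "ManagedIdentitySignInLogs": 365,
    "ADFSSignInLogs": 365,
    "AuditLogs": 365,
}

# Constructed sample export (assumption: field names follow the ARM
# Microsoft.Insights/diagnosticSettings shape returned by `az monitor diagnostic-settings list`).
# The setting name, subscription id and workspace path are placeholders, not a real tenant.
SAMPLE_EXPORT = json.dumps([
    {
        "name": "entra-to-workspace",
        "workspaceId": "/subscriptions/<sub-id>/resourceGroups/rg-sec/providers/"
                       "Microsoft.OperationalInsights/workspaces/law-sec",
        "logs": [
            {"category": "SignInLogs", "enabled": True},
            {"category": "AuditLogs", "enabled": True},
            {"category": "NonInteractiveUserSignInLogs", "enabled": False},
            {"category": "ServicePrincipalSignInLogs", "enabled": True},
            # ManagedIdentitySignInLogs and ADFSSignInLogs are absent from the setting entirely.
        ],
    }
])


def enabled_categories(export_json):
    """Return the set of log categories that at least one diagnostic setting forwards."""
    enabled = set()
    for setting in json.loads(export_json):
        for log in setting.get("logs", []):
            if log.get("enabled"):
                enabled.add(log["category"])
    return enabled


def audit_entra_diagnostics(export_json, workspace_retention_days, required=RECOMMENDED_MIN_DAYS):
    """Compare an export against the recommended categories and retention.

    Returns a dict with two sorted lists:
      not_forwarded   - recommended categories no enabled setting forwards (only the
                        7/30-day portal retention applies to these)
      short_retention - forwarded categories whose destination workspace keeps data
                        for fewer days than the table recommends
    """
    forwarded = enabled_categories(export_json)
    not_forwarded = sorted(cat for cat in required if cat not in forwarded)
    short_retention = sorted(
        cat for cat in required
        if cat in forwarded and workspace_retention_days < required[cat]
    )
    return {"not_forwarded": not_forwarded, "short_retention": short_retention}


if __name__ == "__main__":
    # Assumed workspace retention of 90 days (the Log Analytics default for many tables).
    findings = audit_entra_diagnostics(SAMPLE_EXPORT, workspace_retention_days=90)
    for cat in findings["not_forwarded"]:
        print(f"NOT FORWARDED: {cat}")
    for cat in findings["short_retention"]:
        print(f"SHORT RETENTION: {cat} (workspace keeps 90 days, recommended {RECOMMENDED_MIN_DAYS[cat]})")
```

In practice the export would come from `az monitor diagnostic-settings list` against the Entra ID resource and the retention value from the workspace's `retentionInDays`; the same comparison extends to the other rows by adding their categories (for example `StorageRead` with a 90-day minimum) to the `required` mapping.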