NEWS: It was announced at Microsoft Ignite 2018 that audit log retention policies can be set for 1 year.
As a disclaimer, this blog is intended to address only Microsoft-based systems and environments. It is not a complete approach but an overview of the capabilities and functionality available to assist in your overall approach.
The NIST 800-171 Control Family 3.3, entitled "Audit and Accountability", is established to track system activity of all types, maintain records of those activities, and track who is handling those records. For ease of access, I've copied the excerpted section below for reference.
Basic Security Requirements
3.3.1 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
3.3.3 Review and update logged events.
3.3.4 Alert in the event of an audit logging process failure.
3.3.5 Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.
3.3.6 Provide audit record reduction and report generation to support on-demand analysis and reporting.
3.3.7 Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.
3.3.8 Protect audit information and audit logging tools from unauthorized access, modification, and deletion.
The Yin and Yang of 3.3 Audit and Accountability
A Cloud Solution for Security and Compliance Goals... and Your Wallet
- Microsoft is processing 260 Billion "information sources" on a monthly basis in Auditing Services across their client base.
- Auditing Service in Office 365 can monitor and provide "on demand analysis" (3.3.6) for over 900 user operations within your ecosystem of information systems.
- 15+ services, or information systems, are supported by the native Office 365 Auditing Service.
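As an added example (not code from the original post), the following Security & Compliance PowerShell snippet ties the capabilities above to three of the requirements: it checks that unified audit log ingestion is still on (3.3.4), creates a one-year retention policy using the option announced at Ignite 2018 (3.3.1), and runs an on-demand query with basic record reduction (3.3.6). It assumes an already-established Connect-IPPSSession session; the policy name, priority, record types and operations are assumed values chosen for illustration, and GCC High tenants connect through the .us endpoints, which are not shown here.

```powershell
# Added example, not from the original post. Assumes an existing
# Security & Compliance PowerShell session (Connect-IPPSSession).

# 3.3.4: a silently disabled unified audit log is an audit logging process
# failure, so verify ingestion is enabled and raise an alert if it is not.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit log ingestion is DISABLED - raise an alert (3.3.4)."
}

# 3.3.1: retain identity and Exchange admin records for one year.
# Policy name, description and priority are assumed values.
New-UnifiedAuditLogRetentionPolicy -Name "NIST-3.3.1-OneYear" `
    -Description "One-year retention for identity and admin audit records" `
    -RecordTypes AzureActiveDirectory, AzureActiveDirectoryStsLogon, ExchangeAdmin `
    -RetentionDuration TwelveMonths `
    -Priority 100

# 3.3.6: on-demand analysis. Pull the last 7 days of selected operations,
# paging through large result sets with a session id (5000 records per page).
$start = (Get-Date).AddDays(-7)
$end = Get-Date
$sessionId = "nist-3.3.6-" + [guid]::NewGuid().ToString()
$all = @()
do {
    $batch = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -Operations "UserLoggedIn", "FileDeleted", "Set-Mailbox" `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($batch) { $all += $batch }
} while ($batch -and $batch.Count -eq 5000)

# Audit record reduction for reporting: the AuditData column is JSON, so parse
# it and summarize event counts by operation and user.
$all | ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Group-Object Operation, UserId |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 20
```

Run the retention policy creation once per tenant; the ingestion check and the query are suitable for a scheduled job whose warning output feeds your alerting pipeline.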
Office 365 GCC Meets Every Requirement in 3.3 Audit and Accountability for Your Microsoft Cloud Enterprise
Wrapping It All Up
For additional details and background on the referenced data points and releases, check out this session from Microsoft Ignite 2018. This blog is one of many to come addressing each control family in NIST 800-171 with an overview of capabilities in Office 365 GCC High. We also hope to pair each of these with a video for those who dislike reading or want the general overview. Shoot us questions if you need specifics or further explanations.