
Control 8.15: Logging


Summary

Logs that record activities, exceptions, faults and other relevant events should be produced, kept and periodically reviewed. This provides the digital paper trail necessary for security monitoring, incident investigation, and regulatory audit.


Applicability

In-Scope: Mandatory for all organizations. Logging is the foundation of detection and forensic analysis; without logs, it is impossible to know what occurred during a security incident.

Out-of-Scope: Never out-of-scope.


Implementation Guidance

Microsoft 365 / Entra ID

  • Unified Audit Log: Ensure that the Microsoft 365 Unified Audit Log is enabled so that user and admin activity is captured across all services (Teams, SharePoint, Exchange), and confirm that records are actually being ingested rather than assuming the setting is on.

  • Sentinel Integration: Stream all security-relevant logs into Microsoft Sentinel (SIEM) for centralized storage, long-term retention, and automated threat detection.

  • Log Protection: Configure Azure Monitor to store logs in immutable (Write Once, Read Many) storage so that an attacker who gains administrative access cannot modify or delete them to hide their activity.
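The first bullet is only satisfied if logging is both switched on and producing records. The following script is an added example, not part of the original page or any Microsoft documentation; it assumes the Exchange Online Management PowerShell module is installed and that the signed-in account is permitted to read the audit configuration and the audit log.

```powershell
# Added example: confirm the Microsoft 365 Unified Audit Log is enabled and ingesting.
# Assumes the ExchangeOnlineManagement module and an account allowed to read the
# audit configuration (e.g. a Compliance or Exchange admin role).
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in

# 1. Is ingestion enabled at all?
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning 'Unified Audit Log ingestion is OFF; enabling it now.'
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
} else {
    'Unified Audit Log ingestion is enabled.'
}

# 2. Is anything actually flowing? Ask for a single record from the last 24 hours.
#    A tenant with an enabled but empty log is a finding, not a pass.
$recent = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) `
                                 -EndDate   (Get-Date) `
                                 -ResultSize 1
if ($recent) {
    "Ingestion confirmed: most recent record at $($recent.CreationDate) ($($recent.Operations))"
} else {
    Write-Warning 'No audit records in the last 24 hours; ingestion was just enabled or is failing.'
}
```

Keep the transcript of this check (setting state plus the timestamp of the most recent record) with the evidence pack; it answers the "is logging enabled" question with data rather than a screenshot of a checkbox.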


Evidence Checklist

  • Logging Policy: Documented requirements for which events must be logged and how long those logs must be retained.

  • Sample Logs: Excerpts from the audit logs showing successful and failed login attempts, administrative changes, and data access.

  • Review Records: Evidence of periodic reviews of system logs to identify unusual or suspicious activity.


Practical Audit Advice

Here are some questions an auditor is likely to ask:

  • How do you ensure that logs are protected from being tampered with or deleted by a user with administrative privileges?

  • What is the organization's log retention period, and does it meet the requirements for forensic investigations (typically 90 days or more)?

  • How are high-risk events (like the creation of a new Global Admin) flagged for immediate review?

  • Can you demonstrate how you would search the logs to identify all actions taken by a specific user during a specific 24-hour window?
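The last two questions can be answered with one search. The script below is an added example, not part of the original page or any vendor documentation; it assumes the Exchange Online Management module, an account that can read the Unified Audit Log, a placeholder user principal name and window start, and that Entra ID role-assignment records expose the granted role under a ModifiedProperties entry named 'Role.DisplayName' (an assumption about the record schema, so verify against your own logs).

```powershell
# Added example: every Unified Audit Log action by one user in a 24-hour window,
# with high-risk operations (such as adding a member to an admin role) flagged.
# Assumes the ExchangeOnlineManagement module; UPN and window start are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$user        = 'user@contoso.example'              # placeholder UPN
$windowStart = [datetime]'2024-01-01T00:00:00Z'     # placeholder window start (UTC)
$windowEnd   = $windowStart.AddHours(24)

# Operations that warrant immediate review (constructed list; extend for your tenant).
$highRisk = @('Add member to role.', 'Add user.', 'Set-Mailbox', 'New-InboxRule', 'Set-InboxRule')

# Search-UnifiedAuditLog returns at most 5000 records per call, so page with a session.
$sessionId = "audit-$($user.Replace('@','_'))-$($windowStart.ToString('yyyyMMdd'))"
$records = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $windowStart -EndDate $windowEnd `
                                   -UserIds $user -SessionId $sessionId `
                                   -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($page) { $records += $page }
} while ($page -and $page.Count -eq 5000)

# Each record carries its detail as a JSON string in AuditData; flatten the fields an auditor asks for.
$events = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $r.CreationDate
        Workload  = $d.Workload
        Operation = $r.Operations
        Object    = $d.ObjectId
        ClientIP  = $d.ClientIP
        Result    = $d.ResultStatus
        HighRisk  = $highRisk -contains $r.Operations
        # Assumption: role grants record the role name under ModifiedProperties 'Role.DisplayName'.
        Role      = ($d.ModifiedProperties | Where-Object Name -eq 'Role.DisplayName').NewValue
    }
}

# Full timeline for the evidence pack, plus the subset that needs a reviewer's sign-off.
$events | Sort-Object Time | Format-Table -AutoSize
$events | Where-Object HighRisk |
    Export-Csv -NoTypeInformation -Path ".\$($user.Replace('@','_'))-highrisk.csv"
```

Results returned with ReturnLargeSet are not ordered, which is why the script sorts by Time before presenting them; the exported CSV of flagged events, together with a note of who reviewed it and when, is exactly the "review record" the evidence checklist above asks for.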