Unified audit log enabled + streamed to SIEM
Demonstrate that unified audit logging is enabled across all relevant cloud services and that audit events are continuously streamed to an independent SIEM platform for monitoring and retention.
Description
What this control does
This control ensures that the unified audit log in Microsoft 365 (or the equivalent tenant-level logging service of another cloud provider) is enabled and configured to capture user, admin, and system activity across all services. Logs must be streamed in near real time to a Security Information and Event Management (SIEM) system for centralized monitoring, correlation, and long-term retention. Consolidating audit events outside the tenant, beyond the reach of tenant-privileged insiders, supports detection of suspicious activity, compliance reporting, and forensic investigation.
Control objective
What auditing this proves
Demonstrate that unified audit logging is enabled across all relevant cloud services and that audit events are continuously streamed to an independent SIEM platform for monitoring and retention.
Associated risks
Risks this control addresses
- Insider threat actions (privilege escalation, data exfiltration, unauthorized access) go undetected due to lack of centralized visibility
- Attacker with compromised admin credentials disables or deletes audit logs within the tenant to cover their tracks
- Regulatory non-compliance due to insufficient audit trail retention or inability to produce evidence during investigations
- Delayed incident response because the security team lacks real-time alerting on suspicious authentication or data access events
- Forensic investigation failure when logs are not available beyond the cloud provider's default retention period
- Lateral movement and account compromise remain undetected due to lack of cross-service activity correlation
Testing procedure
How an auditor verifies this control
- Access the Microsoft 365 Compliance Center (or equivalent cloud admin console) and navigate to audit log configuration settings.
- Verify that unified audit logging is enabled at the tenant level and confirm the scope includes all critical services (Exchange, SharePoint, OneDrive, Azure AD, Teams).
- Review the SIEM integration configuration to identify the method used for log forwarding (e.g., API connector, Azure Event Hub, native integration).
- Obtain evidence of active log streaming by querying the SIEM for recent audit events from the cloud tenant within the past 24 hours.
- Select a sample of 10–15 recent administrative actions from the cloud audit log and verify each corresponding event exists in the SIEM with matching timestamps and details.
- Review SIEM retention policies and confirm audit logs are retained for the required compliance period (typically 1–7 years depending on regulatory obligations).
- Test alerting functionality by reviewing a recent alert triggered by a high-risk event (e.g., privileged role assignment, mass file deletion) and confirm the alert was generated from streamed audit data.
- Interview the security operations team to confirm they monitor and respond to alerts derived from the unified audit log stream.
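As an added example that is not part of this control catalog, the following Python reconciles a sample of tenant audit records against the copies the SIEM ingested, covering the 24-hour streaming check and the sample-matching step above. The tenant records use the AuditData JSON fields the unified audit log export emits (Id, CreationTime, Operation, UserId); the SIEM field names and all sample values are constructed assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of tenant records, using the AuditData JSON fields that
# Search-UnifiedAuditLog and the audit log export emit (Id, CreationTime, Operation, UserId).
TENANT_SAMPLE_JSON = """[
 {"Id": "aaaaaaaa-0000-4000-8000-000000000001", "CreationTime": "2024-05-01T10:15:30",
  "Operation": "Add member to role.", "UserId": "admin@contoso.example", "Workload": "AzureActiveDirectory"},
 {"Id": "aaaaaaaa-0000-4000-8000-000000000002", "CreationTime": "2024-05-01T10:20:05",
  "Operation": "FileDeleted", "UserId": "user@contoso.example", "Workload": "SharePoint"},
 {"Id": "aaaaaaaa-0000-4000-8000-000000000003", "CreationTime": "2024-05-01T10:25:00",
  "Operation": "Set-Mailbox", "UserId": "admin@contoso.example", "Workload": "Exchange"}
]"""

# Constructed sample of what the SIEM returned for the same window; the field names
# (audit_id, event_time, operation, user) are assumed, since they depend on the SIEM parser.
SIEM_EVENTS = [
    {"audit_id": "aaaaaaaa-0000-4000-8000-000000000001", "event_time": "2024-05-01T10:15:31",
     "operation": "Add member to role.", "user": "admin@contoso.example"},
    # record ...0002 never arrived in the SIEM
    {"audit_id": "aaaaaaaa-0000-4000-8000-000000000003", "event_time": "2024-05-01T11:25:00",
     "operation": "Set-Mailbox", "user": "admin@contoso.example"},  # one hour of drift
]

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)  # UTC, no offset

def reconcile(tenant_json, siem_events, tolerance=timedelta(seconds=60)):
    """Return (audit_id, problem) for every sampled tenant record the SIEM copy fails to match."""
    by_id = {e["audit_id"]: e for e in siem_events}
    findings = []
    for rec in json.loads(tenant_json):
        copy = by_id.get(rec["Id"])
        if copy is None:
            findings.append((rec["Id"], "missing from SIEM"))
        elif copy["operation"] != rec["Operation"] or copy["user"] != rec["UserId"]:
            findings.append((rec["Id"], "operation or user differs"))
        elif abs(parse_ts(rec["CreationTime"]) - parse_ts(copy["event_time"])) > tolerance:
            findings.append((rec["Id"], "timestamp differs by more than tolerance"))
    return findings

def stream_is_current(siem_events, now, max_age=timedelta(hours=24)):
    """Streaming check: the SIEM holds at least one tenant audit event from the last 24 hours."""
    newest = max(parse_ts(e["event_time"]) for e in siem_events)
    return now - newest <= max_age

if __name__ == "__main__":
    print(reconcile(TENANT_SAMPLE_JSON, SIEM_EVENTS))
    print("stream current:", stream_is_current(SIEM_EVENTS, datetime.now(timezone.utc)))
```

A missing record points at a forwarding gap, while a large timestamp difference usually means the SIEM is stamping ingestion time instead of the event's CreationTime; both should be raised as findings rather than explained away.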
Where this control is tested