Field note
Audit Logs and Evidence: What to Capture Before Assessment Week
The best evidence packs are built before anyone is under pressure. When logs, exports, and ownership are already in place, assessment work becomes a review exercise instead of a scramble.
Security teams often treat evidence like admin overhead. That is a mistake.
In Microsoft 365, evidence is part of the control. If you cannot show who had access, what changed, when it changed, and what the tenant was doing at the time, you are left arguing from memory. That gets messy fast during an assessment, a customer review, or an incident.
The good news is that Microsoft 365 gives you more native logging than many teams realise. Microsoft says Purview Audit (Standard) is enabled by default for supported organisations and keeps audit records for 180 days (Audit (Premium) licences extend that window). Mailbox auditing is also on by default in Microsoft 365 organisations. That gives you a decent base, as long as you know what to pull, how far back it goes, and who owns it.
The evidence pack I would build first
Keep it small and useful.
| Area | Evidence to capture |
|---|---|
| Identity | Admin role membership, Conditional Access state, key sign-in findings |
| Mail | Mailbox forwarding checks, mailbox audit hits where relevant, message trace for investigations |
| Devices | Intune compliance view, update visibility, Defender coverage |
| Collaboration | Guest access controls, external sharing settings, notable exceptions |
| Audit | Purview Audit searches and exported CSV where needed |
The point is not to export everything. The point is to know where proof comes from before you need it.
What makes evidence credible
These rules are simple, but they save a lot of pain:
- Put a date on every export.
- Record the tenant and scope.
- Keep the search criteria or command used.
- Note the owner of the control.
- Explain exceptions in plain language.
That last one matters. A dated exception with a named owner is evidence of control. An unexplained gap is just a gap.
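The five rules above are easy to state and easy to forget under pressure, so it helps to bake them into the export itself. The function below is an added example, not code from the original note: every CSV it writes gets a sidecar JSON manifest carrying the UTC timestamp, tenant, scope, the exact command run, the named owner and any plain-language exception, plus a SHA-256 of the file so a reviewer can confirm the copy they hold is the one produced. The function name, manifest layout and folder layout are this example's own; the sample call at the end assumes an existing Connect-ExchangeOnline session and uses (Get-OrganizationConfig).Name as the tenant label.

```powershell
# Added example, not from the original note. Wraps an export so each file carries the
# date, tenant, scope, command, owner and exception text that make evidence credible.
# Names below (Export-EvidenceItem, manifest keys, folder layout) are this example's own.

function Export-EvidenceItem {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $Area,      # identity | mail | devices | collaboration | audit
        [Parameter(Mandatory)] [string]   $Name,      # short label, becomes the file name
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Data,   # rows to export
        [Parameter(Mandatory)] [string]   $Tenant,    # tenant name or ID, recorded verbatim
        [Parameter(Mandatory)] [string]   $Scope,     # e.g. "all user mailboxes", "Global Admins only"
        [Parameter(Mandatory)] [string]   $Command,   # the exact command or portal search used
        [Parameter(Mandatory)] [string]   $Owner,     # named owner of this control area
        [string] $Exception = 'none',                 # plain-language note on any known gap
        [string] $Root = (Join-Path $PWD 'evidence')
    )

    # UTC stamp so the export lines up with audit record timestamps, which are UTC too.
    $stamp  = (Get-Date).ToUniversalTime().ToString('yyyyMMddTHHmmssZ')
    $folder = Join-Path $Root $Area
    New-Item -ItemType Directory -Path $folder -Force | Out-Null

    $csv = Join-Path $folder "$Name-$stamp.csv"
    $Data | Export-Csv -Path $csv -NoTypeInformation -Encoding UTF8

    # Hash the export so the file handed to an assessor can be matched to this manifest.
    $hash = (Get-FileHash -Path $csv -Algorithm SHA256).Hash

    $manifest = [ordered]@{
        area       = $Area
        name       = $Name
        exportedAt = $stamp
        tenant     = $Tenant
        scope      = $Scope
        command    = $Command
        owner      = $Owner
        rows       = @($Data).Count
        file       = Split-Path $csv -Leaf
        sha256     = $hash
        exception  = $Exception
    }
    $manifest | ConvertTo-Json |
        Set-Content -Path ($csv -replace '\.csv$', '.json') -Encoding UTF8

    return [pscustomobject]$manifest
}

# Sample call (assumes Connect-ExchangeOnline has already been run): capture the
# forwarding state of every user mailbox. The query is kept as a script block so the
# text stored in the manifest is exactly what was executed, with no Invoke-Expression.
$query = {
    Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
        Select-Object UserPrincipalName, ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward
}
$rows = & $query
Export-EvidenceItem -Area 'mail' -Name 'mailbox-forwarding' -Data $rows `
    -Tenant (Get-OrganizationConfig).Name -Scope 'all user mailboxes' `
    -Command $query.ToString().Trim() -Owner 'Mail control owner (replace with a name)'
```

Keeping the command string next to the data is what lets someone re-run the check six months later and get a comparable answer; the hash is cheap insurance against the "which version of this CSV is the real one" argument.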
Searches worth knowing
For Microsoft 365, a handful of audit searches come up again and again:
- Sign-in activity around suspicious access.
- Inbox rule and forwarding changes.
- Admin changes to connectors, permissions, or policies.
- File sharing and access activity for a specific user or site.
- Device and incident activity tied to a known timeline.
One practical habit helps here: search broadly first, then narrow down. Microsoft says not to over-filter the initial audit review when investigating a suspected compromise. That is good advice. People often start too narrow and miss the shape of the event.
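The broad-then-narrow habit in practice, as an added example that is not part of the original note: one unfiltered pull of everything the account did in the window, a quick look at the shape of it (which record types and operations, how many), and only then two narrow cuts from the same data for inbox rule and forwarding changes and for sign-ins. It assumes the ExchangeOnlineManagement module, an existing Connect-ExchangeOnline session with audit search rights, and the cmdlet's documented -SessionCommand ReturnLargeSet paging; the user, window and output folder are placeholders.

```powershell
# Added example, not from the original note. Assumes an Exchange Online session and the
# Search-UnifiedAuditLog cmdlet from ExchangeOnlineManagement. Check the paging pattern
# against the module version you run; $user, the window and $out are placeholders.

$user  = 'someone@contoso.example'                 # account under investigation (placeholder)
$end   = (Get-Date).ToUniversalTime()
$start = $end.AddDays(-30)                         # stay inside the Audit (Standard) 180-day window
$out   = Join-Path $PWD 'evidence\audit'
New-Item -ItemType Directory -Path $out -Force | Out-Null

# Step 1: broad. Everything for this user, no Operations or RecordType filter. A single
# call returns at most 5,000 rows, so page through with a session ID until nothing comes back.
$session = [guid]::NewGuid().ToString()
$all = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end -UserIds $user `
        -SessionId $session -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($page) { $all += $page }
} while ($page)

# See the shape of the activity before filtering anything out.
$all | Group-Object RecordType, Operations | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Flatten the JSON in AuditData into one row per event. Field names differ by workload:
# ClientIP for sign-ins and admin cmdlets, ClientIPAddress for mailbox actions.
$events = foreach ($r in $all) {
    $d = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        TimeUtc    = $r.CreationDate
        RecordType = $r.RecordType
        Operation  = $r.Operations
        ClientIP   = if ($d.ClientIP) { $d.ClientIP } else { $d.ClientIPAddress }
        Result     = $d.ResultStatus
        Parameters = if ($d.Parameters) {
            ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
        } else { '' }
    }
}

# Step 2: narrow. Inbox rule and forwarding changes first, then sign-ins, from the same pull.
$ruleOps = 'New-InboxRule', 'Set-InboxRule', 'Enable-InboxRule', 'Remove-InboxRule', 'UpdateInboxRules'
$mailChanges = $events | Where-Object {
    $_.Operation -in $ruleOps -or
    ($_.Operation -eq 'Set-Mailbox' -and $_.Parameters -match 'Forwarding|DeliverToMailboxAndForward')
}
$signIns = $events | Where-Object { $_.Operation -in 'UserLoggedIn', 'UserLoginFailed' }

# Save the rows and, alongside them, the criteria that produced them.
$mailChanges | Export-Csv (Join-Path $out 'mail-changes.csv') -NoTypeInformation -Encoding UTF8
$signIns     | Export-Csv (Join-Path $out 'sign-ins.csv')     -NoTypeInformation -Encoding UTF8
@"
Broad search: Search-UnifiedAuditLog -StartDate $start -EndDate $end -UserIds $user (no operation filter)
Narrowed to: $($ruleOps -join ', '); Set-Mailbox with forwarding parameters; UserLoggedIn; UserLoginFailed
Rows: total $($all.Count), mail changes $(@($mailChanges).Count), sign-ins $(@($signIns).Count)
Run at (UTC): $($end.ToString('o'))
"@ | Set-Content (Join-Path $out 'criteria.txt') -Encoding UTF8
```

The grouped view is the part people skip. Seeing, say, a burst of UpdateInboxRules next to UserLoggedIn from an unfamiliar IP tells you where to narrow; starting with an operation filter would have hidden whichever of those you did not think to ask for.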
Where teams still get caught out
The common problems are not exotic:
| Problem | Why it hurts |
|---|---|
| Logs exist but nobody knows how to search them | Time is lost at exactly the wrong moment |
| Mailbox auditing is assumed, not checked | Specific mailbox evidence goes missing when needed |
| Evidence is saved as screenshots only | Harder to review and defend later |
| No retention awareness | By the time someone asks, the useful window may be gone |
| Ownership is vague | Everyone assumes someone else has the export |
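Two of those rows, mailbox auditing that is assumed rather than checked and no awareness of the retention window, can be turned into a check that takes a minute and leaves an export behind. The following is an added example, not code from the original note. It assumes an existing Connect-ExchangeOnline session; the function names and the shape of the summary object are this example's own, and the 180-day figure is the Audit (Standard) retention stated above, so adjust it if your tenant has Audit (Premium).

```powershell
# Added example, not from the original note. Verifies mailbox auditing at org and mailbox
# level, lists accounts that bypass audit logging, and tells you whether a date you need
# is still inside the audit retention window. Assumes an Exchange Online session.

function Test-MailboxAuditState {
    # Org-level switch. AuditDisabled = $false means "mailbox auditing on by default" is on.
    $org = Get-OrganizationConfig | Select-Object Name, AuditDisabled

    # Per-mailbox view. The org default is what turns auditing on; export the mailbox flag
    # and age limit anyway, because assessors ask for it and custom age limits show up here.
    $boxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox |
        Select-Object UserPrincipalName, RecipientTypeDetails, AuditEnabled, AuditLogAgeLimit

    # Accounts whose actions are excluded from mailbox audit logging. Anything listed here
    # is an exception that needs a named owner and a written reason.
    $bypass = Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
        Where-Object { $_.AuditBypassEnabled } |
        Select-Object Name, AuditBypassEnabled

    # AuditLogAgeLimit comes back as an Exchange time span; go via string to compare it.
    $short = $boxes | Where-Object {
        [timespan]"$($_.AuditLogAgeLimit)" -lt [timespan]'90.00:00:00'
    }

    [pscustomobject]@{
        Tenant         = $org.Name
        OrgAuditOn     = -not $org.AuditDisabled
        MailboxCount   = @($boxes).Count
        AuditOffCount  = @($boxes | Where-Object { -not $_.AuditEnabled }).Count
        ShortAgeLimit  = @($short | ForEach-Object UserPrincipalName)
        BypassAccounts = @($bypass | ForEach-Object Name)
        CheckedAtUtc   = (Get-Date).ToUniversalTime().ToString('o')
        Mailboxes      = $boxes      # keep the raw rows so they can be exported as evidence
    }
}

function Test-AuditWindow {
    # Is a date you need to evidence still inside the unified audit log retention window,
    # and how many days are left before it ages out? Default is Audit (Standard) at 180 days.
    param(
        [Parameter(Mandatory)] [datetime] $Needed,
        [int] $RetentionDays = 180
    )
    $oldest = (Get-Date).ToUniversalTime().AddDays(-$RetentionDays)
    [pscustomobject]@{
        NeededUtc       = $Needed.ToUniversalTime()
        OldestAvailable = $oldest
        Covered         = $Needed.ToUniversalTime() -ge $oldest
        DaysUntilLost   = [math]::Floor(($Needed.ToUniversalTime() - $oldest).TotalDays)
    }
}

# Sample run: summarise audit state, export the mailbox rows, and check a date that
# an assessor or investigator has asked about (placeholder date).
$state = Test-MailboxAuditState
$state | Select-Object Tenant, OrgAuditOn, MailboxCount, AuditOffCount, ShortAgeLimit, BypassAccounts, CheckedAtUtc
$state.Mailboxes | Export-Csv (Join-Path $PWD "mailbox-audit-$($state.CheckedAtUtc -replace '[:.]', '')) .csv".Replace(' ', '')) -NoTypeInformation -Encoding UTF8
Test-AuditWindow -Needed (Get-Date '2026-01-15')
```

If Covered comes back false, no amount of searching will bring the records back; that is the moment to say so in writing, with a named owner, rather than letting the gap surface during assessment week.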
That is why I prefer evidence owners per control area. One person for identity, one for mail, one for endpoint, one for collaboration. Not because it is corporate theatre, but because it stops last-minute confusion.