Comprehensive IT logging solutions can save the day
Alastair Struthers
Originally posted on July 21, 2025
Last updated on July 25, 2025
How do you identify when someone's gained access to your company's systems? And how do you unpick what they did?
Logging is a vitally important aspect of IT that many people overlook. Until recently, logging has primarily been used to unpick what happened after a cyber attack, but with modern tools, logs can be monitored in real time to identify attacks as they happen, or even catch them when they're still being set up, allowing you to stop them in their tracks.
- What is a log?
- Who needs logs?
- What logs should be kept?
- Why are logs important before a cyber attack?
- Why are logs important after a cyber attack?
- What logging does Microsoft provide?
- Third-Party SIEM & SOAR Solutions
What is a log?
In the context of IT, a log is a record of events that occur within a computer system or network.
Logs are files that capture a wide array of data points, such as user activity, system performance, and security incidents.
These records are crucial for monitoring, troubleshooting, and ensuring the security of IT environments.
Who needs logs?
Logs are essential for a variety of stakeholders within an organisation. IT administrators rely on logs to monitor system performance and diagnose issues. Security teams use logs to detect and investigate potential breaches or malicious activities. Compliance officers need logs to ensure that the organisation adheres to regulatory requirements.
Additionally, business executives may review logs through a platform like Microsoft's Viva Insights to gain insights into operational efficiency and to make informed decisions.
Essentially, anyone involved in maintaining, securing, or optimising IT infrastructure can benefit from comprehensive logging.
What logs should be kept?
The types of logs that should be kept can vary depending on the organisation's needs and regulatory requirements. However, some common types of logs include:
1. Login attempts: Monitoring successful and failed login attempts helps in identifying unauthorised access attempts and potential brute-force attacks.
2. File access: Keeping track of who accessed, modified, or deleted files is crucial for data integrity and security.
3. Software installs: Logs of software installations can help in managing software licenses and ensuring that only authorised software is installed.
4. Network traffic: Monitoring network traffic logs can help in identifying unusual or malicious activities within the network.
5. Denial of access: Logs of denied access attempts can provide insights into potential security threats and help in refining access control policies.
Why are logs important BEFORE a cyber attack?
With the advent of AI-powered analytics, IT logs have transformed from passive records into proactive security tools.
Services called SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) have been developed to continuously analyse logs in real time, and detect unusual patterns or deviations from established user and system behaviours, such as unexpected access times, unusual data transfers, or irregular login locations.
Together, this intelligent monitoring enables organisations to quickly spot subtle indicators of a potential breach or the early stages of a cyber attack, often before any damage occurs.
Automated alerts and response mechanisms can be triggered in response to suspicious activity, halting threats in their tracks.
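To make the baseline-and-deviation idea concrete, here is an added example (not from the original post, and not any SIEM vendor's detection logic): a small Python detector run over a handful of constructed sign-in records, which flags successful sign-ins from a country or at an hour the user has never used before, bursts of failed logins, and a success that follows such a burst. The record layout, the users, the cut-off date and the thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in records (user, timestamp, country, result); not real data.
SIGNINS = [
    ("alice", "2025-07-14T09:05:00", "GB", "ok"),
    ("alice", "2025-07-15T10:30:00", "GB", "ok"),
    ("alice", "2025-07-21T03:12:00", "RU", "ok"),   # off-hours and from a new country
    ("bob", "2025-07-14T08:50:00", "GB", "ok"),
    ("bob", "2025-07-15T11:15:00", "GB", "ok"),
    ("bob", "2025-07-21T11:00:00", "GB", "fail"),
    ("bob", "2025-07-21T11:00:20", "GB", "fail"),
    ("bob", "2025-07-21T11:00:40", "GB", "fail"),
    ("bob", "2025-07-21T11:01:00", "GB", "fail"),
    ("bob", "2025-07-21T11:02:00", "GB", "ok"),     # success straight after a burst of failures
]
CUTOFF = datetime(2025, 7, 21)  # earlier sign-ins train the baseline; later ones are analysed

def build_baseline(records, before):
    """Learn each user's usual sign-in hours and countries from successful sign-ins before `before`."""
    baseline = defaultdict(lambda: {"hours": set(), "countries": set()})
    for user, ts, country, result in records:
        t = datetime.fromisoformat(ts)
        if result == "ok" and t < before:
            baseline[user]["hours"].add(t.hour)
            baseline[user]["countries"].add(country)
    return baseline

def detect(records, baseline, since, fail_threshold=4, window_s=120):
    """Return (user, timestamp, reason) alerts for sign-ins at or after `since`."""
    alerts, failures = [], defaultdict(list)  # failures: user -> timestamps of recent failures
    for user, ts, country, result in records:
        t = datetime.fromisoformat(ts)
        if t < since:
            continue
        if result == "fail":  # keep only failures inside the sliding window, then count them
            failures[user] = [f for f in failures[user] if (t - f).total_seconds() <= window_s] + [t]
            if len(failures[user]) == fail_threshold:
                alerts.append((user, ts, "failed-login-burst"))
            continue
        b = baseline[user]  # an unseen user has an empty baseline, so everything about them is unusual
        usual_hours = {(h + d) % 24 for h in b["hours"] for d in (-1, 0, 1)}  # an hour's slack either side
        if country not in b["countries"]:
            alerts.append((user, ts, "new-country"))
        if t.hour not in usual_hours:
            alerts.append((user, ts, "off-hours"))
        if failures[user] and (t - failures[user][-1]).total_seconds() <= window_s:
            alerts.append((user, ts, "success-after-burst"))
    return alerts
```

Running `detect(SIGNINS, build_baseline(SIGNINS, CUTOFF), CUTOFF)` yields four alerts: two for alice's 03:12 sign-in from a new country, one when bob's fourth failure lands inside the two-minute window, and one for the success that follows it.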
IT teams can use these logs to identify, and subsequently close, any holes that allowed the attempted attack in the first place.
It's also worth noting that logging may be required to comply with regulatory reporting requirements around security incidents in certain industries, or to qualify for insurance.
By leveraging comprehensive logging and AI-driven insights, businesses can shift from reacting to attacks after the fact to actively preventing them, significantly boosting their overall cyber resilience.
Why are logs important AFTER a cyber attack?
After a cyber attack, logs become a critical resource for understanding what happened. They can provide detailed timelines of the attack, showing exactly how the cybercriminals gained access and what actions they took once inside the system.
By scouring the logs after an event, companies can:
- Identify the scope of the attack. This is particularly useful in corroborating (or disproving) claims that an attacker has stolen data and is going to release it. Logs can prove pretty conclusively when data has, or hasn't been exfiltrated (stolen!) from your systems.
- Identify the vulnerabilities exploited or the method used to access a system (unpatched software, social engineering, etc.), which means that IT teams can address those with better security, better processes, or training.
- Aid with insurance investigations after an incident. Sometimes insurance companies make logging a requirement of cover, so without it, your policy may not be valid (it's worth checking your cyber insurance cover to make sure you are complying with all of its requirements.)
- Aid with legal or criminal investigations resulting from breaches.
What logging does Microsoft provide?
Microsoft offers logging capabilities that can help organisations monitor and secure their environments. It provides logs for a wide range of activities, including:
- Audit Logs (user and admin activity across services like Exchange, SharePoint, Teams, Azure AD)
- Sign-in Logs (Azure AD sign-in activity)
- Provisioning Logs (automated identity provisioning events, e.g., from HR systems)
- Mailbox Audit Logs (email access and actions)
- Compliance Logs (eDiscovery, DLP, retention, etc.)
There are two main areas of logging in the Microsoft environment:
- Microsoft 365 Logging
- Microsoft Entra ID logging
The primary difference between the two is that Microsoft 365 logs cover broad service activity (e.g., file access, mailbox actions, Teams usage), while Entra ID logs are more identity and access-focused.
The retention period for logs varies with the licences that you use, but generally Microsoft 365 logs are retained for 90 days on most business licences.
Azure log retention is a bit more complicated.
To get any sort of useful functionality from these logs, you need at least an Entra P1 licence, which is included within Business Premium. The various retention periods for logs are shown below for the three standard tiers of Entra ID licences.
License | Entra Sign-in Logs | Entra Audit Logs | Microsoft Authentication Logs | Risky Sign-in Logs |
---|---|---|---|---|
Free (e.g., F3, Business Basic) | 7 days | 7 days | 90 days | 7 days |
P1 (e.g., Business Premium) | 30 days | 30 days | 90 days | 30 days |
P2 (e.g., E5) | 30 days (extendable) | 30 days (extendable) | 30 days (extendable) | 90 days |
Third-Party SIEM & SOAR Solutions
While Microsoft 365 provides comprehensive logging capabilities, integrating third-party SIEM solutions can offer additional benefits.
Third-party SIEM solutions can aggregate logs from various sources, including on-premises systems, cloud services, and network devices, giving a much more comprehensive overview of your digital world and helping identify threats no matter where they are.
SOAR solutions can sit on top of this and make use of these logs in real time. By monitoring logs for changes in behaviour, they can identify abnormalities that may indicate a compromise of your systems or even a single user account. SOAR systems can then take action by isolating a device, or blocking access to a user account to cut a criminal off before they can do any damage.
It is worth being aware that there are still many cloud services (like Xero) that don't currently integrate with SIEMs. This means that even with the best will in the world, you might not be able to aggregate logs from every source you have just yet.
What next...?
Comprehensive logging is essential for maximising both security and compliance within an organisation. By keeping detailed logs of all relevant activities, organisations can ensure they have the information needed to detect and respond to security incidents promptly.
Additionally, thorough logging helps in meeting regulatory requirements, as many data protection laws mandate the retention of specific types of logs for set periods. Implementing a robust logging strategy, leveraging Microsoft 365's capabilities, and integrating third-party SIEM solutions can provide unparalleled security and compliance benefits.
If you'd like to discuss implementing logging for your business, get in touch with our Edinburgh-based experts who provide IT services across the whole of Scotland.