CISA.MS.EXO.17.3 - Audit logs SHALL be maintained for at least the minimum duration dictated by OMB M-21-31 (Appendix C).
Overview
Audit logs SHALL be maintained for at least the minimum duration dictated by OMB M-21-31 (Appendix C).
Rationale: Audit logs may no longer be available when needed if they are not retained for a sufficient time. Increased log retention time gives an agency the necessary visibility to investigate incidents that occurred some time ago. OMB M-21-31, Appendix C, Table 5 specifically calls out Unified Audit Logs in the Cloud Azure log category.
Remediation action:
If the default retention policy is not sufficient for agency needs, follow the "Create an audit log retention policy" instructions to create one or more custom audit retention policies. Ensure the duration selected in the retention policies is at least one year, in accordance with OMB M-21-31.
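The following added example (not Maester's test code and not from the CISA baseline) flags custom retention policies whose duration is below one year, since one short policy can undercut retention for the records it covers. The function name `Find-ShortRetentionPolicy`, the day counts, and the sample policies are assumptions made for illustration; the property names assume the objects returned by `Get-UnifiedAuditLogRetentionPolicy`.

```powershell
# Added example: hypothetical helper, not part of Maester or the CISA baseline.
# Approximate day counts for the RetentionDuration values accepted by
# New-UnifiedAuditLogRetentionPolicy (day counts are an assumption for comparison only).
$DurationDays = @{
    SevenDays = 7; OneMonth = 30; ThreeMonths = 90; SixMonths = 180; NineMonths = 270
    TwelveMonths = 365; ThreeYears = 1095; FiveYears = 1825; SevenYears = 2555; TenYears = 3650
}

function Find-ShortRetentionPolicy {
    param(
        [Parameter(Mandatory)] [object[]] $Policy,
        [int] $MinimumDays = 365   # one year, per the remediation text
    )
    foreach ($p in $Policy) {
        $name = [string]$p.RetentionDuration
        $days = if ($DurationDays.ContainsKey($name)) { $DurationDays[$name] } else { $null }

        # Unknown durations are reported too, so a new or misspelled value
        # is reviewed by a person instead of passing silently.
        if ($null -eq $days) {
            $reason = 'Unrecognized duration, review manually'
        } elseif ($days -lt $MinimumDays) {
            $reason = "Below the $MinimumDays-day minimum"
        } else {
            continue
        }
        [pscustomobject]@{
            Name              = $p.Name
            Priority          = $p.Priority
            RetentionDuration = $name
            Reason            = $reason
        }
    }
}

# Constructed sample policies (not real tenant data) so the example runs offline.
$samplePolicies = @(
    [pscustomobject]@{ Name = 'All-Activity-1y';   Priority = 100; RetentionDuration = 'TwelveMonths' }
    [pscustomobject]@{ Name = 'SharePoint-90d';    Priority = 50;  RetentionDuration = 'ThreeMonths' }
    [pscustomobject]@{ Name = 'Exchange-LongTerm'; Priority = 10;  RetentionDuration = 'TenYears' }
)

Find-ShortRetentionPolicy -Policy $samplePolicies | Format-Table -AutoSize

# Against a live tenant, after connecting with Connect-IPPSSession:
# Find-ShortRetentionPolicy -Policy (Get-UnifiedAuditLogRetentionPolicy)
```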
Related links
Test Metadata
| Field | Value |
|---|---|
| Test ID | CISA.MS.EXO.17.3 |
| Severity | Medium |
| Suite | CISA |
| Category | exchange |
| PowerShell test | Test-MtCisaAuditLogRetention |
| Tags | CISA, CISA.MS.EXO.17.3, MS.EXO, MS.EXO.17.3 |
Source
- Pester test: tests/cisa/exchange/Test-MtCisaAuditLogRetention.Tests.ps1
- PowerShell source: powershell/public/cisa/exchange/Test-MtCisaAuditLogRetention.ps1