During an incident, the first question is usually “what happened?”—and the second is “do we still have the logs?” If you’ve ever tried to reconstruct a timeline from partial records, you know the pain: a VPN log that rolled over last week, a mailbox audit trail that was never turned on, a firewall that only keeps 7 days of events, and an endpoint that was reimaged before anyone exported telemetry.
Log retention is not a “buy more storage” problem. It’s a strategy problem. You want enough visibility to detect suspicious activity early, investigate decisively when something goes wrong, and satisfy audit/insurance expectations—without collecting more personal data than you need or building an expensive SIEM that no one maintains.
This guide lays out what to collect, how long to keep it, and how to do it cost-effectively across Microsoft 365, endpoints, and network devices. We’ll also cover privacy and access controls, and how to scale retention as your organization matures.
Before you decide “90 days or 1 year,” be clear about the outcomes you need from logs. Most logging programs fail because they try to do everything, everywhere, all at once. Better is to map log sources and retention to three distinct use cases:
Detection is about spotting suspicious behavior fast enough to contain it. This use case prioritizes timely ingestion, normalization, and alerting. Retention requirements can be shorter, but data needs to be searchable quickly.
Examples:
Investigation is about answering “who did what, when, and from where?” after an alert, user report, or third-party notice. The lookback window is often longer than you expect. Many intrusions are discovered weeks or months after initial access, and the “interesting” event might be far earlier than the day you found it.
Examples:
Compliance may require retention for specific systems, data types, or events. Even when you’re not regulated, cyber insurance questionnaires and customer contracts increasingly ask about log retention, monitoring, and incident response capability.
Examples:
A practical approach: start with investigation as your anchor. If you can investigate well, detection typically improves (because you learn what “bad” looks like in your environment), and compliance becomes easier (because you can produce evidence). Investigation, however, is the most retention-hungry use case. That’s why the retention strategy should begin by deciding how far back you realistically need to go to answer hard questions.
A simple planning question:
If you learned today that an attacker had access three months ago, could you prove what they touched?
If the answer is “not really,” your retention window and/or collection coverage is too small.
You don’t need every log from every source. You need the right logs from the right systems—especially the systems that represent identity, administrative control, and outbound connectivity. Those three areas show up in the majority of real-world investigations.
Identity and access (highest priority)
Administrative changes (high priority)
Endpoint telemetry (high priority)
Network egress and access (high priority)
Why these categories matter: Identity and admin actions tell you how access was obtained and escalated. Endpoint telemetry tells you what was executed and how persistence was established. Network egress and DNS tell you where compromised systems communicated (command-and-control, data exfiltration) and whether you have beaconing or unusual destinations.
If you do nothing else, prioritize: Microsoft 365 / Entra ID sign-in and audit logs, mailbox and admin actions, EDR telemetry on all endpoints, firewall and DNS logs for outbound connections, and VPN/auth logs.
“When the question is ‘what happened?’ your logs are the only reliable timeline.”
For many SMB and mid-market organizations, Microsoft 365 is the “control plane” of the business: identity (Entra ID), email, collaboration, and file storage. If you don’t have strong M365 logging, investigations become guesswork.
Start with the core: unified audit logging and identity sign-ins. In practice, investigations frequently hinge on these questions: Was the account compromised via password spray, MFA fatigue, token theft, or legacy auth? What administrative actions were taken after access? What data was accessed or exported?
Key practices: Ensure audit logging is enabled and retention is appropriate for your licensing and needs. Centralize collection (SIEM or log platform) so you’re not depending on portal-only lookups during an incident. Capture both successful and failed authentication events—failed events often show the intrusion attempt pattern before success.
Three M365 investigation “greatest hits” show up repeatedly:
1) Mailbox forwarding, inbox rules, and transport rules
Attackers love email rules because they are quiet, durable, and effective.
Retention matters because these changes might have happened long before you noticed suspicious activity.
2) OAuth app consents and malicious applications
Attackers can obtain persistent access via OAuth app consent grants or by compromising an application registration and using its permissions.
3) Privileged admin actions and security setting changes
If an attacker gains admin privileges, they may disable security controls or create backdoors.
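The three "greatest hits" above can be triaged mechanically once the audit events are centralized. The script below is an added example, not code from the original post or from any vendor: it parses a small constructed export (JSON objects loosely modeled on the unified audit log shape, with cmdlet parameters as Name/Value pairs), labels records that set up mail forwarding, delete mail from a rule, grant OAuth consent, or change role membership, and then shows the retention point from the text by computing which of those findings would already have aged out of a 30-day versus a 90-day window when the incident is discovered. The field names and operation strings are assumptions for the example; tune them to what your tenant actually emits.

```python
import json
from datetime import datetime

# Constructed sample records, loosely modeled on the JSON shape of a unified
# audit log export (one object per event, cmdlet parameters as Name/Value
# pairs). The exact schema and the operation names below are assumptions
# for this example; tune them to what your tenant actually emits.
SAMPLE_EXPORT = json.dumps([
    {"CreationTime": "2024-03-02T09:14:00", "Operation": "New-InboxRule",
     "UserId": "alice@example.test", "ClientIP": "198.51.100.7",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "drop@attacker.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2024-03-02T09:20:00", "Operation": "Set-Mailbox",
     "UserId": "alice@example.test", "ClientIP": "198.51.100.7",
     "Parameters": [{"Name": "Identity", "Value": "alice"},
                    {"Name": "ForwardingSmtpAddress",
                     "Value": "smtp:drop@attacker.example"}]},
    {"CreationTime": "2024-03-10T11:00:00", "Operation": "Consent to application.",
     "UserId": "alice@example.test", "ClientIP": "198.51.100.7",
     "Parameters": []},
    {"CreationTime": "2024-04-20T15:45:00", "Operation": "New-InboxRule",
     "UserId": "bob@example.test", "ClientIP": "203.0.113.5",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Archive"}]},
])

# Parameter names that send mail somewhere else, whether on an inbox rule,
# a transport rule, or the mailbox itself.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox",
                   "New-TransportRule", "Set-TransportRule"}
CONSENT_OPERATIONS = {"Consent to application.",
                      "Add app role assignment grant to user."}
PRIVILEGE_OPERATIONS = {"Add member to role."}


def parse_export(text):
    """Load an exported list of audit records (a JSON array)."""
    return json.loads(text)


def params(record):
    """Flatten the Name/Value parameter list into a plain dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def classify(record):
    """Labels describing why a record matters for an investigation (empty = nothing notable)."""
    op = record["Operation"]
    p = params(record)
    labels = []
    if op in RULE_OPERATIONS:
        if FORWARDING_PARAMS & p.keys():
            labels.append("mail-forwarding")
        if p.get("DeleteMessage", "").lower() == "true":
            labels.append("rule-deletes-mail")
    if op in CONSENT_OPERATIONS:
        labels.append("oauth-consent")
    if op in PRIVILEGE_OPERATIONS:
        labels.append("role-change")
    return labels


def triage(records):
    """(time, user, operation, labels) for every record worth a look, oldest first."""
    out = []
    for r in records:
        labels = classify(r)
        if labels:
            out.append((r["CreationTime"], r["UserId"], r["Operation"], labels))
    return sorted(out)


def lost_to_retention(findings, discovered_on, retention_days):
    """Findings that would already have aged out of a retention window
    by the day the incident is discovered."""
    discovered = datetime.fromisoformat(discovered_on)
    return [f for f in findings
            if (discovered - datetime.fromisoformat(f[0])).days > retention_days]


if __name__ == "__main__":
    findings = triage(parse_export(SAMPLE_EXPORT))
    for f in findings:
        print(*f)
    for days in (30, 90):
        lost = lost_to_retention(findings, "2024-04-25T00:00:00", days)
        print(f"findings already gone with {days}-day retention: {len(lost)}")
```

With the constructed data, Alice's forwarding rule, mailbox forwarding and app consent all predate the April discovery by more than 30 days, so a 30-day window loses every one of them while a 90-day window keeps them all; Bob's move-to-folder rule produces no label at all, which is the kind of noise a triage pass should leave alone.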
Because identity and admin events are so central, you typically want to retain them longer than other sources. Even if your SIEM budget is limited, consider at least archiving raw identity and audit events (compressed, encrypted) for a longer lookback.
Endpoints remain a primary battleground. Even in cloud-first organizations, attackers often aim to run code on endpoints to steal tokens, capture credentials, pivot laterally, and access data.
If you have EDR (Endpoint Detection and Response), you have your best shot at “what ran on the system?” For investigation, the most valuable EDR data generally includes:
Retention is not just about the EDR console. Some EDR platforms retain detailed telemetry for a limited period, then summarize. If you need a longer lookback, you may need to export to a log platform or archive. The difference between “we saw an alert” and “we can prove the timeline” often hinges on whether the detailed events were retained.
If you don’t have an EDR platform, or if you want richer Windows event data, Sysmon can help—but it must be deployed thoughtfully. Sysmon can generate high-volume events quickly. A misconfigured Sysmon deployment can overwhelm storage and create noise, while still missing the events you actually need.
For many organizations, EDR is the better starting point. EDR tends to provide curated, investigation-friendly data and detections. Sysmon is a powerful supplement, especially for deeper Windows telemetry, but it requires more operational maturity.
Network logs are your “where did it go?” visibility. Even in a world of encrypted traffic, outbound destination, timing, and authentication records are essential for understanding command-and-control, data exfiltration, and remote access.
Why NAT matters: During an investigation, you may need to map a suspicious public IP observed in cloud logs or a third-party alert back to an internal device. Without NAT logs (or equivalent), you may not be able to confidently identify the originating host.
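Mapping a public IP back to an internal host is a time-bounded lookup, not a static one: with port address translation the same public port is reused by different internal hosts over the day. The following is an added example (not the post's or any firewall vendor's code) using a constructed NAT log in an assumed build/teardown line format. It pairs build and teardown lines into sessions and answers "which internal host owned this public IP:port at this moment?", converting an alert timestamp that carries its own UTC offset into the firewall's UTC clock first, since mismatched time zones are the most common reason such lookups come back empty or wrong.

```python
import re
from datetime import datetime, timezone

# Constructed NAT translation log. The line format is an assumption for this
# example (firewalls differ); the point is that a build/teardown pair gives a
# session with a time span, and that the public port is reused over time.
SAMPLE_NAT_LOG = """\
2024-04-20T14:02:11Z NAT build tcp 10.0.5.23:51234 -> 203.0.113.10:40021 dst 192.0.2.45:443
2024-04-20T14:09:40Z NAT teardown tcp 10.0.5.23:51234 -> 203.0.113.10:40021 dst 192.0.2.45:443
2024-04-20T15:20:05Z NAT build tcp 10.0.7.8:60002 -> 203.0.113.10:40021 dst 192.0.2.45:443
2024-04-20T15:41:30Z NAT teardown tcp 10.0.7.8:60002 -> 203.0.113.10:40021 dst 192.0.2.45:443
2024-04-20T16:00:00Z NAT build tcp 10.0.9.1:44100 -> 203.0.113.10:40022 dst 198.51.100.60:443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) NAT (?P<event>build|teardown) (?P<proto>\w+) "
    r"(?P<int_ip>[\d.]+):(?P<int_port>\d+) -> (?P<pub_ip>[\d.]+):(?P<pub_port>\d+) "
    r"dst (?P<dst_ip>[\d.]+):(?P<dst_port>\d+)$")


def parse_fw_time(s):
    """Firewall timestamps in this constructed log are always UTC ('Z')."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_alert_time(s):
    """Alert timestamps (cloud console, third-party notice) often carry a local
    offset; normalize to UTC. A naive timestamp is assumed to be UTC here."""
    t = datetime.fromisoformat(s)
    if t.tzinfo is None:
        t = t.replace(tzinfo=timezone.utc)
    return t.astimezone(timezone.utc)


def load_sessions(text):
    """Pair build/teardown lines into sessions keyed by the translated tuple."""
    open_sessions, sessions = {}, []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; in production, count and report these
        key = (m["proto"], m["pub_ip"], int(m["pub_port"]), m["dst_ip"], int(m["dst_port"]))
        ts = parse_fw_time(m["ts"])
        if m["event"] == "build":
            open_sessions[key] = {
                "proto": m["proto"], "public_ip": m["pub_ip"], "public_port": int(m["pub_port"]),
                "dst_ip": m["dst_ip"], "dst_port": int(m["dst_port"]),
                "internal_ip": m["int_ip"], "internal_port": int(m["int_port"]),
                "start": ts, "end": None}
        else:
            s = open_sessions.pop(key, None)
            if s is not None:
                s["end"] = ts
                sessions.append(s)
    sessions.extend(open_sessions.values())  # still open at the end of the log
    return sessions


def attribute(sessions, public_ip, public_port, observed_at, dst_ip=None):
    """Internal IPs that owned public_ip:public_port at observed_at (normally
    zero or one; more than one means overlapping or ambiguous records)."""
    when = parse_alert_time(observed_at)
    return [s["internal_ip"] for s in sessions
            if s["public_ip"] == public_ip and s["public_port"] == public_port
            and (dst_ip is None or s["dst_ip"] == dst_ip)
            and s["start"] <= when and (s["end"] is None or when <= s["end"])]


if __name__ == "__main__":
    sessions = load_sessions(SAMPLE_NAT_LOG)
    # A cloud alert reported 203.0.113.10:40021 at 11:30 US Eastern (UTC-4).
    print(attribute(sessions, "203.0.113.10", 40021, "2024-04-20T11:30:00-04:00"))
```

Note that the 11:30 Eastern observation resolves to 10.0.7.8, not 10.0.5.23, even though both hosts used the same public port that afternoon; a lookup that ignored the session times or the offset would name the wrong machine.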
DNS is one of the most valuable—and underused—sources for investigation. Many malware families and attackers rely on DNS for command-and-control, domain generation algorithms, and initial staging.
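Two of the DNS patterns named above can be surfaced from nothing more than (time, client, queried name) tuples. The script below is an added example written for this article, not the post's own tooling, and it runs over a constructed query log: it flags generated-looking first labels (long, high Shannon entropy, few vowels) and finds clients that resolve the same name on a suspiciously regular interval, using the coefficient of variation of the gaps between queries. The thresholds are assumptions to be tuned against your own baseline; CDN and telemetry hostnames will trip the entropy check until you allow-list them.

```python
import math
from collections import defaultdict
from statistics import mean, pstdev

# Constructed DNS query log: (unix_time, client_ip, queried_name). The field
# set is an assumption; any resolver or firewall DNS log with these three
# fields can be mapped onto it.
BASE = 1_713_600_000
SAMPLE_QUERIES = []
for i, jitter in enumerate([0, 1, -1, 0, 1, -1, 0, 1, -1, 0]):
    # one host resolving the same name roughly every 60 seconds
    SAMPLE_QUERIES.append((BASE + 60 * i + jitter, "10.0.5.23", "telemetry.updates.example"))
for i, t in enumerate([5, 305, 345, 1245, 1257, 2000]):
    # ordinary, irregular browsing from another host
    name = "www.example.test" if i % 2 else "mail.example.test"
    SAMPLE_QUERIES.append((BASE + t, "10.0.9.1", name))
for i, label in enumerate(["xk3j9qv7zt2m", "qzv8l2kp0wtr", "m7b4yhx1cpl9"]):
    # a third host resolving generated-looking names once each
    SAMPLE_QUERIES.append((BASE + 100 * i, "10.0.7.8", f"{label}.example"))


def shannon_entropy(s):
    """Bits of entropy per character of s (0 for empty or single-symbol strings)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def looks_generated(name, min_len=10, min_entropy=3.0, max_vowel_ratio=0.25):
    """Heuristic: long, high-entropy, vowel-poor first label (thresholds assumed)."""
    label = name.split(".")[0].lower()
    if len(label) < min_len:
        return False
    vowel_ratio = sum(label.count(v) for v in "aeiou") / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def flag_dga_like(queries):
    """Distinct (client, name) pairs whose queried name looks machine-generated."""
    return sorted({(host, name) for _, host, name in queries if looks_generated(name)})


def find_beacons(queries, min_queries=6, max_cv=0.1, min_interval=30):
    """(client, name) pairs queried at a near-constant interval."""
    by_pair = defaultdict(list)
    for ts, host, name in queries:
        by_pair[(host, name)].append(ts)
    beacons = []
    for (host, name), times in by_pair.items():
        if len(times) < min_queries:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg < min_interval:
            continue  # very fast repeats are usually caching or retries, not a beacon
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons.append({"host": host, "domain": name, "count": len(times),
                            "mean_interval": round(avg, 1), "cv": round(cv, 3)})
    return beacons


if __name__ == "__main__":
    print("generated-looking:", flag_dga_like(SAMPLE_QUERIES))
    print("beacons:", find_beacons(SAMPLE_QUERIES))
```

On the constructed log the beacon check reports 10.0.5.23 resolving telemetry.updates.example ten times at a mean of 60 seconds with a coefficient of variation near 0.02, and the entropy check reports the three twelve-character labels from 10.0.7.8; the browsing host trips neither. Both checks only work if the DNS log records the querying client, which is why the text treats DNS as an investigation source and not just a resolver health metric.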
VPN logs are not just “did they connect?” They can provide username, source IP, device identifiers, authentication method and MFA status, session times, assigned internal IPs, and reputation signals (depending on platform).
If you use multiple remote access methods (VPN, RDP gateways, ZTNA, SASE), ensure each has logs centralized with consistent retention. Fragmented remote access logging is a common blind spot.
There is no universal “correct” retention period. The right target depends on your risk, regulatory requirements, cyber insurance expectations, and how quickly you realistically detect and respond to incidents.
“A simple blueprint: keep high-value logs searchable longer, and push the rest into secure archive tiers.”
Tier 1: 30–90 days (minimum viable) — investigate only if discovered quickly; higher risk of missing initial access and scope.
Tier 2: 180 days (practical baseline) — supports investigations discovered months later; better correlation across identity/endpoint/network.
Tier 3: 1 year searchable + longer archive — strong capability for regulated/higher-risk orgs; supports annual audits and longer-dwell attacks.
A key point: searchable vs stored. Not all retention needs to be “hot” in a SIEM. Use hot/warm for rapid investigations and cold/archive for longer compliance lookback.
Cold storage enables long retention without paying premium SIEM costs for every event. Keep high-value logs searchable and archive the rest; rehydrate archived data into a searchable environment when needed.
Logs can include sensitive personal data (usernames, IPs, URLs/DNS queries, file names). Apply RBAC, separation of duties, MFA, encryption, and audit trails for log access.
Plan for “incident mode”: preserve logs beyond normal retention when required, export relevant evidence quickly, and document chain-of-custody.
Minimum: 90 days. Practical baseline: 180 days. Strong: 1 year searchable (identity/admin) plus archive beyond. Align with insurance, contracts, and risk.
Start with M365/Entra ID sign-in + audit logs, unified audit logs, EDR telemetry, firewall egress + NAT, DNS queries, and VPN/auth logs. Expand to servers, SaaS, and cloud logs as needed.
Common design: 180 days searchable for identity/admin + key M365 audit events; 90–180 days searchable for endpoint/network (volume-driven); 1–3 years archived for key sources.
Centralize logs, normalize key fields for correlation, and validate time sync and completeness.
Tabletop a compromised account and confirm you can answer initial access, admin changes, mail forwarding, endpoint execution, and outbound destinations. Document gaps and improve.
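The tabletop exercise can be run on paper against the tiered design from the earlier sections before anyone touches a SIEM. The block below is an added example, not part of the original article: it encodes a constructed retention plan (180 days searchable for identity and admin sources, 90 days searchable for endpoint and network sources, with one- and two-year archives, all values chosen within the ranges the text gives and not a recommendation for any specific environment), maps the five tabletop questions to the sources that answer them, and reports, for a given lookback, whether each question is answerable from searchable data, answerable only after rehydrating an archive, or a gap. Source names are assumptions.

```python
# Constructed retention plan: days searchable ("hot") and days kept in
# archive, per source. The numbers sit inside the ranges the text describes;
# the source names are assumptions for this example.
RETENTION = {
    "entra_signin":  {"hot": 180, "archive": 730},
    "m365_audit":    {"hot": 180, "archive": 730},
    "mailbox_audit": {"hot": 180, "archive": 730},
    "edr":           {"hot": 90,  "archive": 365},
    "firewall_nat":  {"hot": 90,  "archive": 365},
    "dns":           {"hot": 90,  "archive": 365},
    "vpn":           {"hot": 90,  "archive": 365},
}

# The tabletop questions from the text, mapped to the sources each one needs.
QUESTIONS = {
    "initial access":        ["entra_signin", "vpn"],
    "admin changes":         ["m365_audit"],
    "mail forwarding":       ["mailbox_audit"],
    "endpoint execution":    ["edr"],
    "outbound destinations": ["firewall_nat", "dns"],
}


def coverage(lookback_days, retention=RETENTION, questions=QUESTIONS):
    """For each question: ('hot' | 'archive' | 'gap', limiting source).
    A question is only as answerable as its least-retained source."""
    report = {}
    for q, sources in questions.items():
        weakest_hot = min(sources, key=lambda s: retention[s]["hot"])
        weakest_arch = min(sources, key=lambda s: retention[s]["archive"])
        if lookback_days <= retention[weakest_hot]["hot"]:
            report[q] = ("hot", weakest_hot)
        elif lookback_days <= retention[weakest_arch]["archive"]:
            report[q] = ("archive", weakest_hot)
        else:
            report[q] = ("gap", weakest_arch)
    return report


def rehydration_needed(lookback_days, retention=RETENTION, questions=QUESTIONS):
    """Sources that must be pulled back from archive to answer every question
    that is answerable at all for this lookback."""
    needed = set()
    for sources in questions.values():
        for s in sources:
            if retention[s]["hot"] < lookback_days <= retention[s]["archive"]:
                needed.add(s)
    return sorted(needed)


def gaps(lookback_days, retention=RETENTION, questions=QUESTIONS):
    """Questions that cannot be answered from any tier for this lookback."""
    return sorted(q for q, (status, _) in coverage(lookback_days, retention, questions).items()
                  if status == "gap")


if __name__ == "__main__":
    for days in (60, 120, 400):
        print(f"--- attacker had access {days} days ago ---")
        for q, (status, source) in coverage(days).items():
            print(f"{q:22s} {status:8s} (limited by {source})")
        print("rehydrate:", rehydration_needed(days), "gaps:", gaps(days))
```

Running it for a 120-day lookback shows the asymmetry the text argues for: the identity and mailbox questions are still searchable, while endpoint execution and outbound destinations need the EDR, NAT and DNS archives rehydrated; at 400 days the 90-day sources are past their one-year archive and those questions become gaps, which is exactly what a quarterly coverage review should catch before an incident does.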
Assign ownership, review coverage quarterly, and revisit retention annually. Logging degrades quietly unless someone owns it.
If you can’t confidently answer “what happened?”, you either don’t have enough logs or don’t keep them long enough.
Cyber Advisors helps SMB and mid-market organizations build logging and retention programs that are practical, defensible, and cost-effective. We focus on the sources that matter most—identity, admin activity, endpoint telemetry, and network egress—then design retention tiers that align with your incident response timeline, cyber insurance expectations, and compliance requirements.
Ready for a practical plan? Get a Log Retention & Collection Plan tailored to your environment—what to log, how long to keep it, where to store it, and how to access it fast during an incident.