💡 Summary
This is a policy enhancement proposal that can be voted on by the team, prompted by changes in Microsoft's logging by license level that impact Defender policy 6.2 (Audit Premium license for all users). It also requires some hands-on investigation to determine how the current state of Microsoft's logging system behaves with respect to the log events that were previously only captured by the Audit Premium license but are now captured by Audit Standard.
Since Microsoft has now added numerous log events required by OMB to the Audit Standard license (including MailItemsAccessed, Send, SearchQueryInitiatedExchange, SearchQueryInitiatedSharePoint), is ScubaGear policy 6.2 still a requirement to add Audit Premium licenses to individual users? Those events were previously only available with the Premium license, but that isn't the case anymore.
Maybe instead we modify policy 6.2 to be about having Audit Premium at the organization level and not enabled for individual users? The key benefits of Audit Premium at the organization level are longer audit log retention, audit log retention policies, and intelligent insights. That said, having a longer audit log retention seems like a good thing at face value, but many agencies will be offloading their logs to a SIEM, which is where log retention matters to those orgs, so having longer retention in M365 only benefits smaller orgs that don't offload their logs. Therefore, maybe we change policy 6.2 to be about having Audit Premium at the organization level and make it a SHOULD policy since it doesn't apply to everyone?
https://www.microsoft.com/en-us/security/blog/2023/10/18/expanding-audit-logging-and-retention-within-microsoft-purview-for-increased-security-visibility
https://learn.microsoft.com/en-us/purview/audit-solutions-overview#audit-premium
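One way to do the hands-on investigation the proposal asks for is to pull the unified audit log for the four event types named above and see which of them are actually being captured, and for which users, so the result can be compared against who holds an Audit Premium license. The script below is an added example for this issue, not ScubaGear's own code or check logic. It assumes the ExchangeOnlineManagement module is installed, that the account running it holds a role that can read the audit log (for example View-Only Audit Logs), and that the lookback window and output path are placeholders to adjust.

```powershell
# Added example (not part of ScubaGear): measure which of the OMB-relevant audit events are being
# captured in this tenant over the last N days, per operation and per user.
# Assumptions: ExchangeOnlineManagement module present; unified audit logging enabled in the tenant;
# $Days and $OutputCsv are placeholder values to adjust.
param(
    [int]$Days = 7,
    [string]$OutputCsv = ".\audit-event-coverage.csv"   # placeholder path
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# The four event types the proposal says moved from Audit Premium to Audit Standard.
$operations = @('MailItemsAccessed', 'Send', 'SearchQueryInitiatedExchange', 'SearchQueryInitiatedSharePoint')

$end   = Get-Date
$start = $end.AddDays(-$Days)

# Search-UnifiedAuditLog returns at most 5000 records per call, so page through a session
# until a short page comes back.
$sessionId = "audit-coverage-" + [guid]::NewGuid().ToString()
$records = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations $operations `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($page) { $records += $page }
} while ($page -and $page.Count -eq 5000)

# Per-operation summary: event count, distinct users, first and last time seen.
$byOperation = $records | Group-Object -Property Operations | ForEach-Object {
    [pscustomobject]@{
        Operation     = $_.Name
        EventCount    = $_.Count
        DistinctUsers = ($_.Group | Select-Object -ExpandProperty UserIds -Unique).Count
        FirstSeen     = ($_.Group | Measure-Object -Property CreationDate -Minimum).Minimum
        LastSeen      = ($_.Group | Measure-Object -Property CreationDate -Maximum).Maximum
    }
}

# An expected operation with zero events in the window is the signal to investigate further:
# either the event type is not being captured, or nobody triggered it in the window.
foreach ($op in $operations) {
    if (-not ($byOperation | Where-Object { $_.Operation -eq $op })) {
        $byOperation += [pscustomobject]@{
            Operation = $op; EventCount = 0; DistinctUsers = 0; FirstSeen = $null; LastSeen = $null
        }
    }
}

# Per-user breakdown: which users generated which of these events. This is the table to compare
# against the tenant's Audit Premium license assignments to answer the question in the proposal.
$byUser = $records | Group-Object -Property UserIds | ForEach-Object {
    $ops = $_.Group | Select-Object -ExpandProperty Operations -Unique
    [pscustomobject]@{
        User       = $_.Name
        Operations = ($ops -join ';')
        EventCount = $_.Count
    }
}

$byOperation | Sort-Object Operation | Format-Table -AutoSize
$byUser | Sort-Object EventCount -Descending | Export-Csv -Path $OutputCsv -NoTypeInformation

Disconnect-ExchangeOnline -Confirm:$false
```

Run it once against a tenant where Audit Premium is assigned only to a subset of users: if users outside that subset show up in the per-user CSV with MailItemsAccessed, Send, or the two search events, that is direct evidence for the proposal that these events no longer depend on the per-user Premium license. A zero count for an operation is not evidence on its own, since the window may simply contain no activity of that kind.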
Motivation and context
Scuba policies should be aligned with Microsoft's changes and we should update policies that are no longer applicable as currently designed.