I'm looking to figure out what types of evidence really hold up under scrutiny 6 to 12 months after an audit, incident, or insurance review. My focus is on mid-market and enterprise environments, primarily using Microsoft 365 and standard ticketing and SIEM systems.
For audits and incident reviews, I'm curious about which evidence formats tend to be accepted most reliably and which ones often get questioned or rejected. Specifically, I want to know about:
- The effectiveness of screenshots and PDFs compared to raw exports like CSV or JSON.
- How SIEM query results stack up against vendor dashboards.
- The value of ticket histories from tools like Jira or ServiceNow compared to email or chat approvals.
- Details on tenant sign-in and audit logs, including which systems to prioritize (like M365, Entra, AzureAD, Okta, etc.), the best export formats to use, and the advisable time frames.
I'm considering examples like Entra sign-in log exports, ServiceNow change approval histories, EDR timelines, SIEM searches, and approvals from Teams or Slack. If you were starting fresh today, what would you make sure to export or archive as a default to avoid scrambling later?
2 Answers
From my experience during audits and claims, it’s crucial to note a few things:
1. Identify who requested the information, whether it was an auditor, insurer, internal counsel, etc.
2. Specify the artifacts you provided, detailing the exact system and export format.
3. Think about the time periods you need to cover and any retention constraints that may have affected your ability to pull data from the past.
4. Be aware of what types of evidence faced challenges, such as screenshots, dashboards, or any missing logs, as well as concerns regarding the provenance or potential tampering.
One key takeaway I’ve noticed is that outside of regular reports, auditors and the like typically prefer a one-off snapshot of information at the moment it’s requested. They really appreciate seeing a full-screen screenshot, so I recommend using a clean browser, closing unrelated windows and tabs, and definitely including the timestamp in the corner for extra credibility.
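The four points above (who asked, which artifact from which system and format, what period it covers, and whether it could have been tampered with) can be captured in a small evidence manifest at collection time. The script below is an added example, not code from any poster or vendor; the CSV content, system names and period are constructed sample values.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for an Entra sign-in log CSV export; not real data.
SAMPLE_EXPORT = (
    b"createdDateTime,userPrincipalName,status\n"
    b"2024-03-01T08:00:00Z,user@example.com,Success\n"
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(requester, artifacts, collected_at=None):
    """Record who requested the evidence, what was exported from which system
    and in which format, the period covered, and a SHA-256 of the raw bytes.
    artifacts: list of dicts with keys name, system, fmt, period, data (bytes)."""
    collected_at = collected_at or datetime.now(timezone.utc).isoformat()
    return {
        "requested_by": requester,
        "collected_at_utc": collected_at,
        "artifacts": [
            {
                "name": a["name"], "system": a["system"], "export_format": a["fmt"],
                "period_covered": a["period"], "size_bytes": len(a["data"]),
                "sha256": sha256_hex(a["data"]),
            }
            for a in artifacts
        ],
    }


def verify_artifact(manifest, name, data):
    """True if the bytes presented later still match the hash recorded at collection."""
    entry = next((a for a in manifest["artifacts"] if a["name"] == name), None)
    return entry is not None and entry["sha256"] == sha256_hex(data)


if __name__ == "__main__":
    manifest = build_manifest("external auditor", [{
        "name": "entra_signins_2024Q1.csv", "system": "Entra ID", "fmt": "CSV",
        "period": "2024-01-01/2024-03-31", "data": SAMPLE_EXPORT}])
    print(json.dumps(manifest, indent=2))
    print(verify_artifact(manifest, "entra_signins_2024Q1.csv", SAMPLE_EXPORT))
```

Store the manifest alongside the raw exports (not the screenshots) so the hash can be re-checked when the file is produced months later.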

This is really helpful, thanks! When you mention that people ‘really like’ screenshots, do you find that it’s auditors, insurers, or someone else usually asking for these? And do they usually come back for the raw export later, or is the screenshot sufficient if it shows the full screen and the clock?