What Evidence Stands Up to Scrutiny Months Later for Audits and Insurance?

Asked By DataNinja42 On

I'm trying to figure out what type of evidence really holds up under scrutiny several months after an audit, incident, or insurance review. Specifically, I'm focused on mid-market and enterprise environments, mainly working with Microsoft 365, along with standard ticketing systems and SIEM tools. I'm curious which formats of evidence have been accepted most consistently and which ones tend to get questioned or rejected during these reviews. Here's what I'm looking at:

- Screenshots or PDFs versus raw data exports like CSV or JSON.
- Results from SIEM queries compared to vendor dashboards.
- Ticket histories from systems like Jira or ServiceNow versus email or chat approvals.
- Tenant sign-in and audit logs—what systems should I be looking at, such as M365, Entra, AzureAD, or Okta, and in what format should they be exported? What time frames should I focus on?

I'm considering examples like Entra sign-in log exports, ServiceNow change approval histories, EDR timeline exports, SIEM searches, and approvals from Teams or Slack. If you were starting fresh today, what evidence would you make sure to export or archive to avoid last-minute scrambling?

2 Answers

Answered By AuditGuru88 On

From my experience with audits and claims, there are a few key things to consider:
1. Know who is asking for the information—whether it’s an auditor, insurer, legal counsel, or someone internal.
2. Be clear on what artifacts you have—the exact system used and the format you can provide.
3. Specify the time window covered and any retention constraints that might affect your ability to pull data from previous months.
4. Be prepared for challenges regarding specific types of evidence, such as screenshots, dashboards, or issues relating to the provenance of data.
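
Added example, not part of the answer above or of any vendor's tooling: a sidecar manifest written at export time that records the four points from that answer (requester, source system and format, time window and retention, provenance) next to a raw export. The CSV column names, field names and sample rows are constructed for illustration and do not follow any product's schema.

```python
import csv, hashlib, io, json
from datetime import datetime

# Constructed sample export; columns are illustrative, not a vendor schema.
SAMPLE_EXPORT = (
    b"timestamp,user,result\n"
    b"2024-03-01T08:15:00Z,alice@example.com,success\n"
    b"2024-03-02T21:40:12Z,bob@example.com,failure\n"
    b"2024-03-04T11:05:33Z,alice@example.com,success\n"
)

def _ts(value):
    # Accept a trailing "Z" on Python versions whose fromisoformat rejects it.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def build_manifest(raw, *, requester, system, fmt, window_start,
                   window_end, retention_days, exported_at):
    """Describe a raw export so it can be defended months later."""
    rows = list(csv.DictReader(io.StringIO(raw.decode("utf-8"))))
    stamps = sorted(_ts(r["timestamp"]) for r in rows)
    start, end = _ts(window_start), _ts(window_end)
    return {
        "requester": requester,                       # who is asking
        "source_system": system,                      # exact system used
        "format": fmt,                                # format provided
        "claimed_window": [window_start, window_end],
        "observed_window": ([stamps[0].isoformat(), stamps[-1].isoformat()]
                            if stamps else None),
        "records": len(rows),
        # Rows outside the stated window mean the export and claim disagree.
        "records_outside_window": sum(1 for t in stamps
                                      if not start <= t <= end),
        # True when the window began before the source still retained data.
        "window_older_than_retention":
            (_ts(exported_at) - start).days > retention_days,
        "exported_at": exported_at,
        "sha256": hashlib.sha256(raw).hexdigest(),    # provenance anchor
    }

def verify(raw, manifest):
    """Re-hash the archived bytes and compare with the manifest."""
    return hashlib.sha256(raw).hexdigest() == manifest["sha256"]

if __name__ == "__main__":
    m = build_manifest(SAMPLE_EXPORT, requester="insurer",
                       system="constructed-idp", fmt="csv",
                       window_start="2024-03-01T00:00:00Z",
                       window_end="2024-03-03T23:59:59Z",
                       retention_days=30, exported_at="2024-03-10T00:00:00Z")
    print(json.dumps(m, indent=2), verify(SAMPLE_EXPORT, m))
```
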

Answered By ScreenshotFanatic On

It’s crucial to provide evidence in a way that catches attention during an audit. Most requests outside of standard reports tend to focus on one-off pulls at the time of the query. Auditors really like getting screenshots, especially if they include the entire screen—so make sure to clean up your browser, hide bookmarks, and close unrelated tabs or windows. They also want to see the time and date displayed in the corner of the screenshot, which adds credibility.

DataNinja42 -

This is super helpful, thanks! Just out of curiosity, who usually asks for those screenshots? Is it primarily auditors or do insurers and internal teams also request them? And do they often follow up asking for the raw data export after seeing the screenshot?
