Microsoft 365 and Entra ID log analysis

Misconfigurations are half the story. Your logs are the other half. Most posture tools stop at settings. Siemserva by Senserva reads your logs too, so you see not just the door left unlocked, but who walked through it. Sign-in logs, the unified audit log, directory and provisioning logs, and security alerts, analyzed and correlated with 650+ configuration checks, ranked, and tied to a fix.

Part of the full product. See Siemserva, or how it pairs with CVE and patch coverage.

Sign-in and risky sign-in analysis

Replays the last 14 days of sign-in activity, the Entra ID default retention window, to catch risky and out-of-policy access, legacy authentication in the wild, and accounts signing in outside any Conditional Access policy.

Unified audit log health

Confirms auditing is actually on and capturing the events your investigations and your auditors depend on, instead of failing silently.

Directory and provisioning logs

Surfaces risky changes to roles, applications, and identities, and provisioning activity that has drifted away from policy.

Security alerts, triaged

Pulls in security alerts and ranks them alongside every other finding, in one prioritized view, each tied to evidence and a remediation step.

Logs, read end to end

Sign-in, unified audit, directory, and provisioning logs are read together and correlated, so risky activity is caught across all of them at once, not one console at a time.

One ranked view with your config

Log findings sit in the same dashboard and reports as your configuration and CVE findings, ranked by Severity, each with its evidence and a validated fix.

Where logs and Conditional Access meet

Sign-in logs are how you prove what your Conditional Access policies actually do. Siemserva replays the last 14 days of real sign-ins against your full policy set, so policy evaluation meets reality: who got in outside the policies you thought covered them, where legacy authentication slipped through, and which report-only policies were never enforced. It runs the most powerful Conditional Access evaluator we know of, evaluating every policy against every user, app, and condition.

Configuration, patching, and logs, brought together

A misconfiguration is a door left unlocked. A missing patch is a lock that is known to be broken. A log shows you who walked through. Siemserva models all three in one graph (configuration, patching and CVE exposure, and logs), so a weak setting on an unpatched account that is also being probed in the sign-in logs rises to the top, with a remediation step attached.

Configuration tells you where you are exposed, patching tells you what is unfixed, and logs tell you whether it is being used against you. Bringing them together in one model is the state of the art for security, and it is what lets the AI reason across your whole estate to create better, grounded solutions. That is a complete security state management system, not a settings checklist. See the unified security model.

Read-only, and your data stays with you

Siemserva reads your logs through Microsoft's own APIs, read-only and least privilege. It runs on Windows or Mac with no agents and no cloud pipeline, and the findings live in a local database you control. It complements a SIEM rather than replacing it, and nothing is shipped to us. See Senserva Trustworthy AI.

Frequently asked questions

Which Microsoft 365 logs does Siemserva analyze?

Entra ID sign-in logs, the Microsoft 365 unified audit log, directory audit logs, and provisioning logs, plus security alerts. They are analyzed alongside 650+ configuration checks so risky activity is ranked next to misconfigurations in one view.

How far back does the sign-in log analysis go?

Siemserva replays the last 14 days of sign-in activity, the Entra ID default retention period for sign-in logs. It uses that window to find risky and out-of-policy access, legacy authentication, and accounts signing in outside any Conditional Access policy.

Do I need a SIEM to use this?

No. Siemserva reads the logs directly through Microsoft's APIs, read-only, and correlates them with your configuration locally. It complements a SIEM rather than replacing it, and your data stays on your machine.

What is the Conditional Access evaluation engine?

It evaluates every Conditional Access policy against every user, app, and condition using three advanced techniques, finding the gaps point-in-time checkers miss: users and apps no policy applies to, risky exclusions, legacy authentication slipping through, and report-only policies that were never enforced.

See your logs and your config, together

Run the demo free, no registration, no access to your tenant, and see how Siemserva correlates logs, configuration, and CVEs into one ranked view.
