A monthly review fails when it becomes a memory test. For CMMC Level 2, I want a repeatable routine that shows what I checked, what I found, and what I did next.
This CMMC log review SOP is the template I use for Microsoft Entra ID and Microsoft Defender. It supports current Level 2 audit practices, commonly mapped to AU.L2-3.3.1 and AU.L2-3.3.2, but I still validate settings, licensing, data retention, and workflow details in my own tenant. It supports readiness, not a promise of certification.
I review security-relevant Entra ID and Defender logs at least once each month, investigate exceptions, and keep evidence of the review.
Purpose, scope, and ownership
In my SOP, the purpose is simple: I review identity and security logs for signs of unlawful, unauthorized, or unusual activity. The scope covers in-scope users, privileged accounts, endpoints, cloud identities, and connected workloads that handle or support controlled data.
I assign one primary reviewer and one backup reviewer. The primary reviewer performs the review, opens tickets, and saves evidence. The backup reviewer confirms the record is complete and that findings were handled. If my team uses a help desk or SIEM, I reference the related incident, change, or problem record in the monthly file.
I use this template with small business IT teams and MSPs whose work spans cloud infrastructure, Office 365 migration, data center technology, restaurant POS and kitchen technology, endpoint security, device hardening, and cloud management. The service line changes from client to client; the core review method does not change from month to month.
If my team still references AU.2.041 from older language, I note that I map this process to current Level 2 AU.L2-3.3.x audit practices and document that mapping in my SSP. For Microsoft-specific context, I keep Microsoft’s CMMC Level 2 identity guidance close at hand.
Monthly review procedure for Entra ID and Defender
I run the review after month-end, usually by the 10th business day. First, I confirm the review period, verify that logs still exist, and export anything near expiry. That matters because portal retention is limited by license and log type: Microsoft keeps Entra sign-in and audit logs in the portal for 30 days with a P1 or P2 license and 7 days without. At 30 days, a review on the 10th business day is already past retention for the first half of the month, so the export (or a diagnostic setting that streams the logs to a workspace or storage account) has to run during the month, not only at review time.
Microsoft Entra ID review steps
I start with Microsoft Entra sign-in logs and audit logs. Then I use custom log filters for date range, user, application, IP address, result, risk, and category.

I look for repeated failures followed by success, high-risk sign-ins, unfamiliar countries, legacy authentication, MFA not satisfied when policy says it should be, and privileged account activity outside approved change windows. In audit logs, I focus on role assignments, Conditional Access edits, break-glass account changes, user enable or disable actions, new app registrations, service principal changes, consent grants, and mass group membership changes.
If I review historical periods that overlap 2025, I cross-check Entra data in the tenant because some Entra sign-in events were not consistently surfaced in Defender tooling for part of that year. I don’t assume one pane of glass is complete without proof.
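The sign-in checks above, as an added example that is not code from the original post: it runs over records shaped like the Microsoft Graph / Entra sign-in log export (userPrincipalName, createdDateTime, ipAddress, location.countryOrRegion, status.errorCode, riskLevelDuringSignIn, clientAppUsed, authenticationRequirement) and flags failures followed by success, high-risk sign-ins, unfamiliar countries, legacy authentication, and successful sign-ins that did not satisfy MFA for accounts that should require it. The sample month, the expected-country set, the MFA-required user set, and the failure threshold are all constructed assumptions for the example.

```python
"""Monthly Entra ID sign-in review checks over an exported sign-in log.

Added example, not code from the original post. Records follow the Entra
sign-in log export shape; the sample data and tenant assumptions below are
constructed for the example.
"""
from collections import defaultdict
from datetime import datetime

# Constructed tenant assumptions for this example.
EXPECTED_COUNTRIES = {"US"}
MFA_REQUIRED_USERS = {"admin.jane@contoso.example", "alice@contoso.example"}
# clientAppUsed values Entra reports for legacy (non-modern) authentication.
LEGACY_CLIENTS = {"Exchange ActiveSync", "IMAP4", "POP3", "SMTP",
                  "Authenticated SMTP", "Other clients"}


def _rec(upn, when, ip, country, error, risk, client, auth):
    """Build one sign-in record in the Entra export shape (sample-data helper)."""
    return {"userPrincipalName": upn, "createdDateTime": when, "ipAddress": ip,
            "location": {"countryOrRegion": country}, "status": {"errorCode": error},
            "riskLevelDuringSignIn": risk, "clientAppUsed": client,
            "authenticationRequirement": auth}


# Constructed sample month: a credential-guessing run against alice that ends in a
# successful single-factor sign-in from a new country, a legacy IMAP sign-in by bob,
# and an admin sign-in that did not satisfy MFA.
SAMPLE_SIGNINS = [
    _rec("alice@contoso.example", "2026-03-03T02:10:00Z", "203.0.113.10", "NL", 50126, "none", "Browser", "singleFactorAuthentication"),
    _rec("alice@contoso.example", "2026-03-03T02:11:00Z", "203.0.113.10", "NL", 50126, "none", "Browser", "singleFactorAuthentication"),
    _rec("alice@contoso.example", "2026-03-03T02:12:00Z", "203.0.113.10", "NL", 50126, "none", "Browser", "singleFactorAuthentication"),
    _rec("alice@contoso.example", "2026-03-03T02:14:00Z", "203.0.113.10", "NL", 0, "high", "Browser", "singleFactorAuthentication"),
    _rec("bob@contoso.example", "2026-03-05T09:00:00Z", "198.51.100.7", "US", 0, "none", "IMAP4", "singleFactorAuthentication"),
    _rec("admin.jane@contoso.example", "2026-03-06T10:00:00Z", "198.51.100.8", "US", 0, "none", "Browser", "multiFactorAuthentication"),
    _rec("admin.jane@contoso.example", "2026-03-20T10:00:00Z", "198.51.100.8", "US", 0, "none", "Browser", "singleFactorAuthentication"),
]


def _succeeded(rec):
    # errorCode 0 is a successful sign-in; 50126 is the invalid-credentials failure.
    return rec["status"]["errorCode"] == 0


def _ts(rec):
    return datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))


def review_signins(records, expected_countries, mfa_required, fail_threshold=3):
    """Return a list of findings; each has check, user, when and detail keys."""
    findings = []
    by_user = defaultdict(list)
    for rec in records:
        by_user[rec["userPrincipalName"].lower()].append(rec)

    # Check 1: a run of failures followed by a success for the same account.
    for user, recs in by_user.items():
        streak = 0
        for rec in sorted(recs, key=_ts):
            if _succeeded(rec):
                if streak >= fail_threshold:
                    findings.append({"check": "failures_then_success", "user": user,
                                     "when": rec["createdDateTime"],
                                     "detail": f"{streak} failures then success from {rec['ipAddress']}"})
                streak = 0
            else:
                streak += 1

    # Checks 2-5 are evaluated per record.
    for rec in records:
        user = rec["userPrincipalName"].lower()
        when = rec["createdDateTime"]
        if rec.get("riskLevelDuringSignIn") == "high":
            findings.append({"check": "high_risk", "user": user, "when": when,
                             "detail": f"high-risk sign-in from {rec['ipAddress']}"})
        if not _succeeded(rec):
            continue  # the remaining checks only matter when access was granted
        country = rec["location"]["countryOrRegion"]
        if country not in expected_countries:
            findings.append({"check": "unfamiliar_country", "user": user, "when": when,
                             "detail": f"success from {country} ({rec['ipAddress']})"})
        if rec["clientAppUsed"] in LEGACY_CLIENTS:
            findings.append({"check": "legacy_auth", "user": user, "when": when,
                             "detail": f"success via {rec['clientAppUsed']}"})
        if user in mfa_required and rec["authenticationRequirement"] != "multiFactorAuthentication":
            findings.append({"check": "mfa_not_satisfied", "user": user, "when": when,
                             "detail": f"success with {rec['authenticationRequirement']}"})
    return findings


def count_by_check(findings):
    """Summarize findings per check for the monthly record."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["check"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in review_signins(SAMPLE_SIGNINS, EXPECTED_COUNTRIES, MFA_REQUIRED_USERS):
        print(f"{f['check']:<22} {f['user']:<28} {f['when']}  {f['detail']}")
```

The failures-then-success check sorts each user's events by time rather than trusting export order, because a CSV export filtered by user is not guaranteed to be chronological. The per-record checks skip failed sign-ins on purpose: a failure from an unfamiliar country is noise, a success from one is a finding.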
Microsoft Defender review steps
Next, I review Microsoft Defender incidents, alerts, device timelines, and Advanced Hunting data. My common tables are EntraIdSignInEvents, IdentityLogonEvents, and DeviceLogonEvents. I also compare the alert queue against resolved tickets so nothing high severity sits without a documented action.

I treat the following as priority findings: malware detections on multiple devices, attempts to disable antivirus or tamper protection, suspicious Entra account enablement, token theft signs, AiTM-related alerts, suspicious OAuth app behavior, impossible logon patterns, and repeated remote logons from unusual sources. This is also where I confirm that Endpoint Security and Device Hardening controls still work as expected.
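The alert-queue-to-ticket comparison and the priority-finding rule above, as an added example that is not code from the original post: it reconciles an alert export against help-desk tickets and reports every High alert, or alert in a priority category, that has neither a ticket nor a resolved classification in Defender. It also reports tickets that cite alert IDs no longer present in the export, which is the evidence gap to note when retention has already trimmed the queue. The alert records, titles, categories and ticket records are constructed; the field names follow the Defender XDR alert export (alertId, severity, category, status, classification).

```python
"""Reconcile the Defender alert queue against tickets before monthly sign-off.

Added example, not code from the original post. Alerts and tickets are
constructed sample data in the Defender XDR alert export shape.
"""

# Alert categories treated as priority regardless of severity (constructed choice,
# using Defender's MITRE-style category names).
PRIORITY_CATEGORIES = {"Malware", "DefenseEvasion", "CredentialAccess", "InitialAccess"}

# Constructed sample alert export for the review month.
SAMPLE_ALERTS = [
    {"alertId": "da1", "title": "Malware detected on multiple devices", "severity": "High",
     "category": "Malware", "status": "Resolved", "classification": "TruePositive"},
    {"alertId": "da2", "title": "Attempt to disable tamper protection", "severity": "High",
     "category": "DefenseEvasion", "status": "New", "classification": None},
    {"alertId": "da3", "title": "Possible token theft", "severity": "Medium",
     "category": "CredentialAccess", "status": "Resolved", "classification": "FalsePositive"},
    {"alertId": "da4", "title": "Unusual process on one device", "severity": "Low",
     "category": "SuspiciousActivity", "status": "New", "classification": None},
    {"alertId": "da5", "title": "AiTM phishing sign-in", "severity": "High",
     "category": "InitialAccess", "status": "InProgress", "classification": None},
    {"alertId": "da6", "title": "Malware detected on a second device", "severity": "Medium",
     "category": "Malware", "status": "New", "classification": None},
]

# Constructed sample help-desk export; INC-1001 cites an alert that has aged out.
SAMPLE_TICKETS = [
    {"id": "INC-1001", "state": "Resolved", "alertIds": ["da0"]},
    {"id": "INC-1042", "state": "Resolved", "alertIds": ["da1"]},
    {"id": "INC-1050", "state": "Open", "alertIds": ["da5"]},
]


def needs_action(alert):
    """High severity always needs a documented action; so do priority categories."""
    return alert["severity"] == "High" or alert["category"] in PRIORITY_CATEGORIES


def is_actioned(alert, ticketed_ids):
    """A ticket reference, or a Defender resolution with a classification, counts."""
    if alert["alertId"] in ticketed_ids:
        return True
    return alert["status"] == "Resolved" and bool(alert.get("classification"))


def unactioned_alerts(alerts, tickets):
    """Alerts that must not sit open without a ticket or classification."""
    ticketed = {aid for t in tickets for aid in t["alertIds"]}
    return [a for a in alerts if needs_action(a) and not is_actioned(a, ticketed)]


def dangling_ticket_refs(alerts, tickets):
    """(ticket id, alert id) pairs where the alert is missing from the export."""
    present = {a["alertId"] for a in alerts}
    return [(t["id"], aid) for t in tickets for aid in t["alertIds"] if aid not in present]


def severity_summary(alerts):
    """Counts per severity for the monthly record."""
    summary = {}
    for a in alerts:
        summary[a["severity"]] = summary.get(a["severity"], 0) + 1
    return summary


if __name__ == "__main__":
    for a in unactioned_alerts(SAMPLE_ALERTS, SAMPLE_TICKETS):
        print(f"NO ACTION  {a['alertId']}  {a['severity']:<6} {a['category']:<16} {a['title']}")
    for ticket, aid in dangling_ticket_refs(SAMPLE_ALERTS, SAMPLE_TICKETS):
        print(f"GAP        {ticket} references {aid}, not in this export")
    print(severity_summary(SAMPLE_ALERTS))
```

A Medium alert in a priority category (da6 here) is caught even though the severity filter alone would pass it, and an open ticket is enough to count as a documented action; the closure is checked when the backup reviewer confirms findings were handled.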
For practical mapping help, I sometimes compare my data sources to Defender XDR log mappings for CMMC controls. I use that as a technical reference, not as a substitute for tenant-specific validation.
Evidence, reviewer checklist, and sample monthly record
I keep evidence that shows both the review and the follow-up. Because CMMC Level 2 does not set one universal retention period in the practice text, I define retention in policy and confirm it against business, contract, and investigation needs. If my tenant needs long-term storage, I export logs or forward them to storage, Sentinel, or another approved location. Microsoft also documents how to download logs in Entra ID.
My reviewer checklist is short and strict:
- Confirm the month reviewed, systems in scope, and reviewer name.
- Save proof of Entra sign-in and audit log filters used.
- Save Defender incident summaries, alert IDs, and ticket numbers.
- Record each finding, the disposition, and the owner for follow-up.
- Note gaps, such as retention limits, connector failures, or licensing limits.
Sample evidence can include screenshots of filters, CSV exports, incident PDFs, analyst notes, ticket links, approval emails, and change records for expected admin activity. If no issues appear, I still save proof that I reviewed the logs.
A simple monthly record can look like this:
| Month | Reviewer | Sources reviewed | Findings summary | Evidence retained | Sign-off |
|---|---|---|---|---|---|
| March 2026 | Security Admin | Entra sign-in logs, Entra audit logs, Defender incidents, EntraIdSignInEvents, IdentityLogonEvents | Two risky sign-ins blocked, one approved role change, no open high-severity device alerts | CSV export, 3 screenshots, incident report, ticket INC-1042, change CHG-2201 | Security Manager, 4/7/2026 |
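A way to make the "evidence retained" column verifiable rather than descriptive, as an added example that is not code from the original post: the script hashes every retained file (CSV exports, screenshots, incident PDFs) with SHA-256, stores the hashes next to the record fields from the table above in a manifest.json, and can re-verify the folder later so the backup reviewer or an assessor can confirm nothing changed after sign-off. The record values and the sample files it writes into a temporary directory are constructed for the example.

```python
"""Evidence manifest for the monthly review record.

Added example, not code from the original post. Hashes retained evidence
files, stores the digests with the record, and re-verifies them on demand.
Sample files and record values are constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path

MANIFEST_NAME = "manifest.json"


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir, month, reviewer, sources, findings_summary, tickets, sign_off):
    """Record fields from the monthly table plus a digest for every evidence file."""
    evidence_dir = Path(evidence_dir)
    files = sorted(p for p in evidence_dir.iterdir() if p.is_file() and p.name != MANIFEST_NAME)
    return {"month": month, "reviewer": reviewer, "sources_reviewed": sources,
            "findings_summary": findings_summary, "related_tickets": tickets,
            "evidence": {p.name: sha256_file(p) for p in files}, "sign_off": sign_off}


def write_manifest(manifest, evidence_dir):
    path = Path(evidence_dir) / MANIFEST_NAME
    path.write_text(json.dumps(manifest, indent=2))
    return path


def verify_manifest(evidence_dir):
    """Names of evidence files that are missing or whose digest no longer matches."""
    evidence_dir = Path(evidence_dir)
    manifest = json.loads((evidence_dir / MANIFEST_NAME).read_text())
    bad = []
    for name, digest in manifest["evidence"].items():
        p = evidence_dir / name
        if not p.is_file() or sha256_file(p) != digest:
            bad.append(name)
    return bad


def to_markdown_row(m):
    """One row in the same column order as the monthly record table."""
    evidence = ", ".join(sorted(m["evidence"])) + " (SHA-256 in manifest.json)"
    return "| {} | {} | {} | {} | {} | {} |".format(
        m["month"], m["reviewer"], ", ".join(m["sources_reviewed"]),
        m["findings_summary"], evidence, m["sign_off"])


def run_demo():
    """Build, verify, tamper with, and re-verify a constructed evidence folder."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "entra_signins_2026-03.csv").write_text("constructed,sample\n")
        Path(d, "defender_incidents_2026-03.csv").write_text("constructed,sample\n")
        m = build_manifest(d, "March 2026", "Security Admin",
                           ["Entra sign-in logs", "Defender incidents"],
                           "Two risky sign-ins blocked", ["INC-1042"],
                           "Security Manager, 4/7/2026")
        write_manifest(m, d)
        before = verify_manifest(d)
        # Simulate an edit to an export after sign-off.
        Path(d, "defender_incidents_2026-03.csv").write_text("constructed,edited\n")
        after = verify_manifest(d)
        return {"files": sorted(m["evidence"]), "digest_lengths": {len(v) for v in m["evidence"].values()},
                "verify_before": before, "verify_after": after, "row": to_markdown_row(m)}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Keep the manifest with the record, and keep a copy of the manifest (or just its own digest) somewhere the primary reviewer cannot edit, such as the ticket or change record; otherwise the manifest only proves consistency, not integrity.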
Monthly review only works when I can prove it happened. A good CMMC log review SOP turns Entra ID and Defender data into clear evidence, clean follow-up, and fewer surprises when an assessor asks for proof.