What M-26-14 Means for Your Logging Strategy

Mark Gillett

May 28, 2026

Key Takeaways

  • On May 22, 2026, the White House issued M-26-14, replacing the five-year-old M-21-31 logging mandate with a risk-based framework built around two distinct objectives: Continuous Event Monitoring (CEM) for real-time detection, and Threat Hunting, Investigation, Response, and Forensics (THIRF) for deeper retention and forensic reconstruction.
  • The memo recognizes that indiscriminate log collection is neither operationally feasible nor cost-effective and directs CISA to publish a Logging Reference Architecture within 90 days.
  • eSentire’s MDR logging architecture has been built around this same distinction, offering separate paths for real-time monitoring and comprehensive forensic logging rather than forcing a single approach on every customer.
  • eSentire recently launched Atlas SIEM, which provides unlimited logging with real-time correlation and threat detection. Unlike MDR providers that stop at log collection or basic triage, Atlas SIEM analyzes log data for cross-correlation and threat detection.

A Shift in “Log Everything” Thinking

On May 22, 2026, the White House Office of Management and Budget issued Memorandum M-26-14, rescinding the five-year-old M-21-31 logging mandate and replacing it with a risk-based, prioritized approach. The reasoning: retaining vast quantities of log data without clear utility proved neither operationally feasible nor cost-effective for most agencies.

This is not just a federal policy update. It is a signal that the broader market is catching up to what eSentire has understood for years — that logging everything is not a security strategy.

This shift is not unique to the United States. Multiple jurisdictions have moved in the same direction, directing federal departments to ensure that logs contain sufficient information to establish what events occurred and who or what caused them, while focusing collection on organization-determined essential information rather than capturing everything indiscriminately.

The pattern is consistent: move away from volume-based logging toward deliberate, risk-informed collection that serves defined security objectives.

What Does M-26-14 Require for Logging?

M-26-14 establishes two distinct logging priorities, each serving a different operational objective:

  • Continuous Event Monitoring (CEM): the logs needed for real-time detection.
  • Threat Hunting, Investigation, Response, and Forensics (THIRF): the logs needed for deeper retention and forensic reconstruction.

The memo does not prescribe a single logging approach. It directs organizations to be deliberate about which logs serve which objective and to resource both.

CISA has 90 days from publication to release a Logging Reference Architecture (LRA) with implementation-level guidance, including specific log categories, retention tiers, and maturity benchmarks.

Continuous Event Monitoring demands speed, signal clarity, and low noise while Threat Hunting, Investigation, Response, and Forensics demands depth, breadth, and retrievability across longer time horizons. Treating them identically, either by logging everything indiscriminately, or by filtering aggressively to cut cost, fails one objective to serve the other.

Filtering Is Half an Answer

A concept gaining traction across the industry is pre-ingestion filtering, that is, reducing log volume at the source by stripping out events with minimal security value before they reach the SIEM. The logic is sound for Continuous Event Monitoring: debug logs, IT operations telemetry, and redundant events add noise without improving detection.

But filtering alone creates a blind spot for Threat Hunting, Investigation, Response, and Forensics. When an incident response provider needs to trace an attacker’s path through authentication events, privilege changes, and network sessions, the data either exists or it does not. You cannot forensically reconstruct what you chose not to collect.

The memo recognizes this tension explicitly. It does not prescribe one approach. It tells organizations to be deliberate about which logs serve which objective and to resource both.
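As an added illustration (not eSentire's code or architecture), the following Python router shows the two-path idea in practice: operational noise is stripped and repeated events are deduplicated on the detection (CEM) path, while every authentication, privilege and network event is written to the forensic (THIRF) store regardless of that filtering. The category names, sample events and deduplication key are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample events (not from any real system): high-signal security
# events mixed with operational noise and one exact duplicate.
SAMPLE_EVENTS = [
    {"ts": "2026-05-22T10:00:01Z", "category": "auth", "action": "login_failed", "user": "alice", "src": "10.0.0.5"},
    {"ts": "2026-05-22T10:00:01Z", "category": "auth", "action": "login_failed", "user": "alice", "src": "10.0.0.5"},
    {"ts": "2026-05-22T10:00:02Z", "category": "debug", "msg": "cache warm complete"},
    {"ts": "2026-05-22T10:00:03Z", "category": "privilege", "action": "group_add", "user": "alice", "group": "admins"},
    {"ts": "2026-05-22T10:00:04Z", "category": "ops", "metric": "cpu_pct", "value": 42},
    {"ts": "2026-05-22T10:00:05Z", "category": "network", "action": "session_start", "src": "10.0.0.5", "dst": "10.0.0.9", "dport": 445},
    {"ts": "2026-05-22T10:00:06Z", "category": "debug", "msg": "gc pause 3ms"},
]

CEM_NOISE = {"debug", "ops"}                   # stripped before the detection path
THIRF_KEEP = {"auth", "privilege", "network"}  # always retained for forensics
DEDUP_KEYS = ("category", "action", "user", "src")  # assumed identity of a "redundant" event

@dataclass
class Routed:
    cem: list = field(default_factory=list)    # real-time detection stream
    thirf: list = field(default_factory=list)  # long-retention forensic store
    dropped: int = 0                           # noise that served neither objective

def route(events, cem_noise=CEM_NOISE, thirf_keep=THIRF_KEEP):
    """Route each event to zero, one or both paths; forensic categories are never dropped."""
    out = Routed()
    seen = set()  # simplification: real deployments dedup within a time window
    for ev in events:
        cat = ev.get("category", "unknown")
        kept = False
        if cat in thirf_keep:             # forensic path keeps every copy, duplicates included
            out.thirf.append(ev)
            kept = True
        if cat not in cem_noise:          # detection path: drop noise, then dedup repeats
            key = tuple(ev.get(k) for k in DEDUP_KEYS)
            if key not in seen:
                seen.add(key)
                out.cem.append(ev)
            kept = True
        if not kept:
            out.dropped += 1
    return out

def summary(routed):
    return {"cem": len(routed.cem), "thirf": len(routed.thirf), "dropped": routed.dropped}

if __name__ == "__main__":
    print(summary(route(SAMPLE_EVENTS)))  # {'cem': 3, 'thirf': 4, 'dropped': 3}
```

The point the numbers make: the detection stream shrinks to three events, yet the forensic store still holds all four security-relevant records, including the duplicate that an aggressive filter would have discarded.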

eSentire Already Builds for Both

At eSentire, this is not new. Our MDR logging architecture has been built around the same principle M-26-14 now formalizes: different security objectives require different logging strategies, and customers should not be forced into a single approach.

This philosophy is embedded directly into the eSentire Atlas Platform, our cloud-native, AI-powered SecOps infrastructure purpose-built to ingest, correlate, and act on security telemetry at scale, without requiring customers to choose between coverage and cost.

For organizations whose primary need is continuous event monitoring (i.e., real-time visibility, managed detection, and rapid response), eSentire offers Unlimited Logging.

This is a streamlined, lower-cost path that prioritizes signal over volume, while still carving out a data partition for deeper forensic data.

It applies the kind of pragmatic, risk-based filtering that M-26-14 endorses, without burdening the customer with the complexity of managing it themselves.

For organizations that require comprehensive logging, whether for forensic investigation, regulatory audit, or full traceability, eSentire offers MDR for Log through Sumo Logic (with two data tiers that map directly to the Continuous Event Monitoring and Threat Hunting, Investigation, Response, and Forensics distinction), eSentire Atlas SIEM, Microsoft Sentinel, or a bring-your-own SIEM in Splunk. This puts the customer in full control of what gets collected and how long it is retained.

Across all SIEM paths, eSentire's 24/7 SOC provides an active managed service layer: continuous rule tuning, alert triage, and expert oversight mean customers benefit from the depth of a full SIEM without the operational burden of running one in-house.

These are distinct choices, aligned to distinct needs. Not a single product trying to be everything.

What Comes Next

M-26-14 directs CISA to publish a Logging Reference Architecture (LRA) within 90 days. That document will contain the implementation-level guidance — specific log categories, retention tiers, and maturity benchmarks.

eSentire will incorporate the Logging Reference Architecture into our existing logging guidance as it is published. We have long been advising customers on risk-based logging strategy. The LRA will not change our direction.

To learn how eSentire can help you find exposures and defend your organization, connect with an eSentire Security Specialist now.

ABOUT THE AUTHOR

Mark Gillett, Chief Product Officer

As Chief Product Officer, Mark Gillett leads a cross-functional team responsible for strategic product vision, creating and evolving solutions that solve our customers' cybersecurity challenges. His leadership drives the development and delivery of innovative security technologies and services that keep pace with today's evolving threat landscape. Throughout his 25-year career in cybersecurity, Mark has focused on MDR, SIEM, and security operations platforms, serving in key leadership positions across Product, Engineering, Technical Support, and Service Delivery. His expertise has consistently advanced the development and implementation of effective security solutions. Mark holds a Bachelor of Science degree from Laurier University in Waterloo, Canada.
