Microsoft begins broadening free cloud logging capabilities

After select US federal agencies tested Microsoft’s expanded cloud logging capabilities for six months, Microsoft is now making them available to all agencies using Microsoft Purview Audit – regardless of license tier.

“This change will impact government departments & agencies who do not currently have access to Microsoft Purview Audit Premium (E5/G5/Compliance Mini-Suite). And for those that do have Audit Premium, they will retain the additional capabilities of intelligent insights and extended retention periods, in addition to higher bandwidth and prioritized access to the API,” explained Casey Kahsen, a senior technical specialist with Microsoft’s Federal Security team.

Expanded cloud logging capabilities

Microsoft first announced the expanded cloud logging capabilities in July 2023, after it revealed that Chinese hackers accessed email accounts belonging to 25 organizations and government agencies.

The attackers exploited a token validation flaw to create valid authentication tokens and access the accounts via Outlook Web Access in Exchange Online (OWA) and Outlook.com. The intrusion went on for a month before a US Federal Civilian Executive Branch agency detected unusual activity in Microsoft 365 audit logs, highlighting the vital importance of cybersecurity logs for prompt threat detection and incident response.

“As described in CISA’s Secure by Design guidance, all technology providers should provide ‘high-quality audit logs to customers at no extra charge or additional configuration.’ Today’s announcement is a further step in this direction,” the Cybersecurity and Infrastructure Security Agency stated on Wednesday.

“Microsoft will automatically enable the logs in customer accounts and increase the default log retention period from 90 days to 180 days. Also, this data will provide new telemetry to help more federal agencies meet logging requirements mandated by OMB Memorandum M-21-31.”

Microsoft says that the data will enhance threat hunting capabilities for business email compromise (BEC), advanced nation-state threat activities, and even insider risk scenarios. “The new logging capabilities will now offer government Microsoft M365 E3 customers the ability to gain insights into detailed logs pertaining to the access of email (via MailItemsAccessed), and to the user entered search strings in both SharePoint and Exchange (via UserSearchQueries) if configured.”

Most additional logging capabilities will be enabled by default. The exception are the SearchQueryInitiatedExchange and SearchQueryInitiatedSharePoint logs, which organizations need to enable themselves.

Microsoft has also collaborated with CISA to create a playbook to explain to cyber defenders the added logging events, how they can be used for forensic investigation and incident response, and instruct them on how to enable those two specific logs.

“Lastly, the playbook provides a threat actor behavior driven approach for leveraging the added logging capabilities in detecting even the most advanced state-sponsored activities. These behaviors include Credential Access, Exfiltration, and Impact providing both proactive and reactive analytical methodologies for each. In addition, the playbook provides cyber defenders with KQL-based Advanced Hunting queries which can be used as a template for detecting the threat actor behaviors described in the scenario,” Kahsen noted.

A slow roll-out to all customers

“Last summer, we were glad to see Microsoft’s commitment to make necessary logging available to federal agencies and the broader cybersecurity community. I am pleased that we have made real progress toward this goal,” said Eric Goldstein, CISA Executive Assistant Director for Cybersecurity.

“We have prioritized our federal customers, and we are striving to ensure those who are not currently leveraging an E5 license receive this logging expansion as quickly as possible,” Kahsen pointed out, and said that all remaining customers in GCC, GCC-H, and DoD environments will get expanded logging capabilities in the next 30 days. But, he added, providing increased logging for all customers worldwide will take time.