
Microsoft expands its free cloud logging features


Microsoft has announced the availability of its expanded cloud logging capabilities to all US federal agencies using Microsoft Purview Audit, regardless of their license tier. This decision comes after a successful six-month testing period by select federal agencies, showcasing the importance of enhanced security visibility for government departments and agencies.

Casey Kahsen, a senior technical specialist with Microsoft’s Federal Security team, explained that this change will affect government entities that do not currently have access to Microsoft Purview Audit Premium. Those already using Audit Premium will continue to benefit from intelligent insights, extended retention periods, higher bandwidth, and prioritized access to the API.

The expanded cloud logging capabilities were initially introduced by Microsoft in July 2023 following a cybersecurity incident where Chinese hackers gained unauthorized access to email accounts of several organizations and government agencies. The attackers exploited a token validation flaw to create valid authentication tokens and access the accounts via Outlook Web Access in Exchange Online and Outlook.com.

The importance of cybersecurity logs for prompt threat detection and incident response was highlighted when a US Federal Civilian Executive Branch agency detected unusual activity in Microsoft 365 audit logs, leading to the discovery of the intrusion. This incident underscored the critical need for high-quality audit logs, as emphasized in CISA’s Secure by Design guidance.

Microsoft’s new logging capabilities will automatically enable logs in customer accounts and increase the default log retention period from 90 days to 180 days. This data will also help federal agencies meet logging requirements mandated by OMB Memorandum M-21-31, providing valuable telemetry for threat detection and investigation.

The enhanced logging aims to improve threat hunting for a range of scenarios, including business email compromise, advanced nation-state threats, and insider risk. It will give government Microsoft 365 E3 customers detailed insight into mailbox item access and into user search queries in SharePoint and Exchange.

To assist customers in leveraging the new logging events, Microsoft has collaborated with CISA to create a playbook that outlines how cyber defenders can use the logging data for forensic investigation and incident response. The playbook also includes KQL-based Advanced Hunting queries to help detect threat actor behaviors effectively.
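The two log types the article describes, mailbox item access and user search queries, only help if someone actually reads them. The following Python script is an added example, not code from Microsoft, CISA or the playbook mentioned above, showing the kind of triage a defender can run over exported audit records: it parses records laid out like Unified Audit Log `AuditData` JSON (the `Operation`, `UserId`, `ClientIP`, `CreationTime` and `OperationProperties` fields, with `MailAccessType` and `IsThrottled` on `MailItemsAccessed` events, follow the published schema; the `QueryText` field on search events is an assumption here), flags mailbox access from IPs outside a per-user baseline, surfaces throttled `MailItemsAccessed` events (the service stops recording further accesses for a period once a mailbox exceeds its daily cap, so counts become a lower bound), lists recorded search queries, and checks whether an event of a given age is still inside a 90-day versus 180-day retention window. All users, IPs, timestamps and the baseline are constructed sample data.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample records in the shape of Microsoft 365 Unified Audit Log
# "AuditData" JSON. The field names follow the published schema; the users,
# IPs and timestamps are made up for this example.
SAMPLE_RECORDS = [
    '{"CreationTime":"2024-03-01T08:00:00","Operation":"MailItemsAccessed","UserId":"alice@example.gov","ClientIP":"203.0.113.10","OperationProperties":[{"Name":"MailAccessType","Value":"Bind"},{"Name":"IsThrottled","Value":"False"}]}',
    '{"CreationTime":"2024-03-01T08:05:00","Operation":"MailItemsAccessed","UserId":"alice@example.gov","ClientIP":"198.51.100.7","OperationProperties":[{"Name":"MailAccessType","Value":"Sync"},{"Name":"IsThrottled","Value":"False"}]}',
    '{"CreationTime":"2024-03-01T08:06:00","Operation":"MailItemsAccessed","UserId":"alice@example.gov","ClientIP":"198.51.100.7","OperationProperties":[{"Name":"MailAccessType","Value":"Bind"},{"Name":"IsThrottled","Value":"False"}]}',
    '{"CreationTime":"2024-03-01T08:07:00","Operation":"MailItemsAccessed","UserId":"alice@example.gov","ClientIP":"198.51.100.7","OperationProperties":[{"Name":"MailAccessType","Value":"Bind"},{"Name":"IsThrottled","Value":"False"}]}',
    '{"CreationTime":"2024-03-01T08:08:00","Operation":"SearchQueryInitiatedExchange","UserId":"alice@example.gov","ClientIP":"198.51.100.7","QueryText":"password reset"}',
    '{"CreationTime":"2024-03-01T09:15:00","Operation":"MailItemsAccessed","UserId":"bob@example.gov","ClientIP":"203.0.113.20","OperationProperties":[{"Name":"MailAccessType","Value":"Bind"},{"Name":"IsThrottled","Value":"True"}]}',
    '{"CreationTime":"2024-03-01T09:20:00","Operation":"MailItemsAccessed","UserId":"bob@example.gov","ClientIP":"203.0.113.20","OperationProperties":[{"Name":"MailAccessType","Value":"Bind"},{"Name":"IsThrottled","Value":"False"}]}',
]

# Constructed baseline: client IPs previously seen for each mailbox.
BASELINE_IPS = {
    "alice@example.gov": {"203.0.113.10"},
    "bob@example.gov": {"203.0.113.20"},
}


def parse_records(lines):
    """Parse AuditData JSON lines into flat dicts. CreationTime in the log is UTC
    without a zone suffix, so it is tagged explicitly here."""
    records = []
    for line in lines:
        raw = json.loads(line)
        props = {p["Name"]: p["Value"] for p in raw.get("OperationProperties", [])}
        records.append({
            "time": datetime.fromisoformat(raw["CreationTime"]).replace(tzinfo=timezone.utc),
            "operation": raw["Operation"],
            "user": raw["UserId"],
            "ip": raw.get("ClientIP", ""),
            "access_type": props.get("MailAccessType"),
            "throttled": props.get("IsThrottled", "False").lower() == "true",
            "query": raw.get("QueryText"),  # assumed field name for search events
        })
    return records


def mail_access_from_new_ips(records, baseline, min_events=3):
    """MailItemsAccessed activity from an IP not in the user's baseline.
    Returns sorted (user, ip, count) tuples for IPs with at least min_events accesses."""
    counts = defaultdict(int)
    for r in records:
        if r["operation"] == "MailItemsAccessed":
            counts[(r["user"], r["ip"])] += 1
    return sorted(
        (user, ip, n) for (user, ip), n in counts.items()
        if ip not in baseline.get(user, set()) and n >= min_events
    )


def throttled_mail_access(records):
    """Throttled MailItemsAccessed events: further accesses by that user were not
    recorded for a period, so any per-user count is only a lower bound."""
    return [(r["user"], r["time"].isoformat()) for r in records
            if r["operation"] == "MailItemsAccessed" and r["throttled"]]


def search_queries(records):
    """User search queries recorded by Exchange / SharePoint search events."""
    return [(r["user"], r["ip"], r["query"]) for r in records
            if r["operation"].startswith("SearchQueryInitiated")]


def within_retention(creation_time, reference, days):
    """True if an event is still inside a retention window of `days` at `reference`."""
    return reference - creation_time <= timedelta(days=days)


def kept_under(days_old, retention_days,
               reference=datetime(2024, 3, 1, tzinfo=timezone.utc)):
    """Would an event `days_old` days before `reference` still be available
    under a `retention_days` policy?"""
    return within_retention(reference - timedelta(days=days_old), reference, retention_days)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    print("Mail access from non-baseline IPs:", mail_access_from_new_ips(recs, BASELINE_IPS))
    print("Throttled (undercounted) access events:", throttled_mail_access(recs))
    print("Search queries:", search_queries(recs))
    # A 120-day-old event is gone under the old 90-day default but kept under 180 days.
    print("120-day-old event kept at 90 days:", kept_under(120, 90),
          "at 180 days:", kept_under(120, 180))
```

The baseline here is a hard-coded dict; in practice it would be built from the same log over a trailing window, and the non-baseline-IP finding is only a starting point for investigation, not a verdict. The throttled check matters because a quiet `MailItemsAccessed` timeline can mean either no access or a throttled record, and the two should not be read the same way.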

While Microsoft is prioritizing federal customers and aiming to provide expanded logging capabilities to all remaining customers in specific environments within the next 30 days, the process of enabling increased logging for all customers worldwide will take time. Despite the gradual roll-out, the commitment to enhancing security visibility and threat detection for all government agencies remains a top priority for Microsoft.

In conclusion, the availability of Microsoft’s expanded cloud logging capabilities to all US federal agencies highlights the company’s dedication to improving cybersecurity measures and visibility for government entities. By providing enhanced logging capabilities and valuable telemetry data, Microsoft aims to strengthen threat detection and response efforts across federal agencies, ultimately enhancing overall cybersecurity resilience in the face of evolving threats.
