CISA Issues Guidance on Microsoft’s Enhanced Logging Features

The Cybersecurity and Infrastructure Security Agency (CISA) has released new guidance for government and business users on leveraging expanded logging capabilities within Microsoft 365. These enhancements are designed to improve forensic and compliance investigations.
Enhanced Logging Capabilities
Microsoft has introduced advanced logging options via Microsoft Purview Audit (Standard), which aid cybersecurity efforts by tracking crucial events. These include details on emails sent and accessed, and user activity within Exchange Online and SharePoint Online. As CISA noted, "Organizations can now oversee and scrutinize a myriad of user and administrative actions across numerous Microsoft offerings." The agency highlights these logs as a new avenue for detecting potential cybersecurity threats such as business email compromise, nation-state activity, and insider risks.
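The "emails accessed" records described above are the raw material for the kind of detection CISA has in mind. The following script is an added example, not code from CISA's guidance or playbook: it runs over a handful of constructed audit records (the JSON field subset used here is an assumption, not the full Exchange Online schema) and flags a single client address that reads several different mailboxes, which is the pattern a forensic analyst would hunt for after a token or key compromise.

```python
"""Hunt over exported Purview Audit (Standard) mail-access records (added example)."""
import json
from collections import defaultdict

# Constructed sample audit lines. Field subset (Operation, UserId, MailboxOwnerUPN,
# ClientIPAddress, OperationProperties/MailAccessType) is an assumption for this example.
SAMPLE_AUDIT_LINES = [
    '{"CreationTime":"2023-06-15T08:01:10","Operation":"MailItemsAccessed","UserId":"alice@example.gov","MailboxOwnerUPN":"alice@example.gov","ClientIPAddress":"198.51.100.10","OperationProperties":[{"Name":"MailAccessType","Value":"Bind"}]}',
    '{"CreationTime":"2023-06-15T08:02:44","Operation":"Send","UserId":"alice@example.gov","ClientIPAddress":"198.51.100.10"}',
    '{not valid json - a truncated export line}',
    '{"CreationTime":"2023-06-15T09:10:01","Operation":"MailItemsAccessed","UserId":"alice@example.gov","MailboxOwnerUPN":"alice@example.gov","ClientIPAddress":"203.0.113.7","OperationProperties":[{"Name":"MailAccessType","Value":"Sync"}]}',
    '{"CreationTime":"2023-06-15T09:10:05","Operation":"MailItemsAccessed","UserId":"bob@example.gov","MailboxOwnerUPN":"bob@example.gov","ClientIPAddress":"203.0.113.7","OperationProperties":[{"Name":"MailAccessType","Value":"Sync"}]}',
    '{"CreationTime":"2023-06-15T09:10:09","Operation":"MailItemsAccessed","UserId":"carol@example.gov","MailboxOwnerUPN":"carol@example.gov","ClientIPAddress":"203.0.113.7","OperationProperties":[{"Name":"MailAccessType","Value":"Sync"}]}',
]


def parse_audit_lines(lines):
    """Parse one JSON record per line; skip malformed lines instead of aborting the hunt."""
    records = []
    for line in lines:
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def mail_access_type(rec):
    """Return the MailAccessType property ("Bind" = single item, "Sync" = bulk) or None."""
    for prop in rec.get("OperationProperties", []):
        if prop.get("Name") == "MailAccessType":
            return prop.get("Value")
    return None


def find_cross_mailbox_access(records, min_mailboxes=3):
    """Map client IP -> sorted mailbox owners for IPs that read >= min_mailboxes distinct mailboxes.

    Each user appearing to read only their own mailbox looks normal per user; grouping by
    source address is what exposes one client touching many accounts."""
    by_ip = defaultdict(set)
    for rec in records:
        if rec.get("Operation") == "MailItemsAccessed":
            by_ip[rec.get("ClientIPAddress")].add(rec.get("MailboxOwnerUPN"))
    return {ip: sorted(o) for ip, o in by_ip.items() if len(o) >= min_mailboxes}


def count_sync_access(records):
    """Count Sync-type (bulk download) accesses per (client IP, mailbox owner) pair."""
    counts = defaultdict(int)
    for rec in records:
        if rec.get("Operation") == "MailItemsAccessed" and mail_access_type(rec) == "Sync":
            counts[(rec["ClientIPAddress"], rec["MailboxOwnerUPN"])] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = parse_audit_lines(SAMPLE_AUDIT_LINES)
    for ip, owners in find_cross_mailbox_access(recs).items():
        print(f"ALERT: {ip} accessed {len(owners)} mailboxes: {', '.join(owners)}")
```

On a real export from Search-UnifiedAuditLog the same grouping applies once the AuditData column is parsed line by line; thresholds should be tuned against the tenant's known gateway and proxy addresses.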
Comprehensive Playbook
Alongside the guidance, CISA has released a 60-page playbook that offers instructions on how to navigate and utilize these logs effectively. The document includes steps for integrating logs into platforms like Microsoft Sentinel and Splunk, enhancing Security Information and Event Management (SIEM) capabilities.
Context and Background
These developments follow a security incident reported in July 2023, after which Microsoft expanded its logging features. The breach involved Chinese hackers identified as Storm-0558, who exploited a stolen Microsoft account key to access emails from U.S. State and Commerce Department officials between May and June 2023. Remarkably, the breach was detected by the State Department’s Security Operations Center using internal tools with access to Microsoft's enhanced cloud logging features, which were previously available only to Purview Audit (Premium) license holders. Industry criticism emerged following the breach, focusing on Microsoft's practice of restricting essential logging functions to premium license tiers. State Department disclosures post-breach revealed that the hackers exfiltrated over 60,000 emails from Outlook accounts of government personnel. In response to this incident, Microsoft has now made enhanced logging capabilities available to Purview Audit (Standard) customers with E3/G3 licenses and higher, aiming to bolster security visibility for its users.