Article Details
Scrape Timestamp (UTC): 2025-01-15 20:42:10.819
Original Article Text
Click to Toggle View
CISA shares guidance for Microsoft expanded logging capabilities. CISA shared guidance for government agencies and enterprises on using expanded cloud logs in their Microsoft 365 tenants as part of their forensic and compliance investigations. As the cybersecurity agency explained, these newly introduced Microsoft Purview Audit (Standard) logging capabilities support enterprise cybersecurity operations by providing access to information on critical events such as mail sent, mail accessed, and user searches in Exchange Online and SharePoint Online. "These capabilities also allow organizations to monitor and analyze thousands of user and admin operations performed in dozens of Microsoft services and solutions," CISA said on Wednesday. "These logs provide new telemetry to enhance threat-hunting capabilities for business email compromise (BEC), advanced nation-state threat activities, and possible insider-risk scenarios," the agency added. The 60-page playbook published today also includes guidance on navigating the expanded logs within Microsoft 365 and ingesting into Microsoft Sentinel and Splunk SIEM (Security Information and Event Management) systems. Logs expanded after 2023 Exchange Online breach Microsoft expanded free logging capabilities for all Purview Audit standard customers (with E3/G3 licenses and above) under pressure from CISA after disclosing in July 2023 that a Chinese hacking tracked as Storm-0558 stole emails belonging to senior government officials from the State and Commerce departments in an Exchange Online breach between May and June 2023. The threat actors used a Microsoft account (MSA) key stolen from a Windows crash dump in April 2021 to forge authentication tokens, which gave them access to targeted email accounts via Outlook.com and Outlook Web Access in Exchange Online (OWA). While the attackers mostly evaded detection, the State Department's Security Operations Center (SOC) detected the malicious activity using an "in-house detection tool" with access to enhanced cloud logging (i.e., MailItemsAccessed events). However, these logging capabilities (specifically MailItemsAccessed events with unexpected ClientAppID and AppID) were only available to customers with Microsoft's Purview Audit (Premium) logging licenses. This led to widespread industry criticism of Redmond for hindering organizations from promptly detecting Storm-0558's attacks. Months after the breach, State Department officials revealed that the Chinese hackers stole over 60,000 emails from department officials' Outlook accounts after breaching Microsoft's cloud-based Exchange Online email platform.
Daily Brief Summary
CISA issued new guidelines to enhance the use of Microsoft 365's expanded cloud log capabilities for forensic and compliance investigations.
These capabilities are designed to improve threat detection, focusing on events like mail activities and user interactions in specific Microsoft online services.
Expanded logging was a direct response to a breach in 2023, where Chinese hackers accessed high-level U.S. government emails via Microsoft Exchange Online.
The logs aim to boost security operations against sophisticated threats such as business email compromise (BEC), nation-state attacks, and insider risks.
The 60-page playbook provides detailed instructions on how to navigate and utilize these logs in Microsoft 365, integrating them with systems like Microsoft Sentinel and Splunk SIEM.
Enhanced logging enabled the State Department's Security Operations Center to detect malicious activities that initially went unnoticed during the cyberattack.
After the incident, there was significant criticism towards Microsoft for not making advanced logging capabilities widely available, potentially delaying the discovery of the breach.