CISA shares guidance for Microsoft expanded logging capabilities

​CISA shared guidance for government agencies and enterprises on using expanded cloud logs in their Microsoft 365 tenants as part of their forensic and compliance investigations.

As the cybersecurity agency explained, these newly introduced Microsoft Purview Audit (Standard) logging capabilities support enterprise cybersecurity operations by providing access to information on critical events such as mail sent, mail accessed, and user searches in Exchange Online and SharePoint Online.

"These capabilities also allow organizations to monitor and analyze thousands of user and admin operations performed in dozens of Microsoft services and solutions," CISA said on Wednesday.

"These logs provide new telemetry to enhance threat-hunting capabilities for business email compromise (BEC), advanced nation-state threat activities, and possible insider-risk scenarios," the agency added.

The 60-page playbook published today also includes guidance on navigating the expanded logs within Microsoft 365 and ingesting into Microsoft Sentinel and Splunk SIEM (Security Information and Event Management) systems.

Logs expanded after 2023 Exchange Online breach

Microsoft expanded free logging capabilities for all Purview Audit standard customers (with E3/G3 licenses and above) under pressure from CISA after disclosing in July 2023 that a Chinese hacking tracked as Storm-0558 stole emails belonging to senior government officials from the State and Commerce departments in an Exchange Online breach between May and June 2023.

The threat actors used a Microsoft account (MSA) key stolen from a Windows crash dump in April 2021 to forge authentication tokens, which gave them access to targeted email accounts via Outlook.com and Outlook Web Access in Exchange Online (OWA).

While the attackers mostly evaded detection, the State Department's Security Operations Center (SOC) detected the malicious activity using an "in-house detection tool" with access to enhanced cloud logging (i.e., MailItemsAccessed events).

However, these logging capabilities (specifically MailItemsAccessed events with unexpected ClientAppID and AppID) were only available to customers with Microsoft's Purview Audit (Premium) logging licenses. This led to widespread industry criticism of Redmond for hindering organizations from promptly detecting Storm-0558's attacks.

Months after the breach, State Department officials revealed that the Chinese hackers stole over 60,000 emails from department officials' Outlook accounts after breaching Microsoft's cloud-based Exchange Online email platform.