Microsoft is expanding access to additional cloud logging data for customers worldwide at no additional cost, enabling easier detection of hacked networks and accounts.
This greater availability comes after Chinese hackers stole a Microsoft signing key which allowed them to breach corporate and government Microsoft Exchange and Microsoft 365 accounts to steal emails.
While we still don’t know how the key was stolen, the US government, which was the first to detect these attacks, used Microsoft’s advanced logging data to detect intrusions and report them to Microsoft.
Historically, these advanced logging features were not available to all Microsoft customers, only to those who paid for licenses for Microsoft Purview Audit (Premium) logging functionality.
For this reason, Microsoft has been widely criticized for not providing this additional logging data for free so organizations can detect advanced attacks early.
“While vendors can offer broader access to logging at specific cloud license levels, this approach makes it more difficult to investigate intrusions,” explains Eric Goldstein, CISA’s Executive Assistant Director for Cybersecurity.
“Asking organizations to pay more for necessary logging is a recipe for insufficient visibility in cybersecurity incident investigations and can allow adversaries to have dangerous levels of success targeting US organizations.”
Advanced logging for everyone
Today, the United States Cybersecurity and Infrastructure Security Agency, better known as CISA, announced that it is working with Microsoft to identify critical logging data points that should be included free of charge for all Microsoft customers.
As a result of these discussions, and likely the recent attacks, Microsoft says it is expanding access to premium cloud logging for free to all customers, and more will be available in September 2023.
“Today, we are expanding the accessibility and flexibility of Microsoft cloud logging even further. Over the next few months, we will include access to broader cloud security logs for our customers around the world at no additional cost,” Microsoft said in a statement.
“As these changes take effect, customers can use Microsoft Purview Audit to centrally view more types of cloud log data generated across their enterprise.”
To access this data, Microsoft customers can use Microsoft Purview Audit (Standard) to see detailed email access logs and 30 other data points previously only available to licensed customers.
Microsoft says it is also increasing the default retention period for Audit Standard customers from 90 to 180 days, allowing customers better historical access to data during incident response investigations.
However, that doesn’t mean Microsoft Purview Audit (Premium) is going away, with licensed users still getting better access to data, better access to APIs, and access to Microsoft’s Intelligent Insights smart forensics tool.
BleepingComputer has reached out to Microsoft to learn more about the new data that will be freely available and will update the article if we get a response.
CISA and the FBI also published a guide on monitoring and detecting APT activity targeting Outlook Online, suggested reading for all security and email administrators.