The Cybersecurity and Infrastructure Security Agency (CISA) has released detailed guidance for using Microsoft 365's expanded logging capabilities, giving U.S. agencies and enterprises new telemetry for detecting breaches that target cloud services.
The new capabilities, part of Microsoft Purview Audit (Standard), provide access to a wealth of critical event data, including email activity, user searches, and mailbox access within Exchange Online and SharePoint Online. These logs allow organizations to monitor thousands of user and admin operations across multiple Microsoft services, helping detect and address business email compromise (BEC), nation-state threats, and insider risks.
“These logs provide new telemetry to enhance threat-hunting capabilities for business email compromise (BEC), advanced nation-state threat activities, and possible insider-risk scenarios,” CISA noted in its announcement.
The "Microsoft Expanded Cloud Logs Implementation Playbook"
CISA's 60-page playbook offers comprehensive guidance for navigating these enhanced logs, providing actionable steps for ingesting the log data into security tools such as Microsoft Sentinel and Splunk. With the logs in a SIEM, organizations can more effectively identify and respond to malicious activity targeting their cloud environments.
This initiative follows significant criticism of Microsoft's prior logging policies. After the 2023 Exchange Online breach attributed to the China-based threat actor Microsoft tracks as Storm-0558, Microsoft faced backlash for limiting advanced logging capabilities to its Purview Audit (Premium) customers. In that breach the attackers used a stolen Microsoft account (MSA) consumer signing key to forge authentication tokens and read the mailboxes of senior government officials, compromising over 60,000 messages across multiple departments.
The breach exposed gaps in logging availability, as key telemetry—like MailItemsAccessed events, which record which messages a session read—was only available to Premium customers. Many organizations therefore had no way to detect a similar intrusion promptly. Under pressure from CISA and industry leaders, Microsoft responded by making the expanded logging capabilities available to Purview Audit (Standard) users with E3/G3 licenses and above.
The Importance of Enhanced Logging
Botond Botyánszki, founder and CTO at NXLog, emphasized the importance of accurate log collection in mitigating cloud-based threats: “Compromised business email accounts remain the most common type of security breaches, underscoring the need for accurate and timely log collection and processing. Audit logs of relevant events — such as email activity, mailbox access, and user searches in Exchange Online and SharePoint Online — are vital for investigating potential intrusions, and continuous monitoring can help detect and prevent breaches before it's too late.”
Botyánszki also praised the release of CISA’s playbook as a pivotal step in strengthening defenses: “The release of the Microsoft Expanded Cloud Logs Implementation Playbook is a significant step forward in enhancing organizational security posture. The playbook empowers organizations to detect and respond to potential intruders targeting M365 more effectively, aligning with modern cybersecurity needs.”
Enhancing Visibility Across the Cloud Ecosystem
The expanded logs now include a range of critical events, recorded in the unified audit log under the following operation names:
Email items accessed (MailItemsAccessed)
Emails sent (Send)
User searches in SharePoint and OneDrive (SearchQueryInitiatedSharePoint)
User searches in Exchange Online (SearchQueryInitiatedExchange)
These logs allow security teams to identify unauthorized data access, track potential exfiltration of sensitive information, and detect unusual searches for critical files. Integration with SIEM platforms like Sentinel and Splunk ensures that these logs are actionable, enabling advanced threat-hunting and incident response capabilities.
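To make the hunting use case concrete, here is an added example (not from CISA's playbook, Microsoft, or NXLog) that runs three simple detections over the events listed above. The log lines are constructed; their field names follow the Office 365 Management Activity API AuditData schema as I understand it (ClientIPAddress, LogonType, OperationProperties with MailAccessType and IsThrottled, Folders/FolderItems, QueryText), which is an assumption you should check against your own exported records. The known-IP allow-list and the rule names are also my own.

```python
"""Hunt over Microsoft 365 unified audit log records for the expanded
Purview Audit (Standard) events: MailItemsAccessed, Send and
SearchQueryInitiatedExchange.

Added example, not code from the CISA playbook. Field names are assumed
from the Office 365 Management Activity API AuditData schema; the records
and the allow-list are constructed for illustration.
"""
import json
from collections import defaultdict

# Constructed sample: one AuditData JSON document per line, the shape you get
# from Search-UnifiedAuditLog or a Sentinel OfficeActivity export.
SAMPLE_LOG = r"""
{"CreationTime":"2024-06-03T08:02:11","Operation":"MailItemsAccessed","Workload":"Exchange","UserId":"alice@example.com","ClientIPAddress":"203.0.113.10","LogonType":0,"OperationProperties":[{"Name":"MailAccessType","Value":"Bind"},{"Name":"IsThrottled","Value":"False"}],"Folders":[{"Path":"\\Inbox","FolderItems":[{"InternetMessageId":"<a1@example.com>"},{"InternetMessageId":"<a2@example.com>"}]}]}
{"CreationTime":"2024-06-03T09:14:52","Operation":"MailItemsAccessed","Workload":"Exchange","UserId":"alice@example.com","ClientIPAddress":"198.51.100.77","LogonType":0,"OperationProperties":[{"Name":"MailAccessType","Value":"Sync"},{"Name":"IsThrottled","Value":"False"}],"Folders":[{"Path":"\\Inbox","FolderItems":[{"InternetMessageId":"<b1@example.com>"},{"InternetMessageId":"<b2@example.com>"},{"InternetMessageId":"<b3@example.com>"}]},{"Path":"\\Sent Items","FolderItems":[{"InternetMessageId":"<s1@example.com>"},{"InternetMessageId":"<s2@example.com>"}]}]}
{"CreationTime":"2024-06-03T09:16:03","Operation":"SearchQueryInitiatedExchange","Workload":"Exchange","UserId":"alice@example.com","ClientIP":"198.51.100.77","QueryText":"password reset"}
{"CreationTime":"2024-06-03T09:20:41","Operation":"Send","Workload":"Exchange","UserId":"alice@example.com","ClientIPAddress":"198.51.100.77","LogonType":0,"Item":{"Subject":"Re: invoice","ParentFolder":{"Path":"\\Drafts"}}}
{"CreationTime":"2024-06-03T09:31:09","Operation":"MailItemsAccessed","Workload":"Exchange","UserId":"alice@example.com","ClientIPAddress":"198.51.100.77","LogonType":0,"OperationProperties":[{"Name":"MailAccessType","Value":"Bind"},{"Name":"IsThrottled","Value":"True"}],"Folders":[{"Path":"\\Inbox","FolderItems":[{"InternetMessageId":"<c1@example.com>"}]}]}
{"CreationTime":"2024-06-03T10:05:30","Operation":"MailItemsAccessed","Workload":"Exchange","UserId":"bob@example.com","ClientIPAddress":"203.0.113.10","LogonType":0,"OperationProperties":[{"Name":"MailAccessType","Value":"Bind"},{"Name":"IsThrottled","Value":"False"}],"Folders":[{"Path":"\\Inbox","FolderItems":[{"InternetMessageId":"<d1@example.com>"}]}]}
"""

# Assumed allow-list of egress IPs the organisation recognises (hypothetical).
KNOWN_IPS = {"203.0.113.10"}


def parse_records(text):
    """Parse one AuditData JSON document per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def op_property(record, name, default=None):
    """Read a named entry from the OperationProperties list."""
    for prop in record.get("OperationProperties", []):
        if prop.get("Name") == name:
            return prop.get("Value", default)
    return default


def items_accessed(record):
    """Number of messages a MailItemsAccessed record covers, across all folders."""
    return sum(len(f.get("FolderItems", [])) for f in record.get("Folders", []))


def client_ip(record):
    """Mailbox events carry ClientIPAddress; other workloads use ClientIP."""
    return record.get("ClientIPAddress") or record.get("ClientIP")


def hunt(records, known_ips):
    """Group events into (user, source IP) sessions and apply three rules."""
    findings = []
    sessions = defaultdict(list)
    for r in records:
        sessions[(r["UserId"], client_ip(r))].append(r)

    for (user, ip), recs in sessions.items():
        ops = {r["Operation"] for r in recs}

        # Rule 1: IsThrottled=True means Exchange Online stopped writing
        # MailItemsAccessed for this mailbox (more than 1,000 records in 24h),
        # so the audit trail is incomplete and the gap itself needs a ticket.
        if any(r["Operation"] == "MailItemsAccessed"
               and op_property(r, "IsThrottled") == "True" for r in recs):
            findings.append({"rule": "mailitemsaccessed_throttled",
                             "user": user, "ip": ip})

        if ip in known_ips:
            continue

        # Rule 2: Sync access (a client pulling whole folders) from an IP the
        # organisation does not recognise is a classic mailbox-download sign.
        synced = [r for r in recs if r["Operation"] == "MailItemsAccessed"
                  and op_property(r, "MailAccessType") == "Sync"]
        if synced:
            findings.append({"rule": "sync_from_unknown_ip", "user": user,
                             "ip": ip,
                             "items": sum(items_accessed(r) for r in synced)})

        # Rule 3: a mailbox search followed by a Send from the same unknown IP
        # matches the BEC pattern of hunting for invoices/credentials, then
        # replying from the victim's account.
        if "SearchQueryInitiatedExchange" in ops and "Send" in ops:
            queries = [r.get("QueryText") for r in recs
                       if r["Operation"] == "SearchQueryInitiatedExchange"]
            findings.append({"rule": "search_then_send_from_unknown_ip",
                             "user": user, "ip": ip, "queries": queries})
    return findings


if __name__ == "__main__":
    for finding in hunt(parse_records(SAMPLE_LOG), KNOWN_IPS):
        print(finding)
```

Run against the constructed sample, the script produces three findings, all for alice@example.com from 198.51.100.77: the throttling gap, the five-message Sync pull, and the search-then-send sequence; bob's ordinary Bind access from a known IP produces nothing. In production the same grouping is a few lines of KQL over OfficeActivity in Sentinel or SPL in Splunk; the point of the Python is to show what each event contributes before you commit to a query language.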
A Collective Push for Stronger Cybersecurity
The 2023 breach underscored the pressing need for enhanced visibility in cloud environments. By democratizing access to critical logging data and providing actionable guidance, CISA and Microsoft aim to close the gap between advanced threats and an organization’s ability to detect and mitigate them.
As Botyánszki noted, “This initiative underscores the importance of robust log management practices in a cloud-first world, empowering organizations to defend against advanced intrusion tactics effectively.”
The new guidance from CISA and Microsoft marks a step forward in equipping enterprises and government agencies with the tools needed to navigate an increasingly complex threat landscape, ensuring better protection for sensitive data and critical operations in the cloud.