CISA shared guidance for government agencies and enterprises on using expanded cloud logs in their Microsoft 365 tenants as part of their forensic and compliance investigations.
As the cybersecurity agency explained, these newly released Microsoft Purview Audit (Standard) logging capabilities support enterprise cybersecurity operations by providing access to data on critical events such as mail sent, mail accessed, and user searches in Exchange Online and SharePoint Online.
"These capabilities also allow organizations to monitor and analyze thousands of user and admin operations performed in dozens of Microsoft services and solutions," CISA said on Wednesday.
"These logs provide new telemetry to improve threat-hunting capabilities for business email compromise (BEC), advanced nation-state threat activities, and possible insider-risk scenarios," the agency added.
The 60-page playbook published today also includes guidance on navigating the expanded logs within Microsoft 365 and ingesting them into Microsoft Sentinel and Splunk SIEM (Security Information and Event Management) systems.
Logs expanded after 2023 Exchange Online breach
Microsoft expanded free logging capabilities for all Purview Audit Standard customers (with E3/G3 licenses and above) under pressure from CISA after disclosing in July 2023 that a Chinese hacking group tracked as Storm-0558 stole emails belonging to senior government officials from the State and Commerce departments in an Exchange Online breach between May and June 2023.
The threat actors used a Microsoft account (MSA) key stolen from a Windows crash dump in April 2021 to forge authentication tokens, which gave them access to targeted email accounts via Outlook.com and Outlook Web Access (OWA) in Exchange Online.
While the attackers mostly evaded detection, the State Department's Security Operations Center (SOC) detected the malicious activity using an "in-house detection tool" with access to enhanced cloud logging (i.e., MailItemsAccessed events).
However, these logging capabilities (specifically MailItemsAccessed events with unexpected ClientAppID and AppID) were only available to customers with Microsoft's Purview Audit (Premium) logging licenses. This led to widespread industry criticism of Redmond for hindering organizations from promptly detecting Storm-0558's attacks.
Months after the breach, State Department officials revealed that the Chinese hackers stole over 60,000 emails from department officials' Outlook accounts after breaching Microsoft's cloud-based Exchange Online email platform.
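The detection pattern the State Department's SOC relied on, MailItemsAccessed records carrying an AppId or ClientAppId the tenant does not normally see, is simple to express once the audit log is exported. The script below is an added illustration and is not code from CISA's playbook or from Microsoft; the field names follow the Microsoft 365 Unified Audit Log record schema as I understand it (Operation, UserId, AppId, ClientAppId, ClientIPAddress, MailAccessType, OperationCount), the allowlist of expected application IDs is a hypothetical baseline a tenant would derive from its own logs, and every GUID, user and IP in the sample is constructed. It groups unexpected access by mailbox and application, sums the items touched, and ranks unknown apps by how many distinct mailboxes they read, which is the signal that separates one user's odd client from a single forged-token actor sweeping many inboxes.

```python
"""Hunt for MailItemsAccessed records whose application identity is missing or
not on the tenant's allowlist. Added example, not CISA's or Microsoft's code;
field names follow the Unified Audit Log schema as assumed, all data is constructed."""
import json
from collections import defaultdict

# Hypothetical allowlist of (AppId, ClientAppId) pairs expected to touch mailboxes.
# A real tenant would baseline this from weeks of its own MailItemsAccessed records.
KNOWN_APPS = {
    ("11111111-aaaa-4aaa-8aaa-111111111111", "11111111-aaaa-4aaa-8aaa-111111111111"),  # constructed "web mail client"
    ("22222222-bbbb-4bbb-8bbb-222222222222", "33333333-cccc-4ccc-8ccc-333333333333"),  # constructed "desktop mail client"
}

# Constructed audit-log export, one JSON record per line (values are not real).
SAMPLE_LOG = """\
{"CreationTime":"2023-06-15T09:12:03","Operation":"MailItemsAccessed","UserId":"alice@example.gov","AppId":"11111111-aaaa-4aaa-8aaa-111111111111","ClientAppId":"11111111-aaaa-4aaa-8aaa-111111111111","ClientIPAddress":"203.0.113.10","MailAccessType":"Bind","OperationCount":12}
{"CreationTime":"2023-06-15T09:14:41","Operation":"MailItemsAccessed","UserId":"alice@example.gov","AppId":"99999999-0000-4000-8000-999999999999","ClientAppId":"99999999-0000-4000-8000-999999999999","ClientIPAddress":"198.51.100.7","MailAccessType":"Sync","OperationCount":340}
{"CreationTime":"2023-06-15T09:20:00","Operation":"MailItemsAccessed","UserId":"bob@example.gov","AppId":"22222222-bbbb-4bbb-8bbb-222222222222","ClientAppId":"33333333-cccc-4ccc-8ccc-333333333333","ClientIPAddress":"203.0.113.11","MailAccessType":"Bind","OperationCount":3}
{"CreationTime":"2023-06-15T09:21:17","Operation":"SendAs","UserId":"bob@example.gov","AppId":"22222222-bbbb-4bbb-8bbb-222222222222","ClientAppId":"33333333-cccc-4ccc-8ccc-333333333333"}
{"CreationTime":"2023-06-15T09:25:55","Operation":"MailItemsAccessed","UserId":"bob@example.gov","AppId":"99999999-0000-4000-8000-999999999999","ClientAppId":"99999999-0000-4000-8000-999999999999","ClientIPAddress":"198.51.100.7","MailAccessType":"Sync","OperationCount":85}
{"CreationTime":"2023-06-15T09:30:02","Operation":"MailItemsAccessed","UserId":"carol@example.gov","ClientIPAddress":"203.0.113.12","MailAccessType":"Bind","OperationCount":1}
"""


def parse_records(text):
    """Parse a JSON-lines export; skip blank or malformed lines rather than abort the hunt."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def find_unexpected_mail_access(records, known_apps=KNOWN_APPS):
    """Summarise MailItemsAccessed records whose (AppId, ClientAppId) is absent or not allowlisted.

    Records with no app identity at all are reported, not dropped: a missing AppId is
    itself something an analyst should look at. Results are sorted by (user, app, client app).
    """
    totals = defaultdict(lambda: {"records": 0, "items": 0, "ips": set(), "types": set()})
    for rec in records:
        if rec.get("Operation") != "MailItemsAccessed":
            continue  # SendAs, Update, etc. are out of scope for this hunt
        app_id = rec.get("AppId", "")
        client_app_id = rec.get("ClientAppId", "")
        if (app_id, client_app_id) in known_apps:
            continue
        key = (rec.get("UserId", "?"), app_id or "<missing>", client_app_id or "<missing>")
        entry = totals[key]
        entry["records"] += 1
        entry["items"] += int(rec.get("OperationCount", 0))  # mail items touched by this record
        if rec.get("ClientIPAddress"):
            entry["ips"].add(rec["ClientIPAddress"])
        if rec.get("MailAccessType"):
            entry["types"].add(rec["MailAccessType"])  # Bind = individual reads, Sync = bulk download
    return [
        {
            "user": user,
            "app_id": app_id,
            "client_app_id": client_app_id,
            "records": e["records"],
            "items_accessed": e["items"],
            "source_ips": sorted(e["ips"]),
            "access_types": sorted(e["types"]),
        }
        for (user, app_id, client_app_id), e in sorted(totals.items())
    ]


def unknown_apps_by_mailbox_count(findings):
    """Map each unexpected (AppId, ClientAppId) to the number of distinct mailboxes it read.
    One unknown app touching many mailboxes is the higher-priority lead."""
    users = defaultdict(set)
    for f in findings:
        users[(f["app_id"], f["client_app_id"])].add(f["user"])
    return {app: len(u) for app, u in users.items()}


if __name__ == "__main__":
    found = find_unexpected_mail_access(parse_records(SAMPLE_LOG))
    for f in found:
        print(f"{f['user']}: app={f['app_id']} client={f['client_app_id']} "
              f"items={f['items_accessed']} ips={f['source_ips']} types={f['access_types']}")
    print(unknown_apps_by_mailbox_count(found))
```

On the constructed sample the allowlisted web and desktop clients drop out, the SendAs record is ignored, and the hunt returns three leads: the same unknown application syncing both alice's and bob's mailboxes from one IP (the pattern worth escalating), and a record for carol with no app identity at all. The same grouping translates directly into a Sentinel KQL or Splunk SPL search once the logs are ingested as the playbook describes.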