Nation-state-sponsored hacking stories are a big part of everyone’s favourite Hollywood movies — that is, until they become a real-life story of our own compromised personal or corporate data ending up on the dark web or in attackers’ hands. In real life, the activities of cyber espionage groups trigger stricter security enforcement: first in the government sector, and then, as government standards slowly shift, they dictate industry norms by gently forcing vendors who also sell into government contracts to follow suit.
This is the case with the recently announced Microsoft Expanded Cloud Logs Implementation Playbook, issued by the US Cybersecurity and Infrastructure Security Agency (CISA). It all started in July 2023, when the Chinese cyber espionage group Storm-0558 exploited a vulnerability in Microsoft’s Outlook email system to gain unauthorised access to email accounts belonging to U.S. government agencies and other organisations. The attackers bypassed security measures by using a stolen Microsoft security key to forge authentication tokens. In fact, most attacks use Business Email Compromise (BEC) as their entry point. Why? Because it works.
Among other changes, the fallout in 2023 led Microsoft to expand free logging capabilities for all Purview Audit Standard users. Now, recognising the need to strengthen defences further, CISA has emphasised the transformative potential of Microsoft’s expanded cloud logs for proactive threat detection and provided guidance in the playbook.
Introducing Microsoft’s expanded cloud logs in Microsoft Purview
Microsoft teamed up with CISA in October 2023 to work through the details and eventually produced guidance for government agencies and enterprises on using cloud logs and extending cloud log data sources. Microsoft Purview Audit has now raised the bar with its expanded logging capabilities, allowing organisations to monitor thousands of events across Exchange, SharePoint and Teams. These newly added logs provide deeper insight into user and admin activity. The idea was originally recommended by CISA as a way to mitigate advanced intrusion techniques.
Without collecting and utilising Microsoft’s newly added logs, organisations would miss an opportunity to see what is happening in the “blind spots” of their IT systems.
The following log types can be collected:
- Microsoft Exchange audit logs
- Microsoft SharePoint audit logs
- Microsoft Teams audit logs
- Microsoft Viva Engage audit logs
- Microsoft Stream audit logs
Challenges in operationalising the new log data
Challenges with data volume
As with every log type, collecting, processing, normalising and shipping cloud logs is not without its challenges. Organisations may face notable difficulties when trying to operationalise these logs. Without an effective solution, they risk being overwhelmed by the sheer volume of audit events, incurring high storage costs, and struggling to filter the data down to usable, actionable insights.
Adapting existing SIEMs
SIEM configurations must be adapted to process and display the newly available events and to trigger alerts on them. Without these logs, organisations lack real-time alerts for incidents and the ability to trace problems back to their source. Don’t forget: SIEMs are optimised for analytics, but analytics can only be as good as the data sources feeding them. Failing to incorporate essential data sources leads to incomplete and unreliable analytics.
Filtering relevant data
CISA’s Microsoft Expanded Cloud Logs Implementation Playbook covers Splunk and Microsoft’s own SIEM offering, Microsoft Sentinel. It explains how to use these logs, which eases the task for organisations running those SIEM technologies. Yet the playbook does not solve the problem for many other organisations, which must seek alternative solutions themselves.
The effort required to adapt existing configurations and systems to handle and extract value from the newly available log events can be overwhelming. Without an accurate understanding of the new log data and appropriate tooling, IT resources, both financial and human, can be exhausted.
Tackling the challenges with Microsoft’s expanded cloud logs
What about those outside of the Microsoft Sentinel and Splunk SIEM ecosystems?
If your organisation uses Microsoft Sentinel or Splunk, you may already have support for these logs — but the reality is often more complex. These are just two of many SIEM solutions available, and most organisations still need to find ways to add these additional data sources and extract meaningful value from their log data.
Every organisation eventually needs to handle logs effectively, requiring a solution tailored to their requirements.
These challenges underline the need for a solution beyond the capabilities of native SIEM integrations. This is where a multi-platform logging solution comes into play. Organisations need the widest possible data source coverage – from legacy systems through BEC data to cloud apps – and tooling that simplifies collecting, filtering and normalising logs from Microsoft technologies, helping them get the most out of cloud logs.
Real-world benefits of a cross-platform logging platform
A solution with advanced log collection and seamless processing can help organisations efficiently correlate events across Microsoft 365 and beyond, regardless of their preferred SIEM. This enables faster identification of unauthorised email access, unusual searches and potential insider threats. Such a proactive approach safeguards organisations against advanced cyber threats and can help with compliance with regulatory requirements.
For example, imagine a mid-sized enterprise facing a sudden spike in phishing attempts. Using a cross-platform logging solution, it can collect and process Microsoft Purview Audit logs to identify unusual email access patterns and flag a potential breach in near real time. This could prevent further damage and strengthen the overall security posture.
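As an added illustration of the two steps described above (filtering the high-volume audit stream down to relevant events, then flagging unusual email access), here is a small Python triage written for this article; it is not code from the article, from CISA’s playbook or from Microsoft. MailItemsAccessed and SearchQueryInitiatedExchange are real Exchange audit operation names; the record fields, sample IPs and per-user baseline are constructed assumptions.

```python
import json
from collections import defaultdict

# Operations kept by the triage; everything else is dropped to control volume.
# Both are real Exchange mailbox-audit operation names; the record field names
# used below (Operation, UserId, ClientIP, Workload) assume the Unified Audit Log shape.
RELEVANT_OPS = {"MailItemsAccessed", "SearchQueryInitiatedExchange"}


def _rec(time, op, user, ip, workload="Exchange"):
    """One constructed JSON audit record (sample data, not real telemetry)."""
    return json.dumps({"CreationTime": time, "Operation": op, "UserId": user,
                       "ClientIP": ip, "Workload": workload})


SAMPLE_RECORDS = [
    _rec("2025-01-10T08:01:00", "MailItemsAccessed", "alice@example.com", "203.0.113.10"),
    _rec("2025-01-10T08:02:00", "FileAccessed", "alice@example.com", "203.0.113.10", "SharePoint"),
    _rec("2025-01-10T08:05:00", "MailItemsAccessed", "bob@example.com", "203.0.113.11"),
    _rec("2025-01-10T03:15:00", "MailItemsAccessed", "alice@example.com", "198.51.100.7"),
    _rec("2025-01-10T03:16:00", "MailItemsAccessed", "bob@example.com", "198.51.100.7"),
    _rec("2025-01-10T03:17:00", "SearchQueryInitiatedExchange", "bob@example.com", "198.51.100.7"),
]

# Constructed per-user baseline of known client IPs; in practice this would be
# learned from a trailing window of the same audit logs.
BASELINE_IPS = {"alice@example.com": {"203.0.113.10"}, "bob@example.com": {"203.0.113.11"}}


def filter_relevant(lines):
    """Parse JSON-lines audit records, keeping only Exchange operations worth alerting on."""
    kept = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("Workload") == "Exchange" and rec.get("Operation") in RELEVANT_OPS:
            kept.append(rec)
    return kept


def flag_unusual_access(records, baseline, shared_ip_threshold=2):
    """Alert on access from an IP outside the user's baseline, and on one IP reading several mailboxes."""
    alerts = []
    mailboxes_per_ip = defaultdict(set)
    for rec in records:
        user, ip = rec["UserId"], rec["ClientIP"]
        if rec["Operation"] == "MailItemsAccessed":
            mailboxes_per_ip[ip].add(user)
        if ip not in baseline.get(user, set()):
            alerts.append(("new_client_ip", user, ip, rec["Operation"]))
    for ip, users in sorted(mailboxes_per_ip.items()):
        if len(users) >= shared_ip_threshold:
            alerts.append(("ip_spans_mailboxes", ip, len(users)))
    return alerts
```

On the sample data the SharePoint record is dropped, the three off-hours events from 198.51.100.7 are flagged as new client IPs, and that IP is also flagged for touching two mailboxes.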
Although CISA acknowledges that, for now, implementation may be somewhat costly for small and mid-sized organisations, these recommendations are likely to become mandatory requirements over time. Requirements change, and there will always be new log sources in an organisation’s IT security journey. By adopting this approach, organisations can stay ahead of the curve.
Conclusion
CISA’s latest guidance, combined with Microsoft’s expanded logging features, marks a significant step forward in addressing cybersecurity challenges. Integrating these logs with a cross-platform logging solution helps organisations stay proactive against evolving threats while maintaining strong compliance and closing the security gaps that would otherwise leave an organisation vulnerable to cyberattacks.