
Enhancing Security with Microsoft’s Expanded Cloud Logs


Botond Botyánszki, the Founder, CEO, and CTO at NXLog, examines how Microsoft’s expanded cloud logs can help companies enhance their security. This article originally appeared in Insight Jam, an enterprise IT community that enables human conversation on AI.

Nation-state-sponsored hacking stories are a big part of everyone’s favorite Hollywood movies. That is, until it becomes a real-life story of our compromised personal or corporate sensitive data ending up on the dark web or in hackers’ hands. In real life, the activities of cyber espionage groups trigger stricter security enforcement. It starts in the government sector: government standards slowly shift and end up dictating industry norms, because vendors that want to sell into government contracts must comply with them.

This is the case with the recently announced Microsoft Expanded Cloud Logs Implementation Playbook, issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). It all started in July 2023, when the Chinese cyber espionage group Storm-0558 exploited a vulnerability in Microsoft’s Outlook email system to gain unauthorized access to email accounts belonging to U.S. government agencies and other organizations. The attackers bypassed security measures by using a stolen Microsoft security key to forge authentication tokens. In fact, most attacks use BEC (Business Email Compromise) as a successful entry point in their attack chains. Why? Because it works.

The fallout in 2023 resulted in Microsoft expanding free logging capabilities for all Purview Audit Standard users, among other changes. Now, realizing the necessity for further strengthening defenses, CISA has emphasized the transformative potential of Microsoft’s expanded cloud logs for proactive threat detection and provided guidance in the playbook.

Introducing Microsoft’s Expanded Cloud Logs in Microsoft Purview

Microsoft teamed up with CISA in October 2023 to work through the details and eventually produced guidance for government agencies and enterprises on using cloud logs and extending cloud log data sources. Microsoft Purview Audit has now raised the bar with its expanded logging capabilities, empowering organizations to monitor thousands of events across Exchange, SharePoint, and Teams. These newly added logs provide deeper insights into user and admin activities. The idea originated with CISA, which recommended the additional logs as a way to detect advanced intrusion techniques.

Without collecting and utilizing Microsoft’s newly added logs, organizations would miss an opportunity to see what is happening in their IT systems’ “blind spots.”

These are the types of logs you would be able to collect:

  • Microsoft Exchange audit logs
  • Microsoft SharePoint audit logs
  • Microsoft Teams audit logs
  • Microsoft Viva Engage audit logs
  • Microsoft Stream audit logs

Challenges in Operationalizing the New Log Data

Challenges with data volume

As with every log type, collecting, processing, normalizing, and shipping cloud logs are not without challenges. Organizations may face notable challenges when trying to operationalize these logs. Without an effective solution, they risk being overwhelmed by the sheer volume of audit events, incurring high storage costs, and struggling to filter relevant data for usable and actionable insights.

Adaptation with existing SIEMs

The need to adapt the SIEM configurations appropriately to process, display data, and trigger alerts based on the newly available logged events is critical. Without logs on security issues, organizations lack real-time alerts for incidents and the ability to trace problems back to their source. Don’t forget: SIEMs are optimized for analytics, but analytics can only be as good as the data sources provided. Failing to incorporate essential data sources leads to incomplete and unreliable analytics.

Filtering relevant data

CISA’s playbook, the Microsoft Expanded Cloud Logs Implementation Playbook, covers Splunk and Microsoft’s own SIEM offering, Microsoft Sentinel. It explains how to use these logs, which eases the work for organizations running those two SIEMs. Yet the playbook does not solve the problem for many other organizations, which must find solutions themselves.

The effort required to adapt existing configurations and systems to handle and extract value from the newly available log events can be overwhelming. Without an accurate understanding of the new log data and appropriate tooling, financial and human IT resources can be exhausted.

Tackling the Challenges with Microsoft’s Expanded Cloud Logs

What about those outside of the Microsoft Sentinel and Splunk SIEM ecosystems?

If your organization uses Microsoft Sentinel or Splunk, you may already have support for these logs, but the reality is often more complex. These are just two of many SIEM solutions available, and most organizations still need to find ways to add these additional data sources and extract meaningful value from their log data. Every organization eventually needs to handle logs effectively, requiring a solution tailored to its requirements.

These challenges underline the need for a solution beyond the capabilities of native SIEM integrations. This is where a multi-platform logging solution can come into play. Organizations need the widest data source collection capabilities—from legacy systems through BEC data to cloud apps—that can simplify collecting, filtering, and normalizing logs from Microsoft technologies, helping them get the most out of cloud logs.

Real-World Benefits of a Cross-Platform Logging Platform

A solution with advanced log collection and seamless processing can help organizations efficiently correlate events across Microsoft 365 and beyond, regardless of their preferred SIEM solution. This empowers faster identification of unauthorized email access, unusual searches, and potential insider threats. This proactive approach safeguards organizations against advanced cyber threats and can help when it comes to compliance with regulatory requirements.

For example, imagine a mid-sized enterprise dealing with a sudden spike in phishing attempts. With a cross-platform logging platform, it can collect and process Microsoft Purview Audit logs to identify unusual email access patterns and flag a potential security breach in near real time. This proactive approach could prevent further damage and strengthen the organization’s overall security posture.
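The two practical points above, cutting the audit volume down to the relevant Exchange events (the data-volume challenge) and then flagging mailbox reads from unexpected client IPs, can be shown on a handful of audit records. This is an added example, not code from the article or from NXLog; the sample records are constructed, their field names follow the common Purview audit record layout (CreationTime, Operation, UserId, ClientIP, Workload), and the per-user IP baseline is an assumed input that a real deployment would derive from historical logs.

```python
import json
from collections import defaultdict

# Constructed sample audit records (not real data). Field names follow the common
# Purview / Office 365 audit record layout; MailItemsAccessed and
# SearchQueryInitiatedExchange are operation names from the expanded Exchange logs.
SAMPLE_LOG = """\
{"CreationTime":"2024-03-01T08:02:11","Operation":"MailItemsAccessed","UserId":"alice@example.com","ClientIP":"203.0.113.10","Workload":"Exchange"}
{"CreationTime":"2024-03-01T08:05:40","Operation":"MailItemsAccessed","UserId":"alice@example.com","ClientIP":"198.51.100.7","Workload":"Exchange"}
{"CreationTime":"2024-03-01T08:06:02","Operation":"MailItemsAccessed","UserId":"alice@example.com","ClientIP":"192.0.2.44","Workload":"Exchange"}
{"CreationTime":"2024-03-01T08:07:13","Operation":"SearchQueryInitiatedExchange","UserId":"alice@example.com","ClientIP":"192.0.2.44","Workload":"Exchange"}
{"CreationTime":"2024-03-01T09:10:00","Operation":"MailItemsAccessed","UserId":"bob@example.com","ClientIP":"203.0.113.10","Workload":"Exchange"}
{"CreationTime":"2024-03-01T09:12:30","Operation":"FileAccessed","UserId":"bob@example.com","ClientIP":"203.0.113.10","Workload":"SharePoint"}
"""

# Assumed per-user baseline of client IPs seen in normal use (constructed for the example).
BASELINE_IPS = {"alice@example.com": {"203.0.113.10"}, "bob@example.com": {"203.0.113.10"}}

RELEVANT_OPS = {"MailItemsAccessed", "SearchQueryInitiatedExchange"}


def parse_records(text):
    """Parse newline-delimited JSON audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def filter_relevant(records, operations=RELEVANT_OPS):
    """Volume control: forward only the Exchange operations the detection needs."""
    return [r for r in records
            if r.get("Workload") == "Exchange" and r.get("Operation") in operations]


def flag_unusual_mail_access(records, baseline):
    """Per user, report mailbox reads from client IPs outside the baseline and
    whether a mailbox search was also run from one of those IPs."""
    new_ips = defaultdict(set)
    for r in records:
        if r.get("Operation") == "MailItemsAccessed" and r.get("ClientIP"):
            if r["ClientIP"] not in baseline.get(r["UserId"], set()):
                new_ips[r["UserId"]].add(r["ClientIP"])
    findings = {}
    for user, ips in new_ips.items():
        searched = any(r.get("Operation") == "SearchQueryInitiatedExchange"
                       and r.get("UserId") == user and r.get("ClientIP") in ips
                       for r in records)
        findings[user] = {"new_ips": sorted(ips), "search_from_new_ip": searched}
    return findings


if __name__ == "__main__":
    relevant = filter_relevant(parse_records(SAMPLE_LOG))
    print(f"{len(relevant)} relevant records kept out of {len(parse_records(SAMPLE_LOG))}")
    for user, f in flag_unusual_mail_access(relevant, BASELINE_IPS).items():
        print(f"{user}: mailbox read from {f['new_ips']}, search from new IP: {f['search_from_new_ip']}")
```

On the sample, the SharePoint event is dropped before it reaches the SIEM, and alice is flagged because her mailbox was read, and then searched, from two IPs outside her baseline while bob is not.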

Although CISA acknowledges that the implementation might be somewhat costly for small and mid-size organizations, it is likely that over time these recommendations will become mandatory requirements; expectations keep changing. There will always be new log sources in an organization’s IT security journey. Therefore, organizations can stay ahead of the curve by adopting this approach now.

Conclusion

CISA’s latest guidance, combined with Microsoft’s expanded logging features, marks a significant advancement in addressing cybersecurity challenges. Integrating these logs with a cross-platform logging solution helps organizations stay proactive against evolving threats while maintaining strong compliance and eliminating security gaps that otherwise make an organization vulnerable to cyber-attacks.
