Microsoft

Microsoft is expanding access to additional cloud logging data for customers worldwide at no additional cost, allowing easier detection of breached networks and accounts.

This wider availability comes after Chinese hackers stole a Microsoft signing key that allowed them to breach corporate and government Microsoft Exchange and Microsoft 365 accounts to steal email.

While it is still unknown how the key was stolen, the US government, who first detected these attacks, used Microsoft's advanced logging data to detect the intrusions and report them to Microsoft.

Historically, these advanced logging capabilities were not available to all Microsoft customers but only to those who paid for licenses to Microsoft's Purview Audit (Premium) logging feature.

Due to this, Microsoft was widely criticized for not providing this additional logging data for free so that organizations could quickly detect advanced attacks.

"While vendors can offer wider logging access at specific cloud licensing levels, this approach makes it harder to investigate intrusions," explained Eric Goldstein, CISA Executive Assistant Director for Cybersecurity.

"Asking organizations to pay more for necessary logging is a recipe for inadequate visibility into investigating cybersecurity incidents and may allow adversaries to have dangerous levels of success in targeting American organizations."

Advanced logging for all

Today, the US Cybersecurity and Infrastructure Security Agency, more commonly known as CISA, announced that it has been working with Microsoft to identify critical logging data points that should be included for all Microsoft customers for free.

Due to these discussions, and likely the recent attacks, Microsoft says that they are expanding access to the premium cloud logging to all customers for free, with more becoming available in September 2023.

"Today we are expanding Microsoft's cloud logging accessibility and flexibility even further. Over the coming months, we will include access to wider cloud security logs for our worldwide customers at no additional cost," said Microsoft in a new post on the expanded logging.

"As these changes take effect, customers can use Microsoft Purview Audit to centrally visualize more types of cloud log data generated across their enterprise."

To access this data, Microsoft customers can use Microsoft Purview Audit (Standard) to see detailed logs of email access and 30 other data points previously only available to licensed customers.

Microsoft says they are also increasing the default retention period for Audit Standard customers from 90 to 180 days, allowing customers greater historical access to data during incident response investigations.

Microsoft told BleepingComputer that the following thirty-one standard logs that were previously Premium-only are now free:

Exchange

Send, Mail-Items-Accessed,
searchqueryinitiatedexchange

Stream

Streaminvokegettranscript, streaminvokechannelview,
Streaminvokegettexttrack, streaminvokegetvideo,
Streaminvokegroupview

Yammer

Threadviewed, thredaccessfailure,
Messageupdated, fileaccessfailure,
Messagecreation, groupaccessfailure

Teams

Meetingparticipantdetail, messagesent,
Messageslisted, meetingdetail,
Messageupdated, chatretrieved
Messageread, messagehostedcontentread,
Subscribedtomessages, messagehostedcontentslisted,
Chatcreated, chatupdated
Messagecreatednotification, messagedeletednotification,
Messageupdatednotification

SharePoint Online

searchqueryinitiatedsharepoint

However, this does not mean Microsoft Purview Audit (Premium) is going away, with licensed users still getting greater access to data, greater API access,  and access to Microsoft's AI-powered Intelligent Insights forensics tool.

BleepingComputer has contacted Microsoft to learn more about what new data will be accessible for free and will update the article if we get a response.

CISA and the FBI have also released a guide on monitoring and detecting APT activity targeting Outlook Online, a suggested read for all security and email admins.

Related Articles:

Proton launches free, privacy-focused Google Docs alternative

Microsoft pulls Windows 11 KB5039302 update causing reboot loops

Microsoft resumes rollout of Windows 11 KB5039302 update for most users

Get Microsoft certified this summer with $369 off this training bundle

Get certified this summer with $369 off this Microsoft training bundle