Microsoft extends Purview Audit log retention after July breach


Microsoft is extending Purview Audit log retention as promised after the Chinese Storm-0558 hacking group breached dozens of Exchange and Microsoft 365 corporate and government accounts in July.

The list of affected organizations included government agencies in the U.S. and Western European regions, with the U.S. State and Commerce Departments among them.

The State Department revealed last month that the attackers stole at least 60,000 emails from Outlook accounts belonging to officials stationed in East Asia, the Pacific, and Europe.

Microsoft disclosed that the hacking group used a consumer signing key obtained from a Windows crash dump after compromising the corporate account of a Microsoft engineer. This key was used to hack into Exchange Online and Azure Active Directory (AD) accounts, giving them access to government email accounts.

The changes to audit logging retention announced today will roll out to Microsoft Purview Audit customers with Standard licenses in the coming weeks, starting with enterprise tenants this month and government customers in November.

“Starting in October 2023, we began rolling out changes to extend default retention to 180 days from 90 for audit logs generated by Audit (Standard) customers. Audit (Premium) license holders will continue with a default of one year, and the option to extend up to 10 years,” said Microsoft Purview CVP Rudra Mitra.

“This update helps all organizations minimize risk by increasing access to historical audit log activity data that is critical when investigating the impact from a security breach incident or accommodating a litigation event.”

Critical logging data points for all

Under pressure from the Cybersecurity and Infrastructure Security Agency (CISA), Microsoft has also agreed to broaden access to cloud logging data at no cost, which would help network defenders identify similar breach attempts in the future.

Before, such logging capabilities were exclusively accessible to customers with paid Purview Audit (Premium) licenses. Because of this, Microsoft faced widespread criticism for impeding organizations’ capabilities to detect Storm-0558’s attacks.

Starting December 2023, Microsoft customers with Purview Audit (Standard) licenses will also have access to additional logs of email access and 30 other Yammer/Viva Engage, Teams, Exchange, and SharePoint events previously only available to customers with Premium licenses.

The extra logging data will be available following a staged rollout process. The final phase, scheduled for September 2024, will expand the cloud security activity logs for Microsoft Exchange and SharePoint with the addition of the MailItemsAccessed, Send, SearchQueryInitiatedExchange, and SearchQueryInitiatedSharepoint events.
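The MailItemsAccessed event is the one that matters most for an investigation like the Storm-0558 case, because it records which mailbox items were read, by whom, and from where. The following is an added example (not Microsoft's code and not part of the original article) of the kind of triage a defender would run over exported Unified Audit Log records once these events are available on Standard licenses. The sample records are constructed for this example; the field names (UserId, MailboxOwnerUPN, ClientIPAddress, MailAccessType, OperationProperties, Folders) follow the publicly documented MailItemsAccessed schema, but the values, the trusted network range, and the helper names are assumptions.

```python
import ipaddress
import json

# Constructed sample export: one AuditData JSON object per line. Field names are
# modelled on the documented MailItemsAccessed schema; every value is invented.
SAMPLE_LOG = r"""
{"Operation": "MailItemsAccessed", "UserId": "alice@example.com", "MailboxOwnerUPN": "alice@example.com", "ClientIPAddress": "10.0.0.5", "MailAccessType": "Bind", "LogonType": 0, "OperationProperties": [{"Name": "IsThrottled", "Value": "False"}], "Folders": [{"Path": "\\Inbox", "FolderItems": [{"InternetMessageId": "<m1@example.com>"}]}]}
{"Operation": "MailItemsAccessed", "UserId": "svc-archive@example.com", "MailboxOwnerUPN": "alice@example.com", "ClientIPAddress": "10.0.0.6", "MailAccessType": "Bind", "LogonType": 2, "OperationProperties": [{"Name": "IsThrottled", "Value": "False"}], "Folders": [{"Path": "\\Inbox", "FolderItems": [{"InternetMessageId": "<m2@example.com>"}, {"InternetMessageId": "<m3@example.com>"}]}]}
{"Operation": "MailItemsAccessed", "UserId": "bob@example.com", "MailboxOwnerUPN": "bob@example.com", "ClientIPAddress": "198.51.100.7", "MailAccessType": "Sync", "LogonType": 0, "OperationProperties": [{"Name": "IsThrottled", "Value": "False"}], "Folders": [{"Path": "\\Sent Items", "FolderItems": [{"InternetMessageId": "<m4@example.com>"}]}]}
{"Operation": "MailItemsAccessed", "UserId": "carol@example.com", "MailboxOwnerUPN": "carol@example.com", "ClientIPAddress": "10.0.0.9", "MailAccessType": "Bind", "LogonType": 0, "OperationProperties": [{"Name": "IsThrottled", "Value": "True"}], "Folders": [{"Path": "\\Inbox", "FolderItems": [{"InternetMessageId": "<m5@example.com>"}]}]}
"""

# Assumed corporate address space; in practice this comes from your network inventory.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_audit_lines(text):
    """Parse a newline-delimited export of AuditData JSON objects into dicts."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            records.append(json.loads(line))
    return records


def _operation_property(record, name):
    """Return the value of a named entry in OperationProperties, or None."""
    for prop in record.get("OperationProperties", []):
        if prop.get("Name") == name:
            return prop.get("Value")
    return None


def _item_count(record):
    """Count the individual mail items listed under the record's Folders."""
    return sum(len(folder.get("FolderItems", [])) for folder in record.get("Folders", []))


def triage_mail_access(records, trusted_networks=TRUSTED_NETWORKS):
    """Flag MailItemsAccessed records worth an analyst's attention.

    Three conditions are checked: the accessing account is not the mailbox
    owner (delegate or admin access), the client IP is outside the trusted
    ranges, and the record is throttled, which means the item list is only a
    lower bound on what was actually read.
    """
    findings = []
    for rec in records:
        if rec.get("Operation") != "MailItemsAccessed":
            continue
        reasons = []
        user = rec.get("UserId", "").lower()
        owner = rec.get("MailboxOwnerUPN", "").lower()
        if user and owner and user != owner:
            reasons.append("non-owner access")
        client_ip = rec.get("ClientIPAddress", "")
        try:
            addr = ipaddress.ip_address(client_ip)
            if not any(addr in net for net in trusted_networks):
                reasons.append("untrusted network")
        except ValueError:
            # Some exports carry "ip:port" or an empty string; surface rather than skip.
            reasons.append("unparseable client IP")
        if str(_operation_property(rec, "IsThrottled")).lower() == "true":
            reasons.append("throttled: item count is a lower bound")
        if reasons:
            findings.append({
                "user": user,
                "mailbox": owner,
                "client_ip": client_ip,
                "access_type": rec.get("MailAccessType"),
                "items": _item_count(rec),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in triage_mail_access(parse_audit_lines(SAMPLE_LOG)):
        print(f"{finding['user']} -> {finding['mailbox']} from {finding['client_ip']} "
              f"({finding['access_type']}, {finding['items']} items): {', '.join(finding['reasons'])}")
```

The throttling check is the one analysts most often miss: when a mailbox is read heavily in a short window, Exchange records a single throttled event instead of one per batch, so the absence of further MailItemsAccessed entries does not mean the reading stopped.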

“Microsoft has worked closely with CISA to identify these critical logs and include them in our Microsoft Purview Audit (Standard) license,” Mitra said.

“Audit (Premium) license holders will continue to get longer default retention, broader access to export data, higher bandwidth API access, and logs enriched by Microsoft’s AI-powered intelligent insights.”
