Incident Response, Americas, Asia Pacific, Breach, Channel partners, Channel markets, Content, Security Program Controls/Technologies, EMEA, Enterprise, Europe, Malware, Midmarket, Small business, Threat Intelligence, Vertical markets

Microsoft, CISA Collaborate to Expand Cloud Logging After China Email Hack


Microsoft government and commercial customers worldwide will have access to wider cloud logging capabilities free of charge, owing to a collaboration between the vendor and the Cybersecurity and Infrastructure Security Agency (CISA).

The partnership comes one week after word surfaced that China-based hackers covertly tapped into cloud-based email accounts at more than two dozen organizations since May, including two U.S. government agencies. Microsoft has reportedly been criticized by some larger customers who complained that they were unable to detect the cyber operation.

CISA said it first learned of the campaign in mid-June. The agency has previously advocated for corporate customers to better protect themselves against cyberattacks.

The Importance of Data Logs

Vasu Jakkal, Microsoft corporate vice president, wrote in a blog post that log data plays a key role in incident response because it “provides granular, auditable insight into how different identities, applications, and devices access” a customer’s cloud services. As Jakkal explained:

“These logs themselves do not prevent attacks, but they can be useful in digital forensics and incident response when examining how an intrusion might have occurred, such as when an attacker is impersonating an authorized user.”

Commercial and government customers with E5/G5 licenses already using Microsoft Purview Audit (premium subscription) will continue to receive access to all available audit logging events. The expanded logging capabilities now extend to customers with standard agreements for the Purview Audit tools, Jakkal wrote. Microsoft is also increasing the default retention period for Audit standard customers from 90 days to 180 days.

The company will begin rolling out the logging updates in September 2023 to all government and commercial customers.

CISA Lauds Microsoft's Action

CISA said in a bulletin that its operational teams had identified “several security logs critical for detecting and preventing threat activity” that cost extra for organizations using Microsoft’s basic license. CISA director Jen Easterly said Microsoft’s decision to make “necessary log types available to the broader cybersecurity community” will take time to implement:

“After working collaboratively for over a year, I am extremely pleased with Microsoft’s decision to make necessary log types available to the broader cybersecurity community at no additional cost. While we recognize this will take time to implement, this is truly a step in the right direction toward the adoption of Secure by Design principles by more companies. We will continue to work with all technology manufacturers, including Microsoft, to identify ways to further enhance visibility into their products for all customers.”

Of the expanded log function, Microsoft’s Jakkal said:

“We know customers have multiple issues to consider, including data storage capacity and which Microsoft or third-party log management tools they want to use, and our newly expanding, flexible logging options help customers decide what is best for their requirements.”

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.