Microsoft's new expanded logging capabilities could mean big changes for US government devices
New 60-page playbook may change a thing or two about cloud use in government agencies
- CISA releases new playbook for government firms and enterprises
- The guidebook addresses expanded cloud logs from Microsoft
- Microsoft expanded its cloud logs after July 2023 Outlook incident
Microsoft has recently expanded logging capabilities for its cloud services, which could mean significant changes for US government organizations.
In July 2023, it emerged that a Chinese state-sponsored threat actor had found a way to access email accounts belonging to government officials at the State Department and the Department of Commerce. The fallout was major, and it resulted in Microsoft expanding free logging capabilities for all Purview Audit (Standard) customers, among other changes.
Now, the US Cybersecurity and Infrastructure Security Agency (CISA) has released its guidance, explaining to government agencies and enterprises how to take advantage of the changes.
Navigating expanded logs
The new guidance is a 60-page playbook, so the changes could be quite major.
"These capabilities also allow organizations to monitor and analyze thousands of user and admin operations performed in dozens of Microsoft services and solutions," CISA said. "These logs provide new telemetry to enhance threat-hunting capabilities for business email compromise (BEC), advanced nation-state threat activities, and possible insider-risk scenarios."
The guidance also discusses navigating the expanded logs within Microsoft 365, and ingesting and querying them with both Microsoft Sentinel and Splunk security information and event management (SIEM) systems.
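The value of the expanded logs is in the hunting they make possible, so here is an added example, not part of CISA's playbook or Microsoft's own tooling, of the kind of BEC-style query the passage alludes to. It works over a handful of constructed Unified Audit Log rows (the same CreationDate/UserIds/Operations/AuditData shape an audit-log export produces) for the MailItemsAccessed event, which Microsoft moved from the Premium tier into Purview Audit Standard after the 2023 incident. The per-mailbox baseline IP list is an assumption you would normally build from prior weeks of logs; the sample records and addresses are invented for the demo.

```python
"""Hunt over Microsoft 365 Unified Audit Log rows for suspicious mailbox reads.

Constructed example data: the rows below mimic an audit-log export, they are not
real records. Baseline IPs are assumed to come from an earlier learning period.
"""
import json
from collections import defaultdict


def _row(time, user, mailbox, ip, session, client, access, throttled, items, op="MailItemsAccessed"):
    """Build one export-style row with AuditData serialized as JSON, as in a real export."""
    audit = {
        "Operation": op, "UserId": user, "MailboxOwnerUPN": mailbox,
        "ClientIPAddress": ip, "SessionId": session, "ClientInfoString": client,
        "OperationProperties": [{"Name": "MailAccessType", "Value": access},
                                {"Name": "IsThrottled", "Value": "True" if throttled else "False"}],
        "Folders": [{"Path": "\\Inbox",
                     "FolderItems": [{"InternetMessageId": f"<m{i}@example.gov>"} for i in range(items)]}],
    }
    return {"CreationDate": time, "UserIds": user, "Operations": op, "AuditData": json.dumps(audit)}


# Constructed sample: normal OWA use, then a sync from an unfamiliar IP that also
# reads a second mailbox, and a mailbox whose audit records were throttled.
SAMPLE_ROWS = [
    _row("2025-01-15T08:02:11", "alice@example.gov", "alice@example.gov", "203.0.113.10",
         "s-1", "Client=OWA;Action=ViaProxy", "Bind", False, 3),
    _row("2025-01-15T08:40:57", "alice@example.gov", "alice@example.gov", "198.51.100.77",
         "s-2", "Client=REST;Client=RESTSystem;;", "Sync", False, 120),
    _row("2025-01-15T08:44:03", "bob@example.gov", "bob@example.gov", "198.51.100.77",
         "s-3", "Client=REST;Client=RESTSystem;;", "Bind", False, 40),
    _row("2025-01-15T09:10:30", "carol@example.gov", "carol@example.gov", "203.0.113.12",
         "s-4", "Client=OWA;Action=ViaProxy", "Bind", True, 0),
    _row("2025-01-15T09:12:00", "admin@example.gov", "alice@example.gov", "203.0.113.10",
         "s-5", "Client=EXO;", "", False, 0, op="Set-Mailbox"),  # not a read, should be ignored
]

# Assumed baseline: IPs each mailbox owner was seen from during a learning period.
BASELINE_IPS = {
    "alice@example.gov": {"203.0.113.10"},
    "bob@example.gov": {"203.0.113.11"},
    "carol@example.gov": {"203.0.113.12"},
}


def parse_rows(rows):
    """Flatten the AuditData JSON of each MailItemsAccessed row into one event dict."""
    events = []
    for row in rows:
        data = json.loads(row["AuditData"])
        if data.get("Operation") != "MailItemsAccessed":
            continue
        props = {p["Name"]: p["Value"] for p in data.get("OperationProperties", [])}
        events.append({
            "time": row["CreationDate"],
            "user": data["UserId"],
            "mailbox": data.get("MailboxOwnerUPN", data["UserId"]),
            "ip": data.get("ClientIPAddress", ""),
            "session": data.get("SessionId", ""),
            "client": data.get("ClientInfoString", ""),
            "access_type": props.get("MailAccessType", ""),
            # IsThrottled=True means the mailbox exceeded Microsoft's daily cap on Bind
            # records, so later reads that day were NOT logged: treat as a coverage gap.
            "throttled": props.get("IsThrottled", "False") == "True",
            "item_count": sum(len(f.get("FolderItems", [])) for f in data.get("Folders", [])),
        })
    return events


def hunt(events, baseline_ips):
    """Return (finding, subject, detail) tuples for access worth an analyst's attention."""
    findings = []
    mailboxes_by_ip = defaultdict(set)
    for e in events:
        mailboxes_by_ip[e["ip"]].add(e["mailbox"])
        if e["throttled"]:
            findings.append(("throttled", e["mailbox"], e["ip"]))
        if e["ip"] not in baseline_ips.get(e["mailbox"], set()):
            findings.append(("new_ip", e["mailbox"], e["ip"]))
            # A Sync from a new address is a bulk download, the classic BEC collection step.
            if e["access_type"] == "Sync":
                findings.append(("sync_from_new_ip", e["mailbox"], e["ip"]))
    # One client address reading several mailboxes is a stolen-token / shared-infra signal.
    for ip, boxes in mailboxes_by_ip.items():
        if len(boxes) > 1:
            findings.append(("one_ip_many_mailboxes", ip, tuple(sorted(boxes))))
    return findings


if __name__ == "__main__":
    for finding in hunt(parse_rows(SAMPLE_ROWS), BASELINE_IPS):
        print(finding)
```

The same logic ports directly to a Sentinel KQL or Splunk SPL query over the ingested OfficeActivity data; the point of doing it in code first is to see which fields (MailAccessType, IsThrottled, ClientIPAddress, MailboxOwnerUPN) the playbook's expanded events actually give you, and that a throttled record must be read as "logging stopped", not "nothing happened".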
In July 2023, the Chinese cyber espionage group Storm-0558 was found to have gained unauthorized access to Exchange Online (Outlook) mailboxes belonging to U.S. government agencies and other organizations. The attackers used a stolen Microsoft account (MSA) consumer signing key to forge authentication tokens, and a token validation flaw meant tokens signed with that consumer key were accepted for enterprise mailboxes.
As a result, Microsoft was forced to revoke the compromised security key, bolster its token validation systems, and enhance transparency by providing detailed incident reports and security updates to affected customers. Additionally, it faced scrutiny over its cloud security practices and was pressured to improve safeguards to prevent similar breaches in the future.
Microsoft also launched its Secure Future Initiative (SFI) in November 2023, a comprehensive cybersecurity program aimed at enhancing security resilience across its products and services. It invested heavily in advanced threat detection, prevention, and response capabilities.
Via BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.