Following a widespread hacking attack on its systems in July, Microsoft has announced that it is extending the Purview Audit log retention capabilities. The breach, attributed to the Chinese hacking group Storm-0558, affected a multitude of Exchange and Microsoft 365 corporate and government accounts, among them the U.S. State and Commerce Departments. The resulting enhancements will roll out to Microsoft Purview Audit customers in the coming weeks.
It was revealed that the State Department lost at least 60,000 emails from officials' Outlook accounts based in various regions like East Asia, the Pacific, and Europe. In response to pressure from the Cybersecurity and Infrastructure Security Agency (CISA), Microsoft has agreed to broaden access to cloud logging data without additional charge. Prior to this, these logging capabilities were available only to customers with paid Purview Audit (Premium) licenses.
New Measures to Enhance Logging and Data Access
“Starting in October 2023, we began rolling out changes to extend default retention to 180 days from 90 for audit logs generated by Audit (Standard) customers. Audit (Premium) license holders will continue with a default of one year, and the option to extend up to 10 years,” stated Microsoft Purview's Chief Vice President, Rudra Mitra. Mitra adds that these updates help organizations minimize risk by increasing access to historical audit log activity data, a critical component when investigating the aftermath of a security breach incident or dealing with litigation.
By December 2023, customers with Purview Audit (Standard) licenses will also have access to further logs of email access and some 30 other events related to Yammer/Viva Engage, Teams, Exchange, and SharePoint, previously accessible only to Premium-license holders. This is expected to strengthen the ability of organizations to detect and prevent attacks in the future.
Cloud Security Activity Logs Expansion
The final phase of this overhaul is expected to roll out in September 2024, when Microsoft plans to expand the cloud security activity logs for Microsoft Exchange and SharePoint through the addition of the MailItemsAccessed, Send, SearchQueryInitiatedExchange, and SearchQueryInitiatedSharepoint events.
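The events named above are retrieved from the same unified audit log as every other Purview record, so an investigator working through a suspected mailbox compromise can pull them with the ExchangeOnlineManagement module. The script below is an added example and is not code from the article or from Microsoft; it assumes the ExchangeOnlineManagement module is installed, that the signed-in account holds an audit-reading role, and that the four operation names are spelled as the article gives them (the AuditData field names used come from the Office 365 Management Activity API's Exchange mailbox schema).

```powershell
# Added example (not from the article): pull the MailItemsAccessed, Send and
# search-query events from the unified audit log over the longest window an
# Audit (Standard) tenant can now query (180 days), then summarise per user.
Connect-ExchangeOnline -ShowBanner:$false

$end   = Get-Date
$start = $end.AddDays(-180)           # 180-day Audit (Standard) retention
$ops   = 'MailItemsAccessed', 'Send',
         'SearchQueryInitiatedExchange', 'SearchQueryInitiatedSharepoint'

# A single call returns at most 5000 records, so page through the result set
# by reusing one SessionId with -SessionCommand ReturnLargeSet until the
# cmdlet stops returning rows.
$sessionId = "purview-events-$([guid]::NewGuid())"
$records   = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -Operations $ops -ResultSize 5000 `
        -SessionId $sessionId -SessionCommand ReturnLargeSet
    if ($page) { $records += $page }
} while ($null -ne $page -and $page.Count -gt 0)

# AuditData is a JSON string; expand the fields an investigator looks at first.
$parsed = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    # MailItemsAccessed carries an IsThrottled property once more than 1,000
    # Bind events hit a mailbox within 24 hours; the audit for that window is
    # then incomplete, so the flag itself is a finding worth recording.
    $throttled = ($d.OperationProperties | Where-Object Name -eq 'IsThrottled').Value
    [pscustomobject]@{
        Time       = $r.CreationDate
        User       = $r.UserIds
        Operation  = $r.Operations
        AccessType = $d.MailAccessType     # Bind or Sync (MailItemsAccessed only)
        ClientApp  = $d.ClientInfoString   # e.g. Outlook, OWA, Graph client
        ClientIP   = $d.ClientIPAddress
        Throttled  = [bool]$throttled
    }
}

# Per-user, per-operation counts make unusual mail reads or searches stand out.
$parsed | Group-Object User, Operation |
    Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Mailboxes whose access audit was throttled (and therefore incomplete).
$parsed | Where-Object Throttled | Select-Object Time, User, ClientApp -Unique

# Preserve the raw records: once the retention window passes, the tenant can
# no longer reproduce this export.
$records | Select-Object CreationDate, UserIds, Operations, AuditData |
    Export-Csv -Path .\audit-export.csv -NoTypeInformation

Disconnect-ExchangeOnline -Confirm:$false
```

The 180-day window is the ceiling for Audit (Standard) tenants once the change lands; until then, or for events older than the retention period, the query simply returns nothing for the missing days, which is why the export step matters for any incident that may end in litigation.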
“Audit (Premium) license holders will continue to get longer default retention, broader access to export data, higher bandwidth API access, and logs enriched by Microsoft's AI-powered intelligent insights,” Mitra concluded. These upgrades are intended to strengthen overall cybersecurity and help organizations thwart similar security breaches in the future.