CISA shares guidance for Microsoft expanded logging capabilities

This week, CISA shared guidance for government agencies and enterprises on using expanded cloud logs in their Microsoft 365 tenants as part of their forensic and compliance investigations:

This playbook provides an overview of the newly introduced logs in Microsoft Purview Audit (Standard), which enable organizations to conduct forensic and compliance investigations by accessing critical events, such as mail items accessed, mail items sent, and user searches in SharePoint Online and Exchange Online. In addition, the playbook also discusses significant events in other M365 services such as Teams. Lastly, administration/enabling actions and ingestion of these logs to Microsoft Sentinel and Splunk Security Information and Event Management (SIEM) systems are covered in detail.

The desired outcome of this playbook is to empower enterprises seeking to operationalize these expanded cloud logs in their M365 tenant. It provides guidance on how to navigate to the logs within M365 and how to perform administration actions to enable the logs. A key outcome from the playbook is making the newly available logs an actionable part of enterprise cybersecurity operations. The analytical methodologies tied to using these logs to detect advanced threat actor behavior are covered in detail.

Botond Botyánszki, founder and CTO at NXLog, commented:

“Compromised business email accounts remain the most common type of security breach, underscoring the need for accurate and timely log collection and processing. Audit logs of relevant events — such as email activity, mailbox access, and user searches in Exchange Online and SharePoint Online — are vital for investigating potential intrusions, and continuous monitoring can help detect and prevent breaches before it’s too late.”

“The release of the ‘Microsoft Expanded Cloud Logs Implementation Playbook’ is a significant step forward in enhancing organizational security posture. The playbook empowers organizations to detect and respond to potential intruders targeting M365 more effectively, aligning with modern cybersecurity needs.”

“The newly added logs available with Microsoft Purview Audit (Standard) include events such as email items accessed, email items sent, user searches in SharePoint and OneDrive, and Exchange Online activities. These audit logs provide critical visibility into key actions, such as monitoring email access for unauthorized data access, tracking outbound email activity to detect possible exfiltration, and identifying unusual searches for sensitive files. The guidance on integrating these logs with SIEM solutions like Microsoft Sentinel and Splunk ensures that security teams can seamlessly leverage their existing tools for proactive threat hunting and incident response. This initiative underscores the importance of robust log management practices in a cloud-first world, empowering organizations to defend against advanced intrusion tactics effectively.”
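The mailbox-access visibility described above is easiest to see with the records in hand. The following Python is an added example written for this post; it is not code from the CISA playbook or from NXLog. It parses the AuditData JSON that Search-UnifiedAuditLog -Operations MailItemsAccessed returns per row and applies the two checks an analyst would run first: Sync-type access (a desktop client pulling whole folders) or non-owner (admin/delegate) access from an address outside the tenant's known egress, plus the IsThrottled marker that tells you Exchange stopped recording binds for that mailbox. Field names follow the real MailItemsAccessed schema; the sample records, the users, the IPs and the KNOWN_EGRESS baseline are constructed for the example.

```python
import json
from collections import defaultdict

# Constructed sample rows in the shape of the AuditData JSON string that
# Search-UnifiedAuditLog returns per record. Field names follow the real
# MailItemsAccessed schema; users, IPs and message IDs are invented.
SAMPLE_RECORDS = [
    # 1. Mailbox owner reads one message from the corporate egress IP (benign).
    json.dumps({
        "CreationTime": "2025-01-20T09:01:12", "Operation": "MailItemsAccessed",
        "UserId": "alice@example.test", "MailboxOwnerUPN": "alice@example.test",
        "LogonType": 0, "ClientIPAddress": "203.0.113.10", "ClientInfoString": "Client=OWA",
        "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"},
                                {"Name": "IsThrottled", "Value": "False"}],
        "Folders": [{"Path": "\\Inbox",
                     "FolderItems": [{"InternetMessageId": "<m1@example.test>"}]}]}),
    # 2. Owner credentials sync the whole Inbox from an address not in the baseline.
    json.dumps({
        "CreationTime": "2025-01-20T09:15:40", "Operation": "MailItemsAccessed",
        "UserId": "alice@example.test", "MailboxOwnerUPN": "alice@example.test",
        "LogonType": 0, "ClientIPAddress": "198.51.100.77",
        "ClientInfoString": "Client=MSExchangeRPC",
        "OperationProperties": [{"Name": "MailAccessType", "Value": "Sync"},
                                {"Name": "IsThrottled", "Value": "False"}],
        "Folders": [{"Path": "\\Inbox"}]}),
    # 3. A delegate reads Alice's mail from that same unfamiliar address.
    json.dumps({
        "CreationTime": "2025-01-20T09:20:03", "Operation": "MailItemsAccessed",
        "UserId": "bob@example.test", "MailboxOwnerUPN": "alice@example.test",
        "LogonType": 2, "ClientIPAddress": "198.51.100.77", "ClientInfoString": "Client=OWA",
        "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"},
                                {"Name": "IsThrottled", "Value": "False"}],
        "Folders": [{"Path": "\\Inbox",
                     "FolderItems": [{"InternetMessageId": "<m2@example.test>"}]}]}),
    # 4. Exchange hit the per-mailbox bind limit: MailItemsAccessed logging pauses.
    json.dumps({
        "CreationTime": "2025-01-20T11:48:55", "Operation": "MailItemsAccessed",
        "UserId": "alice@example.test", "MailboxOwnerUPN": "alice@example.test",
        "LogonType": 0, "ClientIPAddress": "203.0.113.10", "ClientInfoString": "Client=OWA",
        "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"},
                                {"Name": "IsThrottled", "Value": "True"}],
        "Folders": [{"Path": "\\Inbox",
                     "FolderItems": [{"InternetMessageId": "<m3@example.test>"},
                                     {"InternetMessageId": "<m4@example.test>"}]}]}),
    # 5. A different operation in the same export; the parser must skip it.
    json.dumps({"CreationTime": "2025-01-20T12:00:00", "Operation": "Send",
                "UserId": "alice@example.test"}),
]

# Hypothetical baseline of addresses the organisation expects mailbox access from.
KNOWN_EGRESS = {"203.0.113.10"}
# Exchange mailbox audit logon types: 0 = owner, 1 = admin, 2 = delegate.
NON_OWNER_LOGON_TYPES = {1, 2}


def parse_mail_items_accessed(raw):
    """Flatten one AuditData string; return None for any other operation."""
    rec = json.loads(raw)
    if rec.get("Operation") != "MailItemsAccessed":
        return None
    props = {p["Name"]: p["Value"] for p in rec.get("OperationProperties", [])}
    items = sum(len(f.get("FolderItems", [])) for f in rec.get("Folders", []))
    return {
        "time": rec["CreationTime"],
        "actor": rec["UserId"],
        "mailbox": rec.get("MailboxOwnerUPN", rec["UserId"]),
        "ip": rec.get("ClientIPAddress", ""),
        "client": rec.get("ClientInfoString", ""),
        "logon_type": rec.get("LogonType"),
        "access_type": props.get("MailAccessType", ""),
        "throttled": props.get("IsThrottled", "False") == "True",
        "items": items,
    }


def triage(raw_records, known_ips=KNOWN_EGRESS):
    """Return (finding, event) pairs worth an analyst's attention."""
    findings = []
    for raw in raw_records:
        ev = parse_mail_items_accessed(raw)
        if ev is None:
            continue
        unfamiliar = ev["ip"] not in known_ips
        if ev["access_type"] == "Sync" and unfamiliar:
            # A Sync record means the client may have pulled the whole folder.
            findings.append(("SYNC_FROM_UNKNOWN_IP", ev))
        elif unfamiliar and ev["logon_type"] in NON_OWNER_LOGON_TYPES:
            findings.append(("NON_OWNER_ACCESS_FROM_UNKNOWN_IP", ev))
        if ev["throttled"]:
            # Coverage gap: Exchange stops logging binds for this mailbox for 24 h.
            findings.append(("THROTTLED", ev))
    return findings


def items_by_actor_ip(raw_records):
    """Count message binds per (actor, source IP) to give the findings context."""
    counts = defaultdict(int)
    for raw in raw_records:
        ev = parse_mail_items_accessed(raw)
        if ev is not None:
            counts[(ev["actor"], ev["ip"])] += ev["items"]
    return dict(counts)


if __name__ == "__main__":
    for kind, ev in triage(SAMPLE_RECORDS):
        print(f'{ev["time"]} {kind:32} actor={ev["actor"]} mailbox={ev["mailbox"]} ip={ev["ip"]}')
    print(items_by_actor_ip(SAMPLE_RECORDS))
```

Two caveats the code makes visible: a THROTTLED finding means the absence of later MailItemsAccessed records for that mailbox is not evidence that nothing was read, and a Sync record carries no per-message list, so the item count for it is zero even though an entire folder may have been downloaded. Against a live tenant, the same functions can be fed the AuditData column of a Search-UnifiedAuditLog export, with KNOWN_EGRESS replaced by the organisation's real address list.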

Every organization running Microsoft 365 should read this CISA playbook: it offers practical guidance on enabling these logs, getting them into a SIEM and using them, which will help defenders keep up with cyberthreats that are always evolving.
