- CISA publishes new playbook for government agencies and businesses
- The guide covers the expanded cloud logs Microsoft now provides
- Microsoft expanded its cloud logs after the July 2023 Outlook incident
Microsoft has expanded the logging available in its cloud services, a change with significant implications for US government organizations and other customers.
In July 2023, Microsoft disclosed that a Chinese state-sponsored threat actor had gained access to the email accounts of officials at the US State Department and the Department of Commerce. The fallout was significant and led Microsoft to extend free access to additional logging for all Purview Audit (Standard) customers, among other changes.
Now the US Cybersecurity and Infrastructure Security Agency (CISA) has released its guidance explaining to government agencies and businesses how to take advantage of the changes.
Navigating Extended Log Files
The new guide is a 60-page playbook, which reflects how substantial the changes are.
“These capabilities also allow organizations to monitor and analyze thousands of user and administrator actions performed across dozens of Microsoft services and solutions,” CISA said. “These logs provide new telemetry to improve threat hunting capabilities for business email compromise (BEC), advanced nation-state threat activities, and possible insider risk scenarios.”
The guide also covers navigating the expanded logs in Microsoft 365 and ingesting them into the Microsoft Sentinel and Splunk security information and event management (SIEM) platforms.
In July 2023, the Chinese cyber-espionage group Storm-0558 gained unauthorized access to email accounts belonging to US government agencies and other organizations. The attackers used an acquired Microsoft account (MSA) consumer signing key, combined with a token validation flaw, to forge authentication tokens for Outlook Web Access in Exchange Online and Outlook.com, bypassing normal authentication.
In response, Microsoft revoked the compromised signing key, hardened its token validation, and published detailed incident reports and security updates for affected customers. The company also faced scrutiny over its cloud security practices and pressure to improve them to prevent similar breaches in the future.
Microsoft also launched its Secure Future Initiative (SFI) in November 2023, a company-wide cybersecurity program aimed at improving security resilience across its products and services, backed by heavy investment in threat detection, prevention and response capabilities.
Via Bleeping Computer