Nation-state-sponsored hacking stories are everyone’s favorite Hollywood movies — until our personal or corporate sensitive data shows up on the dark web for sale, being compromised. In real life, cyber espionage groups’s activities trigger security enforcement. First in the government sector, then the government standards slowly shift industry norms starting by gently forcing vendors who are also selling into government contracts.

In the case of the recently announced playbook on MICROSOFT EXPANDED CLOUD LOGS IMPLEMENTATION PLAYBOOK, issued by the US Cybersecurity and Infrastructure Security Agency (CISA), it all started in July 2023, when the Chinese cyber espionage group Storm-0558 exploited a vulnerability in Microsoft’s Outlook email system to gain unauthorized access to email accounts belonging to U.S. government agencies and other organizations. The attackers bypassed security measures using a stolen Microsoft security key to forge authentication tokens. In fact, most attacks use BEC (Business Email Compromise) as a successful entry point in their attack vectors. Why? Because it works.

The fallout in 2023 resulted in Microsoft expanding free logging capabilities for all Purview Audit Standard users, among other changes, and now, realizing the necessity for further strengthening defenses, the Cybersecurity and Infrastructure Security Agency (CISA) has emphasized the transformative potential of Microsoft’s expanded cloud logs for proactive threat detection and provided guidance in the playbook.

Introducing Microsoft’s expanded cloud logs in Microsoft Purview

Microsoft teamed up with CISA in October 2023 to elaborate on the journey and eventually create guidance for government agencies and enterprises on using cloud logs and extending cloud log data sources. Microsoft Purview Audit now has raised the bar with its expanded logging capabilities, empowering organizations to monitor thousands of events across Exchange, SharePoint, and Teams. These newly added logs provide deeper insights into user and admin activities. The idea initially came from and was recommended by CISA to mitigate advanced intrusion techniques.

Without collecting and utilizing Microsoft’s newly added logs, your organization would miss an opportunity to see what is happening in your IT system in those earlier “blind spots.”

These are the types of logs you would be able to collect:

  • Microsoft Exchange audit logs

  • Microsoft SharePoint audit logs

  • Microsoft Teams audit logs

  • Microsoft Viva Engage audit logs

  • Microsoft Stream audit logs

Challenges in operationalizing the new log data

Challenges with data volume

As with every log type, collecting, processing, normalizing, and shipping cloud logs are not without challenges. Organizations may face notable challenges when trying to operationalize these logs. Without an effective solution, they risk being overwhelmed by the sheer volume of audit events, incurring high storage costs, and struggling to filter relevant data for usable and actionable insights.

Adaptation with existing SIEMs

The need to adapt the SIEM configurations appropriately to process, display data, and trigger alerts based on the newly available logged events is critical. Without logs on security issues, organizations lack real-time alerts for incidents and the ability to trace problems back to their source. Do not forget. SIEMs are optimized for analytics, but your analytics can be only as good as the data sources you provide. Failing to incorporate essential data sources leads to incomplete and unreliable analytics.

Filtering relevant data

CISA released a playbook, MICROSOFT EXPANDED CLOUD LOGS IMPLEMENTATION PLAYBOOK, regarding Splunk and its own SIEM offering, Microsoft Sentinel. This playbook explains how to use these logs, which mitigates the pain of those using these SIEM technologies. Yet, this playbook does not solve many organizations' problems, and they must seek solutions themselves.

The effort required to adapt existing configurations and systems to handle and extract value from the newly available log events can be overwhelming. Without an accurate understanding of the new log data and appropriate tooling, IT resources, both financial and human, can be exhausted.

Tackling the challenges with Microsoft’s expanded cloud logs

What about those outside of the Microsoft Sentinel and Splunk SIEM ecosystem?

If your organization uses Microsoft Sentinel or Splunk, you may already have support for these logs — but the reality is often more complex. These are just two of many SIEM solutions available, and most organizations still need to find ways to add these additional data sources and extract meaningful value from their log data.

Every organization eventually needs to handle logs effectively, requiring a solution tailored to their requirements.

These challenges underline the need for a solution beyond the capabilities of native SIEM integrations. This is where a multi-platform logging solution comes into play with one of the industry’s widest data source collection capabilities from legacy systems through BEC data to cloud apps, the NXLog Platform. With extensive experience in collecting, filtering, and normalizing logs from Microsoft technologies, including Sentinel, NXLog Platform simplifies log management for every organization. With over a decade of experience in collecting and managing log data, you can get the most out of your new cloud logs.

Real-World benefits of NXLog Platform

With NXLog Platform’s straightforward setup, advanced log collection, and seamless processing, your organization can efficiently correlate events across Microsoft 365 and beyond, regardless of your preferred SIEM solution. This empowers faster identification of unauthorized email access, unusual searches, and potential insider threats. This proactive approach safeguards your organization against advanced cyber threats and ensures compliance with regulatory requirements. Even though, for now, CISA acknowledges that the implementation might be slightly costly for small and mid-size organizations, only time can tell when these recommendations become mandatory requirements.

For example, imagine a mid-sized enterprise dealing with a sudden spike in phishing attempts. By using NXLog Platform, they can collect and process Microsoft Pureview Audit logs to identify unusual email access patterns and flag a potential security breach in near real-time. This proactive approach could prevent further damage and potentially strengthen their overall security posture.

In addition, you need to consider future changes. Not only will Microsoft propose them, but there will always be new log sources in your IT security journey. NXLog Platform is the solution that can give you peace of mind for being ready for the unseen.

Conclusion

CISA’s latest guidance, combined with Microsoft’s expanded logging features, marks a significant advancement in addressing cybersecurity challenges. Integrating these logs with NXLog Platform helps your organization stay proactive against evolving threats while maintaining strong compliance.

Don’t let gaps in your logging strategy leave your organization vulnerable. Start protecting your data and enhancing your security posture with NXLog Platform — the solution trusted by organizations worldwide.

NXLog Platform is an on-premises solution for centralized log management with
versatile processing forming the backbone of security monitoring.

With our industry-leading expertise in log collection and agent management, we comprehensively
address your security log-related tasks, including collection, parsing, processing, enrichment, storage, management, and analytics.

Start free Contact us
Share
Related Posts