Data-driven decision-making: The power of enhanced event logging

Casey Kahsen, senior technical specialist for incident response, threat hunting, and critical Infrastructure at Microsoft, is an accomplished information security professional with more than 15 years of experience in the government, international, critical infrastructure and private sectors. Specializing in malware analysis, digital forensics, incident response, and cyber threat intelligence, Kahsen has effectively enhanced national cybersecurity measures and international partnerships.

In an era where cyber threats loom large, safeguarding our nation’s digital infrastructure is paramount. The Biden-Harris administration’s commitment to bolstering security measures has catalyzed a concerted effort to enhance event logging across federal agencies. In particular, the administration has focused on advancing secure-by-design and secure-by-default (SbD-D) principles.

Event logs are critical in increasing an agency’s visibility before, during and after a cybersecurity incident. While not a preventative measure, event logs provide deeper insight to understand a threat actor’s intentions, which can aid in informing future defenses. By collecting more types of log data and storing it for longer periods, agencies can better uncover auditable insights into how user identities, applications, and devices interact with their cloud-based services. This also offers a window into how adversaries might exploit each entity.

Similarly, SbD-D fortifies security baselines by ensuring security is integrated throughout the software development lifecycle and that products are as secure as possible out of the box without requiring additional configurations.

To that end, Microsoft has engaged in a joint working group with the Cybersecurity and Infrastructure Agency (CISA), the Office of Management and Budget (OMB), the Office of the National Cyber Director (ONCD), and the Executive Office of the President (EOP) to increase default access to Microsoft’s enhanced logging capabilities across the federal government. This working group brings world-class resources from all participating members to a single table. As part of this effort, we are expanding cloud logging through Microsoft Purview Audit to provide all US government agencies (federal, state, local) unparalleled visibility at no additional cost. Keep reading for more details. The target goal for completing this project is June 2024.

How Microsoft is working to expand default event logging across the federal government

When the Biden-Harris administration first released its Memorandum on Improving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents (M-21-31) in August 2021, it signaled the importance of expanded event logging in driving greater federal security best practices. M-21-31 lays forth a series of logging maturity levels differentiated by the types of data collected. It also sets certain retention requirements for active and long-term data storage.

Recognizing the need for close collaboration between the public and private sectors early on in this effort, Microsoft joined CISA, OMB, ONCD, and the EOP in forming the Joint Working Group for Enhanced Logging (JWG-EL). This group aims to provide the government with transparency, visibility, and true partnership in collaboration through Microsoft’s logging rollout project. Thus ensuring that all U.S. federal customers receive these critical enhanced logging capabilities on time. Identifying and defending against our nation’s most advanced cyber threats depends on this project’s success. Its importance cannot be overstated.

Microsoft’s enhanced logging capabilities provide benefits encompassing two key areas.

First, Microsoft has extended default log retention to 180 days from 90 days for all Audit Standard customers. Second, Microsoft is adding 30 additional audit logs to the Audit (Standard) license. Initially only available under Audit (Premium), these additional logs provide deep insights on user behavior and event monitoring across Exchange, SharePoint, Teams, Viva Engage, and Streams M365 Workloads. The capabilities provided by these logs are invaluable in efficiently detecting attacks from low-level cybercrime to the most advanced nation-state threat actors alike. These logs bring to bear capabilities for cyber defenders to:

• Identify when email inboxes have been accessed and by whom (MailItemsAccessed)
• Differentiate between legitimate mailbox and threat actor access (MailItemsAccessed + SessionId)
• Identify emails sent from your environment (e.g., phishing, spear phishing) (Send)
• Discover search terms used by a threat actor against your mailboxes (UserSearchQueryInitiatedExchange)
• Discover search terms used by a threat actor against your SharePoint sites (UserSearchQueryInitiatedSharePoint)

With this level of insight, defenders can shift their analytical efforts to the threat actor’s behavior and focus less on the more ephemeral, traditional indicators (IP addresses, domains, hashes, etc.). Identifying which users were compromised and the files and folders of interest provides an unprecedented understanding of threat actor intent (e.g., sensitive projects, business & contract negotiations, cybersecurity capabilities, etc.). This degree of capability can facilitate an understanding of the threat actor’s intentions and possible motives—foundational elements for accurate predictive analysis.    

Agencies with these logs meet the Tier-3 (EL3) User Behavior Monitoring criteria under M-21-31 for their Microsoft 365 environments. These logs are being provided at no additional cost to Audit (Standard) license holders, and nearly all will be enabled by default in keeping with Microsoft’s commitment to SbD-D (Note: UserSearchQuery logs will still require a PowerShell script to be executed on a per-user basis to enable).

However, it should be noted that providing expanded logging and enabling it by default is not sufficient as an all-in-one security solution. Agencies must also commit to operationalizing the data provided by these logs to fully capitalize on their potential.

What steps can agencies take to operationalize enhanced logging capabilities?

As JWG-EL moves into the next phase of its work, the focus will be operationalizing the new logging capabilities. Underutilized capabilities (i.e. paying for a service and not using it) are a serious concern, especially in cybersecurity. Microsoft and the JWG-EL are committed to ensuring that federal agencies are well-equipped to harness the full potential of the enhanced logging capabilities—underscoring the importance of education and clear, actionable guidance.

During phase two, JWG-EL will ensure agencies know what to do with these logs once they are enabled and available. To that effect, Microsoft is working on a joint playbook in close collaboration with CISA to teach agencies how to implement and understand the additional logging capabilities provided under Audit (Standard). This playbook will incorporate lessons learned from the early adopter agencies. It will guide agencies in using the expanded logs to hunt for and identify the most advanced cyber threat actors targeting our country. The playbook is expected to be completed in Q1 2024.

Microsoft has worked closely with CISA to expand the types of security log data we provide to cloud customers for insight and analysis. In doing so, we can better protect our customers and increase the secure-by-default baseline of our cloud platforms.

We look forward to continued collaboration with CISA and the broader federal government as we work to advance built-in security and create safer digital experiences for all. Read our latest announcement for more information on our strategic collaboration and unwavering commitment to a more secure digital future.

This article was underwritten by Microsoft and Merritt Group.