CISA shares guidance for Microsoft expanded logging capabilities
CISA shared guidance for government agencies and enterprises on using expanded cloud logs in their Microsoft 365 tenants as part of their forensic and compliance investigations.
As the cybersecurity agency explained, these newly introduced Microsoft Purview Audit (Standard) logging capabilities support enterprise cybersecurity operations by providing access to information on critical events such as mail sent, mail accessed, and user searches in Exchange Online and SharePoint Online.
"These capabilities also allow organizations to monitor and analyze thousands of user and admin operations performed in dozens of Microsoft services and solutions," CISA said on Wednesday.
"These logs provide new telemetry to enhance threat-hunting capabilities for business email compromise (BEC), advanced nation-state threat activities, and possible insider-risk scenarios," the agency added.
The 60-page playbook published today also includes guidance on navigating the expanded logs within Microsoft 365 and ingesting into Microsoft Sentinel and Splunk SIEM (Security Information and Event Management) systems.
Logs expanded after 2023 Exchange Online breach
Microsoft expanded free logging capabilities for all Purview Audit standard customers (with E3/G3 licenses and above) under pressure from CISA after disclosing in July 2023 that a Chinese hacking tracked as Storm-0558 stole emails belonging to senior government officials from the State and Commerce departments in an Exchange Online breach between May and June 2023.
The threat actors used a Microsoft account (MSA) key stolen from a Windows crash dump in April 2021 to forge authentication tokens, which gave them access to targeted email accounts via Outlook.com and Outlook Web Access in Exchange Online (OWA).
While the attackers mostly evaded detection, the State Department's Security Operations Center (SOC) detected the malicious activity using an "in-house detection tool" with access to enhanced cloud logging (i.e., MailItemsAccessed events).
However, these logging capabilities (specifically MailItemsAccessed events with unexpected ClientAppID and AppID) were only available to customers with Microsoft's Purview Audit (Premium) logging licenses. This led to widespread industry criticism of Redmond for hindering organizations from promptly detecting Storm-0558's attacks.
Months after the breach, State Department officials revealed that the Chinese hackers stole over 60,000 emails from department officials' Outlook accounts after breaching Microsoft's cloud-based Exchange Online email platform.
Windows BitLocker bug triggers warnings on devices with TPMs
MikroTik botnet uses misconfigured SPF DNS records to spread malware
CVE-2024-20439 Cisco Smart Licensing Utility Static Credential Vulnerability
CVE-2025-2783 Google Chromium Mojo Sandbox Escape Vulnerability
CVE-2019-9874 Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability
CVE-2019-9875 Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability
CVE-2025-30154 reviewdog/action-setup GitHub Action Embedded Malicious Code Vulnerability
CVE-2025-1316 Edimax IC-7100 IP Camera OS Command Injection Vulnerability
CVE-2024-48248 NAKIVO Backup and Replication Absolute Path Traversal Vulnerability
CVE-2017-12637 SAP NetWeaver Directory Traversal Vulnerability
CVE-2025-24472 Fortinet FortiOS and FortiProxy Authentication Bypass Vulnerability
Free online web security scanner
