US federal agencies get first crack at expanded Microsoft 365 logging capabilities

Microsoft 365

Published April 8th, 2024. Reading time: about 7 minutes.


[Figure 1: Microsoft 365. Photo: CSO Online]

Microsoft has announced changes to its logging that may require adjustments on your side to maintain a strong security posture.

If you are responsible for security at a United States federal agency, take advantage of the enhanced logging features Microsoft has just announced.

While CISA and Microsoft are making progress on the logging requirements of government customers, individuals and organizations outside that realm will still have to rely on Purview trial licenses to obtain the extra logging during investigations.

It is unknown at this time when Microsoft plans to introduce this extra logging feature to their customers who are not using Purview.

In its blog post, Microsoft announced that it will publish, together with CISA, the Microsoft Expanded Cloud Log Implementation Playbook. The playbook will walk through each of the new log events and the use cases in which they support threat hunting and incident response at your organization.

According to Microsoft, federal organizations will have access to a wider range of logging capabilities without needing to activate them manually. However, two specific capabilities, SearchQueryInitiatedExchange and SearchQueryInitiatedSharePoint, will not be readily available and will require some extra steps to activate.

Note that you may need to plan for how you handle these log files in your existing storage and security information and event management (SIEM) system. Expanded logging means considerably larger logs, so if you already retain these logs, plan ahead for both the growth in size and the impact on the devices that ingest them.

The additional logs will be retained automatically in Purview Compliance for 180 days, up from the previous default of 90 days.

Enabling SearchQueryInitiatedExchange and SearchQueryInitiatedSharePoint is recommended, but plan for the extra storage and the bandwidth changes those features may require.

More Logging Coming Soon For Microsoft Purview License Holders

Microsoft's expanded Purview logging will also be made available to customers outside the federal government in the near future.

According to Microsoft, Purview Audit Standard users will now generate four new Exchange and SharePoint events that were previously exclusive to Audit Premium subscribers: MailItemsAccessed, Send, SearchQueryInitiatedExchange, and SearchQueryInitiatedSharePoint. The contents of the logs vary with the user's license; once a user is assigned an Audit Premium license, Exchange logs also carry extra metadata, such as SensitivityLabel on MailItemsAccessed events.

Note that MailItemsAccessed tells an investigator whether an intruder read an email or file, which makes it critical for determining exactly what information the intruder was able to view and steal. Further improvements to this feature are expected by mid-2024.
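To show what the MailItemsAccessed question looks like in practice, here is an added triage script that is not part of the article or of any Microsoft tooling. It runs over a constructed export of unified audit log records (one AuditData JSON object per line, the shape a Search-UnifiedAuditLog export produces); the field names (Operation, UserId, ClientIPAddress, OperationProperties, Folders, FolderItems, InternetMessageId) follow the MailItemsAccessed record layout as I understand it and are an assumption, as is modelling Sync records as folders without individual items and reading the IsThrottled property as the sign that a session touched more items than were logged. The accounts and IP addresses are made up, using RFC 5737 documentation ranges.

```python
"""Triage MailItemsAccessed records from a unified audit log export.

Added example with constructed data. It groups accesses by account and
client IP and lists the message IDs read, which is the question an
investigator asks of this event: what did the intruder actually see?
"""
import json
from collections import defaultdict

# Constructed sample export: one AuditData JSON object per line. Field
# names are assumed from the MailItemsAccessed layout; the accounts and
# the RFC 5737 addresses are made up. The last line is deliberately
# malformed to show that a damaged line does not abort the triage.
SAMPLE_EXPORT = r"""
{"CreationTime":"2024-04-01T08:02:11","Operation":"MailItemsAccessed","UserId":"alice@example.test","ClientIPAddress":"203.0.113.10","OperationProperties":[{"Name":"MailAccessType","Value":"Bind"},{"Name":"IsThrottled","Value":"False"}],"Folders":[{"Path":"\\Inbox","FolderItems":[{"InternetMessageId":"<m1@example.test>"},{"InternetMessageId":"<m2@example.test>"}]}]}
{"CreationTime":"2024-04-01T08:05:40","Operation":"MailItemsAccessed","UserId":"alice@example.test","ClientIPAddress":"198.51.100.7","OperationProperties":[{"Name":"MailAccessType","Value":"Sync"},{"Name":"IsThrottled","Value":"False"}],"Folders":[{"Path":"\\Inbox","FolderItems":[]}]}
{"CreationTime":"2024-04-01T08:09:03","Operation":"MailItemsAccessed","UserId":"alice@example.test","ClientIPAddress":"203.0.113.10","OperationProperties":[{"Name":"MailAccessType","Value":"Bind"},{"Name":"IsThrottled","Value":"True"}],"Folders":[{"Path":"\\Sent Items","FolderItems":[{"InternetMessageId":"<m2@example.test>"},{"InternetMessageId":"<m3@example.test>"}]}]}
{"CreationTime":"2024-04-01T08:10:00","Operation":"Send","UserId":"alice@example.test","ClientIPAddress":"203.0.113.10"}
not json at all
"""


def parse_export(text):
    """Parse a JSON-lines export, skipping blank and malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # keep going; one bad line must not hide the rest
    return records


def _prop(record, name, default=None):
    """Read a named entry from the OperationProperties name/value list."""
    for item in record.get("OperationProperties", []):
        if item.get("Name") == name:
            return item.get("Value")
    return default


def summarize_mail_access(records):
    """Group MailItemsAccessed records by (UserId, ClientIPAddress).

    Returns {(user, ip): {"bind": n, "sync": n, "messages": set, "throttled": bool}}.
    Sync records (assumed) list folders but no per-item IDs, so they are
    counted separately. A throttled record means the session touched more
    items than were logged, so the message set is a lower bound.
    """
    summary = defaultdict(
        lambda: {"bind": 0, "sync": 0, "messages": set(), "throttled": False}
    )
    for rec in records:
        if rec.get("Operation") != "MailItemsAccessed":
            continue  # other operations (e.g. Send) are out of scope here
        entry = summary[(rec.get("UserId"), rec.get("ClientIPAddress"))]
        access = _prop(rec, "MailAccessType", "Bind")
        entry["sync" if access == "Sync" else "bind"] += 1
        if _prop(rec, "IsThrottled", "False") == "True":
            entry["throttled"] = True
        for folder in rec.get("Folders", []):
            for item in folder.get("FolderItems", []):
                if item.get("InternetMessageId"):
                    entry["messages"].add(item["InternetMessageId"])
    return dict(summary)


def main():
    records = parse_export(SAMPLE_EXPORT)
    for (user, ip), entry in sorted(summarize_mail_access(records).items()):
        flag = " (throttled: item list incomplete)" if entry["throttled"] else ""
        print(f"{user} from {ip}: {entry['bind']} bind, {entry['sync']} sync, "
              f"{len(entry['messages'])} distinct messages{flag}")
        for mid in sorted(entry["messages"]):
            print("   ", mid)


if __name__ == "__main__":
    main()
```

On the sample, the 203.0.113.10 client produced two Bind sessions covering three distinct messages, with the throttled flag warning that the true count is higher, while the 198.51.100.7 client only synced the Inbox without per-item records. In a real investigation the same grouping, run against the exported records for the compromised mailbox, is what separates "the attacker touched the mailbox" from "the attacker read these specific messages".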

Microsoft Purview is also expanding its monitoring of Teams. According to Microsoft, the update will make cloud security activity events for Microsoft Teams more widely available, and Purview Audit Standard users will generate 15 new Microsoft Teams events that were previously available only to Audit Premium licensees.

Microsoft has announced that they will be offering the following events to all Audit Standard users from now on:

Over the past few months, Microsoft has been gradually rolling out its Copilot AI system, and it is now available without the previous minimum of 300 licenses. Business Premium customers can use it, and if you only want a single license, you can buy just one.

Before rolling out Copilot, or any other new technology, in Microsoft 365, review your permissions and configuration. Copilot can surface resources and documents that users did not previously know they could reach. For businesses that still keep files in traditional, on-premises storage, Copilot in Word and Outlook cannot reach that data at all.

Copilot relies on the Microsoft Graph and on the user's own permissions to access files stored in the cloud. If you have not restricted user permissions in your cloud storage locations, you may unknowingly expose sensitive data to users who can now find it through Copilot.

Just like with the issue of logging in Exchange, if you don't have the right licenses, you'll have to use Purview trial versions to look into and/or erase data from the Copilot infrastructure that wasn't meant to be indexed.

AI Testing & Policies: Ensure Proper Implementation

When dealing with anything related to artificial intelligence, I suggest setting up a test project and developing policies that establish what is acceptable within your company. Various forms of technology are incorporating AI, and it's possible that your users are already using AI tools in their interactions, even if you haven't officially launched any tools or technologies.

Make sure to have trial runs and a team dedicated to testing your company's policies and procedures. To assess your preparedness, take a look at the Usage reports in the Microsoft 365 admin center for Microsoft Copilot for Microsoft 365. This report will offer a summary of how advanced your company is in utilizing this technology.

Note that if you do not use the Current channel for Office and instead run one of the slower update channels, such as the Semi-Annual Enterprise Channel, those channels are not supported by Microsoft Copilot for Microsoft 365. Keep the effect of your patching channel on Copilot in mind.

Reviewing Other Cloud Services: Microsoft's New Capability

Microsoft knows that we don't only rely on their cloud, but we use various other cloud services as well. For this reason, they are developing Purview to be able to detect risks such as insider threats, intellectual property theft, and other indicators of risk across a variety of cloud services, including Azure, AWS, and other software as a service applications.

Attackers are using cloud file-sharing platforms such as Box, Google Drive, and Dropbox to distribute lures and phishing URLs to corporations. Purview plans to extend its Insider Risk Management connectors to cover these other cloud services, with rollout planned for March 2024.

Microsoft Purview is also introducing a preview service that detects offensive or inappropriate communication between the managers of your company. If you have Communication Compliance classifications in Azure Active Directory, expect this service to roll out to you sometime in 2024. Its purpose is to monitor communication among higher-ups and flag inappropriate language. To protect anonymity, usernames remain pseudonymized, and every investigation must go through an administrative review process.

Microsoft 365 is still undergoing some changes and advancements, and it's important for security teams to stay alert and take proactive measures to protect sensitive data. If you haven't implemented a more robust logging system, it's a good idea to explore your options now.


Susan Bradley has been patching since before the Code Red/Nimda days. When SQL Slammer hit, she was trying to buy something on eBay and wondering why the internet was so slow. She currently writes the Patch Watch column for Askwoody.com, moderates the PatchManagement.org listserv, and writes a column of Windows security tips for CSOonline.com. In her day job she is in charge of IT at Tamiyasu, Smith, Horn and Braun, where she manages a diverse range of devices, including Windows servers, Microsoft 365 deployments, Azure instances, desktops, Macs, iPads, iPhones, and Surface devices. She also conducts forensic computer investigations for the firm's litigation consulting arm. Susan blogs at https://www.askwoody.com/tag/patch-lady-posts/ and is active on Twitter at @sbsdiva. She keeps an eye on Twitter and Facebook, so if you are on Facebook with her, she does read what you post. Susan holds a SANS/GSEC certification in security and prefers Heavy Duty Reynolds wrap for her tinfoil hat.
