CISA, OMB, ONCD and Microsoft collaborate on new logging playbook for Federal agencies

February 22, 2024

As part of our efforts to increase security defaults and follow the principle of secure by design, we are happy to share that a feature change initiated by Microsoft engineering will enable more logging capabilities for Purview Audit (Standard). We have worked closely with the Executive Office of the President (EOP), the Office of the National Cyber Director (ONCD), and the Cybersecurity and Infrastructure Security Agency (CISA) to prioritize this effort for U.S. government customers. This data will provide new telemetry to assist in meeting OMB 21-31 logging requirements for customers without E5 capability. This data enhances threat hunting capabilities for business email compromise (BEC), advanced nation-state threat activities, and possible insider risk scenarios. We are striving to ensure your organization can leverage these additional audit capabilities as quickly as possible. To assist in this, Microsoft and CISA will also be providing the Microsoft Expanded Cloud Log Implementation Playbook which will provide an in-depth look at each of the new log events and how they can be used to support hunting and incident response operations at your organization.  

 

CRITICAL INFORMATION:

There are no prerequisite actions for your organization. These added logging capabilities will be enabled by default (excluding SearchQueryInitiatedExchange and SearchQueryInitiatedSharePoint; see below).

  1. Unified Audit Log (UAL) Ingestion Size
    1. The expanded logging capabilities will significantly increase (up to 10x) the data flowing into your SIEM or other security appliance if you are currently ingesting Office 365 Unified Audit Logs (UAL).
    2. Your organization should plan accordingly in your Extract, Transform, and Load (ETL) processes to ensure no unexpected SIEM expenses occur.
  2. Retention
    1. At a minimum, Microsoft will log and store on your behalf for 180 days in Purview Compliance; no additional action is required for that change.
    2. This is an increase from 90 days for previous Audit (Standard) customers.
  3. SearchQueryInitiatedExchange and SearchQueryInitiatedSharePoint
    1. These are critical log events necessary for capturing the threat actor behavior outlined in the Microsoft Expanded Cloud Log Implementation Playbook.
    2. These log events are not enabled by default; it is strongly recommended to enable them as outlined in the Microsoft Expanded Cloud Log Implementation Playbook, in Step 4: Enable Audit (Premium) events.

 

BACKGROUND:  

Vasu Jakkal recently announced an expansion of Microsoft’s cloud logging accessibility in her blog post Expanding Cloud Logging to Give Customers Deeper Security Visibility. This message was reinforced by Rudra Mitra in a follow-up blog post, Expanding Audit Logging and Retention within Microsoft Purview for Increased Security Visibility. If you have not done so, please take a moment to read those posts; they cover, at a high level, the context for the initiative. This change will impact government departments and agencies who do not currently have access to Microsoft Purview Audit (Premium) (E5/G5/Compliance Mini-Suite). Those that do have Audit (Premium) retain its additional capabilities of intelligent insights and extended retention periods, in addition to higher bandwidth and prioritized access to the API.

 

The new logging capabilities will now offer government Microsoft 365 E3 customers detailed logs of access to email (via MailItemsAccessed) and, if configured, of the search strings users enter in both SharePoint and Exchange (via UserSearchQueries). This data gives you powerful insights to hunt for and detect business email compromise (BEC), advanced nation-state threats, and insider risks that seek to gain access to your organization’s most sensitive information.

 

To aid in operationalizing these added capabilities, Microsoft has partnered with CISA to jointly publish the Microsoft Expanded Cloud Log Implementation Playbook. The intent of this playbook is to provide cyber defenders with an overview of the critical logging events that have been added, including descriptions, data fields, and insights on their usability from a forensics and incident response perspective. The playbook also gives key instructions for enabling SearchQueryInitiatedExchange and SearchQueryInitiatedSharePoint and for ensuring that other log events have not been inadvertently disabled (including instructions for re-enabling them). Lastly, the playbook provides a threat-actor-behavior-driven approach for leveraging the added logging capabilities to detect even the most advanced state-sponsored activities. These behaviors include Credential Access, Exfiltration, and Impact, with both proactive and reactive analytical methodologies for each. In addition, the playbook provides cyber defenders with KQL-based Advanced Hunting queries that can be used as templates for detecting the threat actor behaviors described in each scenario. Although it is not an all-encompassing document, this playbook is designed to be a force multiplier for our U.S. government partners, ensuring they are leveraging this data to the fullest extent possible.
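As an added illustration of the hunting use described in the two paragraphs above (this is not code from the playbook or from Microsoft), here is a small Python triage over constructed UAL records: it flags folder-level MailItemsAccessed Sync and SearchQueryInitiatedExchange events coming from a source IP outside a user's baseline, and surfaces throttled MailItemsAccessed records as audit gaps. The record layout, the ClientIP and QueryText field names, and the IsThrottled/MailAccessType property values are assumptions about the UAL schema that you should verify against your own export.

```python
import json

# Constructed sample Unified Audit Log (UAL) records for this example; not real
# tenant data. Assumed schema (check against your own export): MailItemsAccessed
# records carry OperationProperties with MailAccessType ("Bind" = one item opened,
# "Sync" = whole folder synced) and IsThrottled ("True" = audit rate-limited, so
# further accesses in that window were NOT recorded); ClientIP is the source IP.
SAMPLE_UAL = """
{"CreationTime":"2024-02-20T09:01:00","Operation":"MailItemsAccessed","UserId":"alice@agency.example","ClientIP":"203.0.113.10","OperationProperties":[{"Name":"MailAccessType","Value":"Bind"},{"Name":"IsThrottled","Value":"False"}]}
{"CreationTime":"2024-02-20T09:05:00","Operation":"MailItemsAccessed","UserId":"alice@agency.example","ClientIP":"198.51.100.7","OperationProperties":[{"Name":"MailAccessType","Value":"Sync"},{"Name":"IsThrottled","Value":"False"}]}
{"CreationTime":"2024-02-20T09:07:00","Operation":"MailItemsAccessed","UserId":"bob@agency.example","ClientIP":"203.0.113.10","OperationProperties":[{"Name":"MailAccessType","Value":"Bind"},{"Name":"IsThrottled","Value":"True"}]}
{"CreationTime":"2024-02-20T09:09:00","Operation":"SearchQueryInitiatedExchange","UserId":"alice@agency.example","ClientIP":"198.51.100.7","QueryText":"password reset"}
"""

# Per-user baseline of source IPs already seen in normal activity (constructed).
KNOWN_IPS = {"alice@agency.example": {"203.0.113.10"},
             "bob@agency.example": {"203.0.113.10"}}


def op_prop(record, name):
    """Return the value of the named OperationProperties entry, or None."""
    for prop in record.get("OperationProperties", []):
        if prop.get("Name") == name:
            return prop.get("Value")
    return None


def triage(ual_text, known_ips):
    """Walk newline-delimited UAL JSON and return (user, ip, reason) findings."""
    findings = []
    for line in ual_text.strip().splitlines():
        rec = json.loads(line)
        user, ip, op = rec["UserId"], rec.get("ClientIP"), rec["Operation"]
        unseen_ip = ip not in known_ips.get(user, set())
        if op == "MailItemsAccessed":
            # A throttled record means the trail is incomplete for that window:
            # treat the scope of access as unknown, not as "one item".
            if op_prop(rec, "IsThrottled") == "True":
                findings.append((user, ip, "throttled: audit gap, access scope unknown"))
            # Folder-level Sync from an IP the user has never used is the
            # mailbox-collection pattern to pull for analyst review.
            if op_prop(rec, "MailAccessType") == "Sync" and unseen_ip:
                findings.append((user, ip, "folder Sync from unseen IP"))
        elif op == "SearchQueryInitiatedExchange" and unseen_ip:
            findings.append((user, ip, "search from unseen IP: " + rec.get("QueryText", "")))
    return findings
```

On the constructed sample, `triage(SAMPLE_UAL, KNOWN_IPS)` returns three findings: alice's folder Sync from an unseen IP, bob's throttled record, and alice's search from the same unseen IP.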

 

This shift to provide increased logging for all customers worldwide will take time. A phased rollout approach will be utilized to ensure that backplane capacities and other performance metrics are closely monitored. However, we have prioritized our federal customers, and we are striving to ensure those who are not currently leveraging an E5 license receive this logging expansion as quickly as possible. This communication is to inform our government partners that all remaining customers in GCC, GCC-H, and DoD environments will be receiving these expanded logging capabilities in a staggered deployment over the next 30 days.  

 

 

About the Author 

 

Casey Kahsen is an accomplished information security professional with over 15 years of experience across government, international, critical infrastructure, and private sectors. Specializing in malware analysis, digital forensics, incident response, and cyber threat intelligence, Casey has effectively enhanced national cybersecurity measures and international partnerships. His expertise in leading technical teams through the full spectrum of onsite hunt and incident response engagements demonstrates a strategic balance of operational excellence, innovation, and skill development.

In his career, Casey has been instrumental in executing high-impact incident response and proactive hunt operations within significant U.S. Federal entities, managing complex environments of over 250,000 endpoints. This includes pioneering a methodology for nation-state cyber campaign documentation and tracking, which was leveraged by U.S. departments and shared with international allies to improve cyber defensive strategies.

In his current role at Microsoft, Casey is part of the Federal Security team, where he is a Sr. Technical Specialist focusing on incident response, threat hunting, and critical infrastructure. In this role, he supports the US Federal Government in its most complex cybersecurity challenges, ensuring effective communication, collaboration, and problem-solving skills are applied to combating our nation’s most persistent cyber threats.

 

 




