If you happen to be in charge of security posture at a US federal agency, you will want to ensure that you have jumped on the increased logging capabilities that Microsoft recently announced are coming to these organizations.
While the US Cybersecurity and Infrastructure Security Agency (CISA) and Microsoft are making progress on these government customers and their logging needs, everyone else will have to rely on trial versions of Purview to perform additional logging needed in the case of investigations.
It’s unclear when Microsoft will roll out this additional logging to its non-Purview customer base.
“Microsoft and CISA will also be providing the Microsoft Expanded Cloud Log Implementation Playbook which will provide an in-depth look at each of the new log events and how they can be used to support hunting and incident response operations at your organization,” Microsoft said in its blog post.
As Microsoft notes, these expanded logging capabilities will be enabled by default for federal organizations. Two of them, SearchQueryInitiatedExchange and SearchQueryInitiatedSharePoint, will not be enabled by default and will require additional action.
Microsoft’s new logging may require extra planning
But be aware that your processes for ingesting log files with your current SIEM and storage of these log files may need some management planning. The expansion of logging will increase the log size significantly, so if you currently store these logs, plan ahead for an increase in size as well as performance impact on devices and throughput.
These additional logs will be stored by default in Purview Compliance for 180 days. This is an increase from the previous default standard of 90 days.
While it’s recommended that SearchQueryInitiatedExchange and SearchQueryInitiatedSharePoint are enabled, it would also be prudent to plan for additional storage and possible bandwidth adjustments that will need to be made for them.
Microsoft Purview license holders to get additional logging soon
Microsoft will be expanding access to additional logging for current non-federal users of Purview in the months ahead.
As Microsoft notes: “Standard users of Purview Audit will begin to generate four new Microsoft Exchange and SharePoint events that were previously generated only for Audit Premium licensed users: MailItemsAccessed, Send, SearchQueryInitiatedExchange, and SearchQueryInitiatedSharepoint. The following logs will differ based on the user’s license and additional metadata will be added to Exchange logs when the user is assigned an Audit Premium license: SensitivityLabel for MailItemsAccessed.”
Be aware that MailItemsAccessed allows an investigator to know if an attacker has actually read a mail item or document, and thus it’s often key to determining exactly what attackers were able to look at and extract. It’s expected that more updates to this will be rolled out in mid-2024.
Similarly, Teams will be getting additional logging. As Microsoft noted: “Microsoft Purview is expanding access to wider cloud security activity events for Microsoft Teams. As part of the changes, standard users of Purview Audit will begin to generate 15 new Microsoft Teams events that were previously generated only for Audit Premium licensed users.”
According to Microsoft, the following events will now be provided for all Audit Standard users:
- MeetingParticipantDetail
- MessageSent
- MessagesListed
- MeetingDetail
- MessageUpdated
- ChatRetrieved
- MessageRead
- MessageHostedContentRead
- ChatCreated
- ChatUpdated
- MessageCreatedNotification
- MessageDeletedNotification
- MessageUpdatedNotification;
- SubscribedToMessages
- MessageHostedContentsListed
The Copilot AI tool can also introduce security risks to Microsoft 365
Microsoft has been rolling out its Copilot artificial intelligence platform for several months and now offers it up without the requirement of a 300-license minimum — customers in the business premium tier can take advantage of it and single license purchases are available.
But before rolling out Copilot, or any new technology in the Microsoft 365 suite, one needs to review permissions and settings. Copilot in particular may expose users to resources and files they were not aware that they had access to. If you are a firm with traditional file storage, Copilot in Word and Outlook won’t be able to review the information you have stored.
The technology relies on Microsoft Graph and the permissions the user has on files stored in the cloud. If you have not taken steps to limit user rights in a cloud storage location, you may inadvertently expose sensitive information to your users.
Similar to the Exchange logging situation, unless you have the proper licenses in place, you will need to rely on trial versions of Purview in order to investigate and/or remove data from the Copilot infrastructure that you didn’t intend to have indexed.
Make sure AI testing and policies are in place
My recommendation in regard to anything with artificial intelligence is to ensure that you have a testing project in place and appropriate policies regarding what is acceptable in your firm. AI is being placed in many technologies and you may not realize that your users already have the ability to use AI tools in their interactions even without rolling out official tools and technologies.
Ensure that you have pilot projects and a testing team already working on your policies and procedures. You can review your readiness in the Microsoft 365 admin center: Usage reports – Microsoft Copilot for Microsoft 365 which gives you an overview of your Company readiness for this technology.
Susan Bradley
Note that if you do not use the Current channel for Office and rely instead on slower updating channels such as the semi-annual enterprise channel, these are not supported for Microsoft Copilot for 365 — be aware of patching channels and their impact on Copilot.
Microsoft to provide review capability for other cloud services
Microsoft also is aware that we don’t just use their cloud, but many other cloud services. Thus, Purview is also being enhanced with the capacity to review for insider risks, IP theft, and other risk indicators across multiple cloud services such as Azure, AWS and other SaaS applications.
Attackers are using such cloud file sharing services as Box, Dropbox, and Google Drive to provide lures and phishing links across organizations. Purview is adding its Insider Risk Management portal to support these multi-clouds starting in March 2024.
Microsoft Purview will also preview a service that will review and detect if there is offensive or inappropriate communications going on between managerial levels. If your firm includes Communication compliance classifications in Azure Active Directory, starting in mid-2024, Microsoft will roll out a preview of a service to monitor such communication and flag inappropriate language. The usernames will be pseudonymized and investigations will be approved by an administrative review.
Microsoft 365 is truly a work in progress and security teams need to be proactive and vigilant for the impact of changes and new features on security posture and the exposure of sensitive information. If you do not currently have enhanced logging, you need to review your options accordingly.