The Cybersecurity and Infrastructure Security Agency (CISA), in close coordination with the Office of Management and Budget (OMB), the Office of the National Cyber Director (ONCD) and Microsoft, announces today the release of the Microsoft Expanded Cloud Log Implementation Playbook. This guidance helps public and private sector organizations using Microsoft Purview Audit (Standard) operationalize newly available cloud logs as an actionable part of their enterprise cybersecurity operations.
The playbook provides guidance on each newly available log and on how these logs can be enabled and operationalized to support threat hunting and incident-response operations. It provides organizations with scenario-based analysis of the common tactics related to identity-based compromises. It also provides best practices for navigating M365 logs and for performing the administrator actions that enable the logs, to help cyber defenders detect malicious activity.
“CISA is pleased to provide this playbook to help organizations effectively use newly introduced Microsoft security logs to strengthen their cyber defense. We value the collaboration with our government partners and Microsoft which informed this valuable resource,” said CISA Director Jen Easterly. “Necessary security logs are critical for all organizations to protect their networks. We are pleased to see this progress and continue work to ensure greater adoption of Secure by Design principles.”
“Today’s release of the playbook is a result of close collaboration with our federal and private sector partners,” said National Cyber Director Harry Coker Jr. “The upgraded logging features available will enable network defenders to enhance their threat detection capabilities. Every organization should bolster their security and this playbook is another step in the right direction to achieve those goals.”
“With the final publication of the Enhanced Logging Playbook, we are not only providing the critical tools to detect ever-evolving cyber threats through advanced audit logs, but providing the resources necessary to help our defenders to effectively leverage these tools to protect their networks,” said Candice Ling, Senior Vice President, Microsoft Federal. “Microsoft remains committed to partnering with the federal government to prioritize security above all else.”
In 2023, Microsoft announced expanded cloud logging for public entities using Microsoft Purview Audit (Standard) regardless of Microsoft license tier. Last year, CISA announced that Federal Civilian Executive Branch agencies had expanded cloud logging capabilities. Previously, these logs were only available to Audit Premium subscription customers.