CISA Publishes Microsoft Expanded Cloud Log Implementation Playbook

Source: US Department of Homeland Security

Guides organizations in using new logging capabilities to detect and defend against sophisticated cyber threat actors

WASHINGTON – The Cybersecurity and Infrastructure Security Agency (CISA), in close coordination with the Office of Management and Budget (OMB), the Office of the National Cyber Director (ONCD) and Microsoft, announces today the release of the Microsoft Expanded Cloud Log Implementation Playbook. This guidance helps public and private sector organizations using Microsoft Purview Audit (Standard) to operationalize newly available cloud logs so that they become an actionable part of their enterprise cybersecurity operations.

The playbook provides guidance on each newly available log and on how these logs can be enabled and operationalized to support threat hunting and incident-response operations. It provides organizations with scenario-based analysis of the common tactics related to identity-based compromises. It also provides best practices for navigating M365 logs and performing the administrator actions needed to enable the logs, helping cyber defenders detect malicious activity.

“CISA is pleased to provide this playbook to help organizations effectively use newly introduced Microsoft security logs to strengthen their cyber defense. We value the collaboration with our government partners and Microsoft which informed this valuable resource,” said CISA Director Jen Easterly. “Necessary security logs are critical for all organizations to protect their networks. We are pleased to see this progress and continue work to ensure greater adoption of Secure by Design principles.”

“Today’s release of the playbook is a result of close collaboration with our federal and private sector partners,” said National Cyber Director Harry Coker Jr. “The upgraded logging features available will enable network defenders to enhance their threat detection capabilities. Every organization should bolster their security and this playbook is another step in the right direction to achieve those goals.”

“With the final publication of the Enhanced Logging Playbook, we are not only providing the critical tools to detect ever-evolving cyber threats through advanced audit logs, but providing the resources necessary to help our defenders to effectively leverage these tools to protect their networks,” said Candice Ling, Senior Vice President, Microsoft Federal. “Microsoft remains committed to partnering with the federal government to prioritize security above all else.”

In 2023, Microsoft announced expanded cloud logging for public entities using Microsoft Purview Audit (Standard) regardless of Microsoft license tier. Last year, CISA announced that Federal Civilian Executive Branch agencies had expanded cloud logging capabilities. Previously, these logs were only available to Audit Premium subscription customers.

Secure by Design is integral to helping organizations better defend their networks from malicious cyber actors. With our government and industry partners, CISA continues our work to ensure every organization has access to key security data by default and products that are secure by design.

Organizations using Microsoft E3/G3-and-above licensing are encouraged to review this guide.

###

About CISA

As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.

Visit CISA.gov for more information and follow us on X, Facebook, LinkedIn, and Instagram.