Microsoft is extending default retention of audit logs in Purview, part of a wider effort to boost visibility into malicious activity on its platforms after state-linked hackers stole thousands of emails from the U.S. State Department earlier this year.
Starting this month, default retention of security logs in Microsoft Purview Audit will double from 90 to 180 days for standard customers. Default retention for premium license holders will extend to one year, though they have the option to extend to 10 years.
The rollout will begin with worldwide enterprise customers and later extend to government customers.
The rollout was part of a wider security collaboration with the Cybersecurity and Infrastructure Security Agency following the state-linked hacks earlier this year, Microsoft said. The company cautioned that the new policy will not stop future attacks, but will help customers quickly respond to malicious activity.
“It is important to emphasize that log data, while an invaluable resource, is not a preventative measure against cyberattacks,” Rudra Mitra, corporate vice president, Microsoft Data Security and Compliance, said in a blog post last week. “Rather, it plays a pivotal role in incident response by helping uncover auditable insights into the methods by which various entities, such as user identities, applications, and devices interact with a customer’s cloud-based services.”
The logs retain thousands of user and admin activities for Microsoft 365 applications, the company said. Authorized administrators will be able to search the Microsoft Purview Audit compliance portal to determine the scope of any potential attacks.
In July, a cyber espionage group tracked as Storm-0558 hacked the email accounts of about 25 different Microsoft customers by stealing an inactive consumer signing key.
The hackers managed to steal about 60,000 emails from the State Department. Federal officials notified Microsoft about the malicious activity because they had access to security logs and could see what the hackers had done.
Microsoft faced severe backlash from federal officials who raised concerns about the security of the company’s products and how it forced customers to pay additional money to access audit logs.
CISA and the White House have pushed the software industry to make product security a central feature of their products, making sure that products are safe out of the box and that customers are not forced to pay a premium and make complicated configuration changes to ensure their systems aren’t vulnerable to attack.