Today, CISA released the Microsoft Expanded Cloud Logs Implementation Playbook to help organizations get the most out of Microsoft’s newly introduced logs in Microsoft Purview Audit (Standard). This step-by-step guide enables technical personnel to better detect and defend against advanced intrusion techniques by operationalizing expanded cloud logs.
The playbook details analytical methodologies tied to using these logs. Specifically, the playbook offers:
- An overview of the newly introduced logs in Microsoft Purview Audit (Standard) that enable organizations to conduct forensic and compliance investigations by accessing critical events (e.g., mail items accessed, mail items sent, and user searches in SharePoint Online and Exchange Online).
- A description of administration/enabling actions and ingestion of these logs to Microsoft Sentinel and Splunk Security Information and Event Management (SIEM) systems.
- A discussion of significant events in other M365 services, such as Teams.
CISA encourages organizations to use the playbook to make newly available logs an actionable part of their enterprise cybersecurity operations.
This article has been indexed from All CISA Advisories