Hi All,
CISA just published CISA Microsoft Expanded Cloud Logs Implementation Playbook
This playbook provides an overview of the newly introduced logs in Microsoft Purview Audit (Standard), which enable organizations to conduct forensic and compliance investigations by accessing critical events, such as mail items accessed, mail items sent, and user searches in SharePoint Online and Exchange Online. In addition, the playbook also discusses significant events in other M365 services such as Teams. Lastly, administration/enabling actions and ingestion of these logs to Microsoft Sentinel and Splunk Security Information and Event Management (SIEM) systems are covered in detail.
The desired outcome of this playbook is to empower enterprises seeking to operationalize these expanded cloud logs in their M365 tenant. It provides guidance on how to navigate to the logs within M365 and how to perform administration actions to enable the logs. A key outcome from the playbook is making the newly available logs an actionable part of enterprise cybersecurity operations. The analytical methodologies tied to using these logs to detect advanced threat actor behavior are covered in detail.
------------------------------
Michael Roza CPA, CISA, CIA, CC, CCSKv5, CCZTv1, MBA, EMBA, CSA
------------------------------