Microsoft extends Purview logging (after Storm-0558 hack)

[German]Following the devastating hack of Microsoft Cloud (Exchange Online and Outlook accounts were compromised by the Storm-0588 group), the vendor had already released its previously paid access to Microsoft Purview audit logs for free use by customers. Then, effective Oct. 18, 2023, Microsoft announced expanded audit logging and retention in Microsoft Purview. This is intended to provide greater security transparency, according to the vendor.


In July 2023, Microsoft had released the previously paid access to the Audi logging Purview Logging for free use by its customers after pressure from the US security authority. Since September 2023, access to Microsoft Purview audit logs has been available to customers around the world.

Expanding auditing with Purview

In blog post Expanding audit logging and retention within Microsoft Purview for increased security visibility, dated October 18, 2023, Microsoft announces more innovation (Bleeping Computer noticed it first).

  • Starting in October 2023, Microsoft has begun extending the retention period for audit logs created by Audit (Standard) customers from 90 to 180 days.
  • For Audit (Premium) license holders, the standard retention period of one year will continue to apply, with the option to extend it up to 10 years.

Microsoft's public roadmaps detail when the changes, beginning for enterprise customers worldwide, followed by government customers, will reach specific organization for log retention.

Customers with Purview Audit (Standard) licenses are expected to gain access to additional logs of email access and 30 other Yammer/Viva Engage, Teams, Exchange and Sharepoint events, previously available only to customers with Premium licenses, starting in December 2023.

The additional logging data will be deployed in a staggered rollout process, with the final phase being reached in September 2024. At that time, Microsoft will begin adding MailItemsAccessed, Send, SearchQueryInitiatedExchange and SearchQueryInitiatedSharepoint events to its cloud security activity logs for Microsoft Exchange and SharePoint.


This move is designed to help all organizations mitigate risk by enabling customers to access audit log data recorded by Purview to investigate and prove access to accounts and data in the event of a security breach or litigation.

Microsoft Purview Logging

Microsoft Purview records daily audit logs of thousands of user and admin activities that take place in Microsoft 365 applications. Authorized administrators can search and access the logs through the Microsoft Purview compliance portal. This allows, if accounts are compromised, to determine the scope of access and conduct investigations into a compromise. Audit (standard) license holders are expected to have access to an additional 30 audit logs listed in Microsoft's post in the coming months.

Background: The Storm-0558 hack

The background is the hack of Exchange Online and Outlook accounts by the suspected Chinese hacker group Storm-0558 in May 2023 – I had reported in the blog post China hacker (Storm-0558) accessed Outlook accounts in Microsoft's cloud. The hack was announced by Microsoft blog post Microsoft mitigates China-based threat actor Storm-0558 targeting of customer email as of July 11, 2023. The hack was discovered by a customer (US State Department) after they noticed unusual access to accounts. An investigation was only possible because this customer had insisted on free deployment of Purview before deciding to use Exchange Online. Other customers had to pay for audit access to Purview log data.

After the incident, the U.S. cybersecurity agency CISA put pressure on Microsoft, so that Microsoft decided to provide audit access to the Purview log data – at least in basic variants – free of charge. I had reported on this decision in the blog post After CISA report on Storm-0558 hack, Microsoft provides customers with enhanced cloud logging. The entire disaster (basically the entire Microsoft cloud including all services and apps is considered compromised) including the Microsoft failures around the Storm-0558 hack can be read in the articles linked below.

Similar articles:
China hacker (Storm-0558) accessed Outlook accounts in Microsoft's cloud
Follow-up to the Storm-0558 cloud hack: Microsoft is still in the dark
After CISA report on Storm-0558 hack, Microsoft provides customers with enhanced cloud logging
Stolen AAD key allowed (Storm-0558) wide-ranging access to Microsoft cloud services
Microsoft's Storm-0558 cloud hack: US senator among the victims
Microsoft's Storm-0558 cloud hack: MSA key comes from Windows crash dump of a PC

Microsoft as a Security Risk? U.S. senator calls for Microsoft to be held accountable over Azure cloud hack– Part 1
Microsoft as a Security Risk? Azure vulnerability unpatched since March 2023, heavy criticism from Tenable – Part 2

Cookies helps to fund this blog: Cookie settings

This entry was posted in Cloud and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *