Microsoft has notified customers that security logs for some of its cloud products have been missing for more than two weeks, leaving network defenders without critical data to detect potential intrusions.
According to a notice sent to affected customers, between September 2 and September 19 “there was a bug in one of Microsoft's internal monitoring agents that caused it to upload log data to an internal logging platform. At that time, some agents malfunctioned.”
The notice states that the logging outage was not caused by a security incident and “only affected the collection of log events.”
Business Insider first reported the loss of log data in early October. Details of the notification have not been widely reported. As security researcher Kevin Beaumont pointed out, the notifications Microsoft sends to affected companies may only be accessible by a small number of users with tenant administrator privileges.
Logs help track events within the product, such as information about user sign-ins and failed attempts, and can help network defenders identify suspected intrusions. Missing logs can make it more difficult to identify unauthorized access to the customer's network during that two-week period.
According to a Business Insider report, affected products include Microsoft Entra, Sentinel, Defender for Cloud, and Purview. Affected customers “may experience potential gaps in security-related logs and events that may impact their ability to analyze data, detect threats, or generate security alerts,” the notice states.
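A collection outage like the one described above shows up in a tenant's exported logs as a stretch of time with no events at all. The following gap finder is an added example, not Microsoft's code or tooling: it takes a list of event timestamps (constructed sample data here; the year 2024 and the hypothetical sign-in stream are assumptions) and reports any silence longer than a threshold, then checks whether those silences overlap a window of interest such as the September 2 to 19 period in the notice.

```python
from datetime import datetime, timedelta

# Constructed sample: timestamps of ingested sign-in events for a hypothetical tenant.
# Collection stops after the third event and resumes on September 19.
SAMPLE_EVENTS = [
    "2024-09-01T23:50:00Z",
    "2024-09-02T00:05:00Z",
    "2024-09-02T00:20:00Z",
    "2024-09-19T08:00:00Z",
    "2024-09-19T08:10:00Z",
]

def parse_ts(text):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")

def find_gaps(timestamps, max_silence=timedelta(hours=1)):
    """Return (start, end, duration) for every pair of consecutive events
    separated by more than max_silence. Input order does not matter."""
    ordered = sorted(parse_ts(t) for t in timestamps)
    gaps = []
    for prev, cur in zip(ordered, ordered[1:]):
        if cur - prev > max_silence:
            gaps.append((prev, cur, cur - prev))
    return gaps

def gaps_in_window(gaps, window_start, window_end):
    """Keep only the gaps that intersect [window_start, window_end)."""
    return [g for g in gaps if g[0] < window_end and g[1] > window_start]

def report(timestamps, window_start, window_end, max_silence=timedelta(hours=1)):
    """Human-readable summary of silences overlapping the window of interest."""
    hits = gaps_in_window(find_gaps(timestamps, max_silence), window_start, window_end)
    lines = [f"{s.isoformat()}Z .. {e.isoformat()}Z  silent for {d}" for s, e, d in hits]
    return "\n".join(lines) if lines else "no gaps in window"

if __name__ == "__main__":
    # Window from the notice: September 2 through September 19 (year assumed).
    print(report(SAMPLE_EVENTS, datetime(2024, 9, 2), datetime(2024, 9, 20)))
```

Pick max_silence from the tenant's own baseline (a quiet tenant may legitimately see no sign-ins overnight), and run the check per log source, since the notice covers several products that may not all have gone silent at the same time.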
Microsoft did not respond to specific questions about the logging suspension, but a Microsoft executive confirmed to TechCrunch that the incident was caused by an “operational bug within an internal monitoring agent.”
“We have mitigated the issue by rolling back the service changes. We are contacting all affected customers and will provide support as needed,” said John Sheehan, Microsoft corporate vice president.
The logging outage comes a year after Microsoft came under fire from federal investigators for withholding security logs from some U.S. federal government departments that host their email on the company's hardened government cloud, following a series of Chinese-backed intrusions.
A Chinese-backed intruder called Storm-0558 broke into Microsoft's network and stole a digital skeleton key that gave the hackers unfettered access to U.S. government emails stored in Microsoft's cloud. A government-issued post-mortem analysis of the cyberattack said the State Department identified the intrusion because it paid for an advanced Microsoft license that allows access to the security logs of its cloud products, and that many of the other U.S. government agencies that were hacked had not obtained this license.
In response to the Chinese-backed hack, Microsoft has announced that it will start providing logs to low-cost cloud accounts starting in September 2023.
Carly Page contributed reporting.