Microsoft Expanded Cloud Logs Implementation Playbook
This playbook provides a detailed overview of the newly introduced logging capabilities in Microsoft Purview Audit (Standard). These capabilities enable organizations to conduct forensic and compliance investigations by accessing critical events such as:
- Mail items accessed,
- Mail items sent, and
- User searches in SharePoint Online and Exchange Online.
These capabilities also allow organizations to monitor and analyze thousands of user and admin operations performed across dozens of Microsoft services and solutions. In addition, the playbook covers the administrative actions required to enable these logs and the ingestion of these logs into Microsoft Sentinel and Splunk Security Information and Event Management (SIEM) systems.
The desired outcome of this playbook is to empower enterprises seeking to operationalize these expanded cloud logs in their M365 tenant. It provides guidance on how to navigate to the logs within M365, how to perform the administrative actions that enable them, and how to make them an actionable part of enterprise cybersecurity operations. The playbook also covers, in detail, analytical methodologies for using these logs to detect advanced threat actor behavior.
Audience
The playbook is written for use by technical personnel responsible for log collection, aggregation, correlation, and incident-response orchestration at government agencies and enterprises with Microsoft E3/G3-and-above licensing. This release includes clients in all Microsoft identity boundaries. Previously, these logs were available only to Audit Premium subscription customers and were released first to the Department of Defense and federal agencies to protect U.S. national security interests.
To provide feedback on the playbook or to request additional information, please contact CISA’s Federal Enterprise Improvement Team (FEIT) at CISA-FEIT@cisa.dhs.gov.