Erik Remmelzwaal – 22 June 2023
Many organizations can only look back 7 days in their Microsoft365 logs. Far too little to adequately respond to incidents such as CEO Fraud and Ransomware. It is therefore important to understand the possibilities for extending that term.
Logging against CEO Fraud
The threat of CEO fraud is an everyday occurrence. Hackers impersonate an official in an organization, usually a high-ranking one, to deceive someone else, usually into making a payment. If done properly, it may take some time before the hack is noticed. At that point, we want to look back through the logs of the email and IT systems to understand how it happened, and whether the hacker still has access.
To look back, we need logs. If your organization uses Microsoft365, the audit and sign-in logs are very relevant. These tell when, how and from where someone logged into a particular account. These logs are available in the Azure Active Directory component, or Azure AD. This is the part of the Microsoft service in which the user accounts of your colleagues are managed, i.e. login names and passwords, and in which a log is also kept of their login attempts and actions.
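The kind of question an investigator asks of these sign-in logs after a CEO-fraud report is "where has this account been signing in from, and is anything recent out of the ordinary?". The script below is an added example, not code from the original article or from Microsoft: it pulls the Azure AD sign-in log for one account through the Microsoft Graph PowerShell SDK, builds a baseline of the countries seen in the older part of the window, and lists the recent successful sign-ins from countries not in that baseline. It assumes the Microsoft.Graph.Reports module is installed and that the tenant holds Azure AD P1 or P2 (the Graph sign-in endpoint requires it); the account name, look-back window and baseline split are placeholders.

```powershell
# Added example (not from the original article): list recent sign-ins for one account
# from countries not seen earlier in the retained log. Assumes Microsoft.Graph.Reports
# is installed and the tenant has Azure AD P1/P2. Account and window are placeholders.

Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

$Upn          = "cfo@example.com"   # placeholder: account under investigation
$WindowDays   = 30                  # Azure AD Free keeps 7 days, P1/P2 keep 30
$BaselineDays = 7                   # sign-ins older than this form the "known countries" baseline

$Since = (Get-Date).ToUniversalTime().AddDays(-$WindowDays).ToString("yyyy-MM-ddTHH:mm:ssZ")

# Graph filter on user and time window; success/failure is filtered client-side below.
$SignIns = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$Upn' and createdDateTime ge $Since" -All

# Keep only successful sign-ins (errorCode 0); failed attempts are noise for this question.
$Successful = $SignIns | Where-Object { $_.Status.ErrorCode -eq 0 }

$Cutoff = (Get-Date).ToUniversalTime().AddDays(-$BaselineDays)

# Countries the account normally signs in from, taken from the older part of the window.
$KnownCountries = $Successful |
    Where-Object { $_.CreatedDateTime -lt $Cutoff } |
    ForEach-Object { $_.Location.CountryOrRegion } |
    Sort-Object -Unique

# Recent sign-ins whose country is not in the baseline.
$Unusual = $Successful |
    Where-Object { $_.CreatedDateTime -ge $Cutoff -and ($KnownCountries -notcontains $_.Location.CountryOrRegion) }

Write-Host "Baseline countries for $Upn (older than $BaselineDays days): $($KnownCountries -join ', ')"
Write-Host "Recent successful sign-ins from countries outside the baseline: $($Unusual.Count)"

$Unusual |
    Select-Object CreatedDateTime, IpAddress,
        @{ Name = "City";    Expression = { $_.Location.City } },
        @{ Name = "Country"; Expression = { $_.Location.CountryOrRegion } },
        AppDisplayName, ClientAppUsed, ConditionalAccessStatus |
    Sort-Object CreatedDateTime |
    Format-Table -AutoSize
```

The baseline is only as good as the history behind it: with Azure AD Free's 7-day retention there is nothing older than the cutoff to compare against, which is exactly the limitation the article describes.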
Standard: 7 days
Organizations that only use Microsoft365 as an email service (and maybe a bit of Teams and OneDrive) usually have a cheap or limited license, for example Business Basic or Exchange Online. Those license types come with the basic form of Azure AD: Azure AD Free. In this form, all sign-in and audit logs are kept for only 7 days.
7 days is really short. It will often happen that an incident is not discovered within that time and/or started earlier. Questions like "How did this happen?" or "Has the hacker performed any other malicious actions?" can hardly be answered. And certainly with the stricter requirements for incident reporting under NIS2, it is wise to increase that retention.
Azure AD P1 or P2: 30 days
To retain logs for 30 days, an extension of the Azure AD license to P1 or P2 is required. This can be done by purchasing this specific component, or by purchasing a more extensive license package that already includes it.
A Business Premium or E3 license includes Azure AD P1 and a host of other useful functionality.
Azure AD P2 goes a step further, storing risky sign-in logs for 90 days. These are cases where Microsoft itself has already determined that the login attempt is potentially suspicious.
See here for more information about the differences between Free, P1 and P2 licenses.
Sentinel: 90 days
Those who want to be able to look back even longer will have to store the generated logs in separate log storage. Microsoft also offers a solution for this in the form of their storage subscriptions. And Microsoft Sentinel is a very valuable tool for searching the logs properly and for raising a real-time alarm in the event of suspicious activity. This is Microsoft's SIEM product, which is specifically intended to collect and search logs. It is part of every Microsoft license, but it is not enabled by default.
The data sent to Microsoft Sentinel can be stored for 90 days at no cost in some cases. But you have to configure it that way. If you want to keep logs longer, or keep log sources that fall outside the scope of the free scheme, costs will be charged. To estimate how this will work out in your own situation, it is possible to create a trial subscription, which allows you to test for free for 3 months and see how much data your environment consumes.
Read more here: Sentinel and free data sources.
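"You have to configure it that way" in practice means checking the retention on the Log Analytics workspace behind Sentinel and raising it when it is below the 90 days the article mentions. The script below is an added example, not code from the original article or from Microsoft: it reads the workspace's current retention with the Az.OperationalInsights module and only changes it when it is lower than the target. The resource group and workspace names are placeholders for your own environment, and it assumes Az.Accounts and Az.OperationalInsights are installed.

```powershell
# Added example (not from the original article): read the retention of the Log Analytics
# workspace behind Microsoft Sentinel and raise it to 90 days if it is lower.
# Requires Az.Accounts and Az.OperationalInsights; names below are placeholders.

Connect-AzAccount

$ResourceGroup = "rg-security"    # placeholder: resource group of the workspace
$WorkspaceName = "law-sentinel"   # placeholder: Log Analytics workspace used by Sentinel
$TargetDays    = 90               # retention period the article describes for Sentinel

$Workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup -Name $WorkspaceName
Write-Host "Workspace '$WorkspaceName' currently retains data for $($Workspace.RetentionInDays) days"

if ($Workspace.RetentionInDays -lt $TargetDays) {
    # Only change the setting when it is actually below the target; lowering it
    # would silently discard history you may need for an investigation.
    Set-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup -Name $WorkspaceName -RetentionInDays $TargetDays | Out-Null
    Write-Host "Retention raised to $TargetDays days"
} else {
    Write-Host "Retention is already $($Workspace.RetentionInDays) days; no change made"
}
```

Raising retention above what the free scheme covers, or for data sources outside it, is charged as the article notes, so check the expected data volume (for example during the trial subscription) before settling on a value higher than 90 days.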
We advise all organizations to take the step to Azure AD P1. This is definitely worth the cost. If you want to do even more with the logs and test with Sentinel, please contact us. We’re happy to help.
Or make it easy for yourself, and choose Attic Security!