Expanded Microsoft security logs credited with enhanced threat visibility by CISA officials
The Cybersecurity and Infrastructure Security Agency (CISA), alongside the FBI, National Security Agency, and a coalition of foreign cybersecurity authorities led by Australia, released a comprehensive guide on event logging best practices last week. The guide aims to help organizations strengthen their ability to identify and mitigate malicious activities, particularly those from sophisticated state-linked threat groups such as Volt Typhoon.
The new guide emphasizes the importance of implementing comprehensive and systematic logging to effectively detect exploitation and anomalous activities. Key recommendations include:
- Implementing comprehensive logging across systems and applications to capture relevant events that can help identify exploitation activity and malicious behavior in near real-time.
- Auditing and monitoring Remote Desktop Protocol (RDP) login attempts and network access closely. Ensure unused RDP ports are closed, and apply multi-factor authentication (MFA) to all accounts, with priority on phishing-resistant MFA such as FIDO/WebAuthn or PKI-based MFA.
- Keeping audit and system logs secure and protected to prevent tampering, and leveraging centralized logging solutions integrated into Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR) platforms for improved detection and incident response.
- Maintaining offline backups and recovery plans, and regularly testing restoration capabilities to complement logging efforts and reduce operational impact during attacks.
- Adhering to established standards such as NIST guidelines on password policy management and account security to complement event logging effectiveness.
The guide's underlying message is that logging is only useful when it is comprehensive, tamper-resistant, and actually monitored: logs need to feed proactive detection and response, and they need to sit alongside access controls such as least privilege and MFA. Together these measures support timely identification of malicious activity and reduce risk in national security and critical infrastructure environments.
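As an added example of the RDP auditing recommendation above (this is not code from the guide or the article), the rule below runs over Windows Security events to flag a source IP that racks up repeated failed logons (Event ID 4625) and, worse, then succeeds with a RemoteInteractive logon (Event ID 4624, LogonType 10, which is how an RDP session appears in the log). The event records are constructed for illustration; their field names mirror the Windows Security log, but every IP, account and timestamp is invented, and the threshold and window are assumptions a team would tune to its own environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10              # 4624 LogonType 10 = RemoteInteractive (RDP)
FAILURE_THRESHOLD = 5            # assumed: failures from one IP ...
WINDOW = timedelta(minutes=10)   # ... within this window trigger an alert

# Constructed sample events, as a SIEM forwarder might deliver them (already normalised).
SAMPLE_EVENTS = [
    # 203.0.113.45 sprays several accounts, then gets in as svc_backup over RDP
    {"TimeCreated": "2024-08-20T02:14:01", "EventID": 4625, "TargetUserName": "administrator", "IpAddress": "203.0.113.45", "LogonType": 10},
    {"TimeCreated": "2024-08-20T02:14:07", "EventID": 4625, "TargetUserName": "admin", "IpAddress": "203.0.113.45", "LogonType": 10},
    {"TimeCreated": "2024-08-20T02:14:13", "EventID": 4625, "TargetUserName": "backup", "IpAddress": "203.0.113.45", "LogonType": 10},
    {"TimeCreated": "2024-08-20T02:14:20", "EventID": 4625, "TargetUserName": "svc_backup", "IpAddress": "203.0.113.45", "LogonType": 10},
    {"TimeCreated": "2024-08-20T02:14:26", "EventID": 4625, "TargetUserName": "svc_backup", "IpAddress": "203.0.113.45", "LogonType": 10},
    {"TimeCreated": "2024-08-20T02:15:02", "EventID": 4624, "TargetUserName": "svc_backup", "IpAddress": "203.0.113.45", "LogonType": 10},
    # 10.0.0.8 is an admin workstation: one typo, then a normal RDP logon (benign)
    {"TimeCreated": "2024-08-20T08:01:10", "EventID": 4625, "TargetUserName": "jdoe", "IpAddress": "10.0.0.8", "LogonType": 10},
    {"TimeCreated": "2024-08-20T08:01:25", "EventID": 4624, "TargetUserName": "jdoe", "IpAddress": "10.0.0.8", "LogonType": 10},
    # 198.51.100.7 reaches the threshold but never succeeds
    {"TimeCreated": "2024-08-20T09:00:00", "EventID": 4625, "TargetUserName": "root", "IpAddress": "198.51.100.7", "LogonType": 10},
    {"TimeCreated": "2024-08-20T09:00:10", "EventID": 4625, "TargetUserName": "root", "IpAddress": "198.51.100.7", "LogonType": 10},
    {"TimeCreated": "2024-08-20T09:00:20", "EventID": 4625, "TargetUserName": "root", "IpAddress": "198.51.100.7", "LogonType": 10},
    {"TimeCreated": "2024-08-20T09:00:30", "EventID": 4625, "TargetUserName": "root", "IpAddress": "198.51.100.7", "LogonType": 10},
    {"TimeCreated": "2024-08-20T09:00:40", "EventID": 4625, "TargetUserName": "root", "IpAddress": "198.51.100.7", "LogonType": 10},
    # A 4624 with LogonType 3 (network logon, e.g. SMB) is not RDP and is ignored by this rule
    {"TimeCreated": "2024-08-20T09:30:00", "EventID": 4624, "TargetUserName": "fileshare", "IpAddress": "10.0.0.20", "LogonType": 3},
]


def _ts(event):
    return datetime.fromisoformat(event["TimeCreated"])


def detect_rdp_bruteforce(events, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return one alert per source IP whose 4625 failures reach `threshold`
    inside `window`. Severity is 'high' when a 4624/LogonType 10 success from
    the same IP follows within `window` of the last failure, else 'medium'."""
    events = sorted(events, key=_ts)
    failures = defaultdict(list)   # source IP -> recent 4625 events (sliding window)
    alerts = {}                    # source IP -> alert dict
    for ev in events:
        ip = ev.get("IpAddress", "-")
        if ev["EventID"] == 4625:
            now = _ts(ev)
            # keep only failures that are still inside the window, then add this one
            recent = [f for f in failures[ip] if now - _ts(f) <= window] + [ev]
            failures[ip] = recent
            if ip in alerts:
                # already alerting on this IP: keep the record current
                a = alerts[ip]
                a["failed_attempts"] += 1
                a["last_failure"] = ev["TimeCreated"]
                a["targeted_accounts"].add(ev["TargetUserName"])
            elif len(recent) >= threshold:
                alerts[ip] = {
                    "source_ip": ip,
                    "severity": "medium",
                    "failed_attempts": len(recent),
                    "targeted_accounts": {f["TargetUserName"] for f in recent},
                    "first_failure": recent[0]["TimeCreated"],
                    "last_failure": ev["TimeCreated"],
                    "successful_logon": None,
                }
        elif ev["EventID"] == 4624 and ev.get("LogonType") == RDP_LOGON_TYPE and ip in alerts:
            a = alerts[ip]
            # a success shortly after the burst of failures is the case to page on
            if a["successful_logon"] is None and _ts(ev) - datetime.fromisoformat(a["last_failure"]) <= window:
                a["severity"] = "high"
                a["successful_logon"] = {"account": ev["TargetUserName"], "time": ev["TimeCreated"]}
    for a in alerts.values():
        a["targeted_accounts"] = sorted(a["targeted_accounts"])
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

The rule only works if 4625 events reach the SIEM at all (failed-logon auditing is not enabled by default on every Windows edition) and if the source address survives forwarding; an RDP gateway or load balancer in front of the host will otherwise collapse every attacker into one internal IP, which is one reason the guide pairs the monitoring advice with closing unused RDP exposure in the first place.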
In a separate development, security researchers at Reliaquest have been tracking a ransomware actor known as Medusa, which, like Volt Typhoon, has used living-off-the-land techniques in multiple attacks; abuse of built-in tools leaves few traditional malware artifacts, which is precisely the activity that thorough logging is meant to surface. Meanwhile, Microsoft has been making strides in prioritizing security in its software development and customer interactions.
In 2023, Microsoft expanded free access to security logs, a move that has benefited U.S. government agencies and critical infrastructure providers. However, the company faced criticism from the Cyber Safety Review Board following a 2023 attack the board deemed preventable. Microsoft has since begun overhauling its internal security culture through the Secure Future Initiative this year.
Alex Capraro, a cyber intelligence analyst at Reliaquest, stated that by implementing the best practices for event logging and threat detection outlined in the guide, organizations can protect their networks, devices, and data from compromise. The expanded logs are being used by organizations today to detect threats.