
Microsoft says weeks of security logs for its customers' cloud products were lost

Microsoft has informed its customers that over two weeks of security logs are missing for several of its cloud products, potentially hindering efforts to detect intrusions.

The issue, which occurred between September 2 and September 19, stemmed from a bug in Microsoft’s internal monitoring agents, as detailed in a notification sent to affected customers. This bug caused some agents to malfunction when transferring log data to Microsoft’s internal logging platform. According to the notification, the problem was not triggered by a security breach but only impacted the collection of log events.




First reported by Business Insider, the loss of log data has not been widely discussed. Security expert Kevin Beaumont highlighted that the notifications Microsoft issued are likely accessible only to a limited number of users with tenant admin privileges.

Event logs are crucial for tracking activity within systems, such as user sign-ins and failed login attempts, helping organizations identify potential security threats. Missing logs during this two-week period could make it more challenging to detect unauthorized access to affected networks.

Products impacted by the issue include Microsoft Entra, Sentinel, Defender for Cloud, and Purview. Customers affected by the outage “may have experienced gaps in security-related logs or events,” which could interfere with their ability to analyze data, identify threats, or generate security alerts, as stated in Microsoft’s notification.

When questioned, Microsoft declined to provide specific details about the outage. However, John Sheehan, a Microsoft corporate vice president, acknowledged that the problem was due to an operational bug in their internal monitoring agent.

“We resolved the issue by rolling back a service change and have communicated with all impacted customers to offer support as needed,” Sheehan stated.

This incident follows criticism Microsoft faced last year after federal investigators discovered the company had restricted access to critical security logs for certain U.S. government departments. These logs could have helped identify a China-backed cyberattack involving Storm-0558 hackers who exploited Microsoft’s systems to gain access to U.S. government emails stored in its cloud.

In that case, the State Department was able to uncover the intrusions because it had purchased a higher-tier Microsoft license granting access to enhanced logging features, which many other compromised government agencies lacked.
