
Microsoft warns it lost some customers’ security logs for a month

Microsoft is warning enterprise customers that for nearly a month, a bug caused a partial loss of critical logs, putting at risk companies that rely on this data to detect unauthorized activity.

The issue was first reported by Business Insider earlier this month: Microsoft had begun notifying customers that their log data was not collected consistently between September 2 and September 19.

Lost logs include security data commonly used to monitor suspicious traffic, behavior, and login attempts on a network, increasing the chances that attacks will go undetected.

A preliminary post-incident review (PIR) sent to customers and shared by Microsoft MVP Joao Ferreira sheds more light on the issue, saying the logging problems were worse for some services and continued through October 3.

Microsoft’s review indicates that the following services were affected, each with varying degrees of log disruption:

  • Microsoft Entra: Potentially incomplete sign-in logs and activity logs. Entra logs flowing through Azure Monitor to Microsoft security products, including Microsoft Sentinel, Microsoft Purview, and Microsoft Defender for Cloud, were also affected.
  • Azure Logic Apps: Intermittent gaps in telemetry data in Logic Apps Log Analytics, resource logs, and diagnostic settings.
  • Azure Healthcare APIs: Partially incomplete diagnostic logs.
  • Microsoft Sentinel: Potential gaps in security-related logs or events, affecting customers’ ability to analyze data, detect threats, or generate security alerts.
  • Azure Monitor: Gaps or reduced results when running queries over log data from the affected services. Where customers had configured alerts on this log data, those alerts may have been affected.
  • Azure Trusted Signing: Partially incomplete SignTransaction and SignHistory logs, resulting in reduced signature log volume and under-billing.
  • Azure Virtual Desktop: Partially incomplete Application Insights data. AVD connectivity and core functionality were not affected.
  • Power Platform: Minor discrepancies in various reports, including Analytics reports in the Admin and Maker portals, Licensing reports, data exports to Data Lake, Application Insights, and activity logging.

Microsoft says the logging failure was caused by a bug introduced while fixing another issue in the company’s log collection service.

“The initial change was intended to resolve a limitation in the logging service, but once deployed, it inadvertently triggered a deadlock condition when the agent was prompted to change the telemetry upload endpoint in a way that scaled quickly while a dispatch was in progress to the initial endpoint. This caused threads in the dispatch component to progressively block, preventing the agent from uploading telemetry. The blockage only affected the dispatch mechanism within the agent, with other features functioning normally, including collecting and validating data into the agent’s local durable cache. A restart of the agent or operating system resolves the deadlock, and the agent uploads the data contained in its local cache at startup. In some situations, the amount of log data collected by the agent was greater than the limit of the local agent cache before a restart occurred, and in these cases the agent overwrote the oldest data in the cache (ring buffer keeping the newest data, up to the size limit). Log data beyond the cache size limit is not recoverable.”

❖Microsoft
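To make the failure mode in the PIR concrete, here is an added example written for this page (not Microsoft’s code) that simulates an agent whose dispatch path deadlocks while collection into a bounded ring-buffer cache keeps running, and then applies the kind of empty-bucket check a SIEM analyst would use to size the resulting gap. The agent class, the cache capacity of four entries, and the hourly sign-in records are all constructed assumptions; the real agent’s cache limit is not stated in the review.

```python
from collections import deque
from datetime import datetime, timedelta

# Assumed cache size for the simulation; the real agent's limit is not public.
CACHE_CAPACITY = 4


class MonitoringAgent:
    """Hypothetical telemetry agent: collects records into a bounded local
    cache and dispatches them to an upload endpoint."""

    def __init__(self, capacity=CACHE_CAPACITY):
        # deque(maxlen=...) is a ring buffer: once full, each append silently
        # drops the oldest entry, which is the behaviour the PIR describes.
        self.cache = deque(maxlen=capacity)
        self.dispatch_blocked = False  # True while the dispatch threads are deadlocked
        self.uploaded = []             # what actually reached the log store / SIEM

    def collect(self, record):
        # Collection and caching kept working during the incident.
        self.cache.append(record)
        if not self.dispatch_blocked:
            self.dispatch()

    def dispatch(self):
        # Healthy path: drain the cache to the endpoint in arrival order.
        while self.cache:
            self.uploaded.append(self.cache.popleft())

    def restart(self):
        # A restart clears the deadlock and uploads whatever still survives in
        # the cache; anything already overwritten is gone for good.
        self.dispatch_blocked = False
        self.dispatch()


def simulate(record_count, block_from, restart_at, capacity=CACHE_CAPACITY):
    """Generate one constructed sign-in record per hour from 2024-09-02 00:00,
    deadlock dispatch at record index `block_from`, restart the agent just
    before record index `restart_at`, and return (uploaded, lost)."""
    agent = MonitoringAgent(capacity)
    start = datetime(2024, 9, 2)
    produced = []
    for i in range(record_count):
        record = {"ts": start + timedelta(hours=i), "event": f"SignIn#{i}"}
        produced.append(record)
        if i == block_from:
            agent.dispatch_blocked = True
        if i == restart_at:
            agent.restart()
        agent.collect(record)
    agent.restart()  # final flush so only overwritten data counts as lost
    received = {r["ts"] for r in agent.uploaded}
    lost = [r for r in produced if r["ts"] not in received]
    return agent.uploaded, lost


def missing_buckets(timestamps, window_start, window_end, bucket=timedelta(hours=1)):
    """Return the bucket start times inside [window_start, window_end) that
    hold no records: the offline equivalent of a KQL
    `summarize count() by bin(TimeGenerated, 1h)` followed by a hunt for
    empty bins."""
    seen = {(ts - window_start) // bucket for ts in timestamps}
    n_buckets = (window_end - window_start) // bucket
    return [window_start + i * bucket for i in range(n_buckets) if i not in seen]


def run_demo():
    """12 hours of records, dispatch blocked at hour 3, restart before hour 10."""
    uploaded, lost = simulate(record_count=12, block_from=3, restart_at=10)
    gaps = missing_buckets(
        [r["ts"] for r in uploaded],
        window_start=datetime(2024, 9, 2),
        window_end=datetime(2024, 9, 2) + timedelta(hours=12),
    )
    return {
        "uploaded": [r["event"] for r in uploaded],
        "lost": [r["event"] for r in lost],
        "gap_hours": [g.strftime("%Y-%m-%d %H:00") for g in gaps],
    }


if __name__ == "__main__":
    result = run_demo()
    print("reached the SIEM:", result["uploaded"])
    print("unrecoverable:   ", result["lost"])
    print("empty hour bins: ", result["gap_hours"])
```

The detail worth noticing is where the hole lands: because the cache keeps the newest entries, the unrecoverable records are the earliest hours of the blocked period, and a blockage shorter than the cache capacity loses nothing at all once the agent restarts. For the real incident, the same empty-bin check run against tables such as SigninLogs or AuditLogs over September 2 to October 3 is how a Sentinel customer would establish whether they were affected and how large the hole is, rather than waiting on a notification.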

Microsoft says that although the original fix was rolled out under its safe deployment practices, those practices did not catch the new issue before release, and it took several days to detect.

In a statement to TechCrunch, Microsoft Vice President John Sheehan said the bug is now fixed and all customers have been notified.

However, cybersecurity expert Kevin Beaumont says he knows of at least two companies that have missing log data and haven’t received notifications.

This incident came a year after Microsoft was criticized by CISA and lawmakers for failing to provide adequate log data to detect breaches for free, instead demanding that customers pay for it.

In July 2023, Chinese hackers stole a Microsoft signing key that allowed them to break into corporate and government Exchange Online and Microsoft 365 accounts and steal email.

Although Microsoft has still not determined how the key was stolen, the US government first detected the attacks using Microsoft’s advanced logging data.

However, these advanced logging features (in particular the MailItemsAccessed mailbox-audit event used to spot the intrusions) were only available to customers who paid for Microsoft’s Purview Audit (Premium) licensing tier.

For this reason, Microsoft has been widely criticized for not providing this additional logging data for free so that organizations can quickly detect advanced attacks.

In collaboration with CISA, the Office of Management and Budget (OMB), and the Office of the National Cyber ​​Director (ONCD), Microsoft expanded its free logging capabilities for all standard Purview Audit customers in February 2024.