Microsoft said it lost weeks of security logs for its customers’ cloud products


Microsoft has notified its customers that it wasn’t consistently storing security logs for its cloud products during a two-week window in September, leaving network defenders with a potential blind spot for detecting possible intrusions.

According to a notification sent to affected customers, Microsoft said that “a bug in one of Microsoft’s internal monitoring agents resulted in a malfunction in some of the agents when uploading log data to our internal logging platform.” 

The notification said that the logging outage was not caused by a security incident, and “only affected the collection of log events.” 

Business Insider first reported the loss of log data earlier in October. Details of the notification have not been widely reported. As noted by security researcher Kevin Beaumont, the notifications that Microsoft sent to affected companies are likely accessible only to a handful of users with tenant admin rights.

Logging helps to keep track of events within a product, such as information about users signing in and failed attempts, which can help network defenders identify suspected intrusions. Missing logs could make it more difficult to identify unauthorized access to the customers’ networks during that two-week window. 

The affected products include Microsoft Entra, Sentinel, Defender for Cloud, and Purview, according to the Business Insider report. Affected customers “may have experienced potential gaps in security related logs or events, possibly affecting customers’ ability to analyze data, detect threats, or generate security alerts,” the notification said.

Microsoft would not answer specific questions about the logging outage, but a Microsoft executive confirmed to TechCrunch that the incident was caused by an “operational bug within our internal monitoring agent.”

“We have mitigated the issue by rolling back a service change. We have communicated to all impacted customers and will provide support as needed,” said John Sheehan, a Microsoft corporate vice president.

The logging outage comes a year after Microsoft came under fire from federal investigators for withholding security logs from certain U.S. federal government departments that host their emails on the company’s hardened, government-only cloud. Investigators said that having access to those logs could have identified a series of China-backed intrusions far sooner.

The China-backed intruders, referred to as Storm-0558, broke into Microsoft’s network and stole a digital skeleton key that allowed the hackers unfettered access to U.S. government emails stored in Microsoft’s cloud. According to a government-issued post-mortem of the cyberattack, the State Department identified the intrusions because it paid for a higher-tier Microsoft license that granted access to security logs for its cloud products, which many other hacked U.S. government agencies did not have.

Following the China-backed hacks, Microsoft said it would start providing logs to its lower-paid cloud accounts from September 2023.

Carly Page contributed reporting.




Lisa Holden
Lisa Holden is a news writer for LinkDaddy News. She writes health, sport, tech, and more. Some of her favorite topics include the latest trends in fitness and wellness, the best ways to use technology to improve your life, and the latest developments in medical research.
