Imagine your organization experiences a breach, but the early warning signs are missing, hidden from view. This is exactly what can happen when critical logging data is incomplete. Between September 2nd and October 3rd, 2024, Microsoft faced an issue with their internal monitoring agents, resulting in missing logs for some services, which could leave organizations without vital insights into potential security threats.
What Happened with the Logging Issue from Microsoft
On September 2nd, 2024 around 23:00 UTC, Microsoft encountered a bug in its internal monitoring agents, causing some agents to malfunction and resulting in incomplete log data for certain services. This issue did not affect the uptime of customer-facing services—only event logging—and it was not related to any security breach.
The issue was detected on September 5th, and by September 19th a temporary workaround was implemented to improve log collection by restarting the agents or servers. However, this workaround may have caused occasional delays in log delivery for some customers.
Microsoft's engineering team is actively investigating the root cause and is working on a permanent fix that will be completed by the end of October 2024. According to Microsoft, customers affected by this issue were contacted through the Microsoft 365 Message Center and/or Azure Service Health.
How Missing Logs Affect Cybersecurity
In SaaS and cloud environments, missing logs can have a significant impact because organizations are entirely dependent on their cloud or SaaS providers for log data. Unlike on-premises systems where you have direct control, in the cloud you rely on your provider to deliver comprehensive logs. Without these logs, there is no way to trace incidents back to their root cause, which means missing key information and losing critical context. This lack of visibility makes it impossible to fully understand what happened, how it happened, or how to prevent it in the future. When logs are incomplete, organizations are effectively "flying blind" when trying to manage and respond to security incidents. Here is an example of insufficient logging coverage in Google Cloud Platform (GCP) we published in the past: Mitiga Security Advisory - Insufficient Forensic Visibility in GCP Storage.
Affected Microsoft Services
Microsoft announced the following services were affected by incomplete logs:
- Microsoft Entra: Potentially incomplete sign-in and activity logs. Issues began on September 5th and are expected to be fully resolved by October 3rd, 2024. Services like Azure Monitor, Microsoft Sentinel, Purview, and Defender were also affected.
- Azure Logic Apps: Gaps in platform logs between September 8th and 20th, 2024.
- Azure Healthcare APIs: Incomplete diagnostic logs for FHIR services between September 7th and 20th, 2024.
- Microsoft Sentinel: Gaps in security alerts from September 5th to October 3rd, 2024.
- Azure Monitor: Incomplete diagnostic logs from September 5th to October 3rd, 2024.
- Azure Trusted Signing: Missing signing logs between September 8th and 27th, 2024, leading to under-billing.
- Power Platform: Minor discrepancies in reports from September 9th to 19th, 2024.
- Azure Virtual Desktop: Incomplete logs in Application Insights between September 14th and 29th, 2024.
How Does This Affect My Security?
The incomplete logging announced by Microsoft may impact your ability to detect certain security threats. Missing log entries can result in missed opportunities to identify malicious activities such as:
- BEC Attacks: Compromised or malicious sign-ins related to Business Email Compromise (BEC) attacks may go unnoticed due to gaps in Microsoft Entra sign-in logs.
- MFA Fatigue Attacks: Repeated MFA requests used to wear down users may not be fully logged, making it harder to detect these types of attacks.
- Successful Brute Force Attempts: Logs of successful brute force attempts might be incomplete, meaning you could miss critical signs of unauthorized access.
- Persistence and Privilege Escalation: Key activities that indicate an attacker is gaining or maintaining access could be missed if there are gaps in Entra ID activity logs.
- Azure Logic Apps Hijacks: Potential hijacks of Azure Logic Apps may not have been fully logged, impacting your ability to identify unauthorized workflows or automation being compromised.
3 Steps to Take Because of the Microsoft Issue
- Check if Your Organization is Affected: Review the Microsoft 365 Message Center to see if your organization is impacted by missing logs. Don't assume that if Microsoft did not alert you, you are unaffected. Proactively check your SIEM or security data lake for any changes or gaps in log consumption during the affected period.
- Be Cautious with User and Service Principal Activities: Since compromised identities may not have been recorded, it's essential to stay vigilant. Monitor for any unusual user activities or abnormalities involving Entra ID, and treat these as potential indicators of compromise, especially for the period affected by the logging issues.
- Consider the Impact on Other SaaS Products: If Entra ID is configured as an SSO for other SaaS products your organization uses, these applications may also be affected by potential compromises. Monitor activities in connected SaaS services for unusual behavior or signs of unauthorized access after the impacted period, as missing logs could prevent detection during that time.
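One way to run the gap check from the first step, as an added example that is not Mitiga's or Microsoft's code: it takes timezone-aware sign-in event timestamps exported from your SIEM, builds an hour-of-week baseline from the weeks before the incident, and reports hours inside the affected window where volume fell well below that baseline. The function names, the 0.3 threshold, the baseline start date and the sample data are assumptions made for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

UTC = timezone.utc
# Affected period from the article; the exclusive end (all of October 3rd) is an assumption.
WINDOW_START = datetime(2024, 9, 2, 23, tzinfo=UTC)
WINDOW_END = datetime(2024, 10, 4, tzinfo=UTC)

def hourly_counts(timestamps):
    """Bucket timezone-aware event timestamps into UTC hours."""
    return Counter(t.astimezone(UTC).replace(minute=0, second=0, microsecond=0) for t in timestamps)

def find_ingestion_gaps(timestamps, baseline_start, ratio=0.3):
    """Return merged (start, end) ranges inside the window where hourly volume
    fell below ratio x the median for the same weekday/hour before the window."""
    counts = hourly_counts(timestamps)
    baseline = defaultdict(list)
    hour = baseline_start
    while hour < WINDOW_START:
        baseline[(hour.weekday(), hour.hour)].append(counts.get(hour, 0))
        hour += timedelta(hours=1)
    gaps, hour = [], WINDOW_START
    while hour < WINDOW_END:
        expected = median(baseline.get((hour.weekday(), hour.hour)) or [0])
        if expected > 0 and counts.get(hour, 0) < ratio * expected:
            if gaps and gaps[-1][1] == hour:  # extend the previous range
                gaps[-1] = (gaps[-1][0], hour + timedelta(hours=1))
            else:
                gaps.append((hour, hour + timedelta(hours=1)))
        hour += timedelta(hours=1)
    return gaps

def constructed_signins():
    """Constructed sample: 12 sign-ins/hour by day, 3 at night, two injected gaps."""
    events, hour = [], datetime(2024, 8, 19, tzinfo=UTC)
    while hour < WINDOW_END:
        n = 12 if 8 <= hour.hour < 18 else 3
        if datetime(2024, 9, 10, 9, tzinfo=UTC) <= hour < datetime(2024, 9, 10, 14, tzinfo=UTC):
            n = 2  # partial loss during business hours
        if datetime(2024, 9, 17, 1, tzinfo=UTC) <= hour < datetime(2024, 9, 17, 3, tzinfo=UTC):
            n = 0  # total loss at night
        events += [hour + timedelta(minutes=5 * i) for i in range(n)]
        hour += timedelta(hours=1)
    return events

if __name__ == "__main__":
    for start, end in find_ingestion_gaps(constructed_signins(), datetime(2024, 8, 19, tzinfo=UTC)):
        print(f"possible gap: {start:%Y-%m-%d %H:%M} to {end:%Y-%m-%d %H:%M} UTC")
```

A flagged range is a prompt to review identity activity for that period through other sources, not proof that events were lost; holidays and outages on your own side produce the same dip.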
The Role of Cloud Security Data Lakes in SaaS and Cloud Log Collection
While what happened with Microsoft may come as a surprise to some, Mitiga experts have known for years about the gaps in visibility caused by insufficient log collection. The Mitiga platform includes our Cloud Security Data Lake that amasses, enriches, and analyzes logs across your SaaS and cloud estate, enabling teams to have data that is not only accessible, but actionable.
Unlike SIEM solutions, cloud security data lakes can store a wide range of data that allows for more effective and efficient searching. Additionally, organizations using a SIEM typically do not retain log data beyond 30 to 90 days due to cost and performance concerns.
By contrast, cloud security data lakes are equipped to meet the needs of modern organizations, which may have a mix of on-prem, cloud, SaaS, and identity. Yet even though cloud security data lakes are a stronger choice for log collection that enables effective threat detection, investigation, and response, it is not as simple as having your SecOps team design one for the organization. They are challenging to build as they require a combination of expertise and significant resource investment (people, money, and time).
4 Benefits of Mitiga’s Cloud Security Data Lake
An effective data lake for cloud security includes (but is not limited to):
- The ability to store large volumes of data
- The capability to gather, retain, normalize, and analyze that data from various sources
- Years of retention rather than days or months
- ML, AI, and automation capabilities that speed the detection and investigation process
With Mitiga, all these criteria are satisfied and then some, leaving your team with:
- Complete Visibility: With 100+ cloud and SaaS data integrations, Mitiga provides the industry's broadest cloud visibility to power investigation.
- Affordability: Store up to three years of cloud and SaaS log history, with no limits on the amount of data you can collect.
- A Sense of Ease: No more checking each cloud log source individually to ensure consistent data collection.
- Assurance: Mitiga’s data engineers prepare, host and monitor log collection continuously, so your logs are always ready.
Additionally, Mitiga offers the industry’s only purpose-built Cloud Managed Detection and Response (MDR), so that resource- and expertise-strapped teams can connect their estate to Mitiga and let us do the rest for comprehensive detection, investigation, and response.
See the Power of Cost-Effective and Continuous Log Collection for Your Organization
While the recent Microsoft issue was not the result of a cyberattack, it should still not be taken lightly. The log data that is missing may contain essential information that organizations need to detect threats, investigate them, and respond effectively across a sprawling cloud estate.
A gap in visibility is a cost that, many of us would agree, teams are not willing to pay, and cloud security data lakes can help ensure effective, continuous, detailed log collection remains a priority.