Microsoft is extending Purview Audit log retention as promised after the Chinese Storm-0558 hacking group breached dozens of Exchange and Microsoft 365 corporate and government accounts in July.
The changes to audit logging retention announced today will roll out to Microsoft Purview Audit customers with Standard licenses in the coming weeks, starting with enterprise tenants this month and government customers in November.
“Starting in October 2023, we began rolling out changes to extend default retention to 180 days from 90 for audit logs generated by Audit customers. Audit license holders will continue with a default of one year, and the option to extend up to 10 years,” said Microsoft Purview CVP Rudra Mitra.
Under pressure from the Cybersecurity and Infrastructure Security Agency, Microsoft has also agreed to broaden access to cloud logging data at no cost, which would help network defenders identify similar breach attempts in the future.
Starting December 2023, Microsoft customers with Purview Audit licenses will also have to access additional logs of email access and 30 other Yammer/Viva Engage, Teams, Exchange, and Sharepoint events previously only available to customers with Premium licenses.
“Microsoft has worked closely with CISA to identify these critical logs and include them in our Microsoft Purview Audit license,” Mitra said.