The US National Security Agency used to be one of the biggest secrets in the US. Almost everything about it except its name was classified for decades, but gradually, as it emerged from the shadows, one of the key things the public learned was that it had two missions: protect US communications and spy on everyone else’s. (Before you email me: yes, that’s an oversimplified summary that leaves out a lot of the details!) As more and more of the world’s economy, military, civil, and social lives have come to depend on electronic communications systems, other agencies have emerged with specific assignments. One such is the US Cybersecurity and Infrastructure Security Agency (CISA), whose mission is to “lead the national effort to understand, manage, and reduce risk to our cyber and physical infrastructure.” As part of that mission, they occasionally release prescriptive guidance on various cybersecurity topics, and in early 2025 they released a whopper: the “Microsoft Expanded Cloud Logs Implementation Playbook.” Let’s dig in to see what the experts are telling us.

Jigsaw Puzzles and Logging

You’ve probably done a jigsaw puzzle before. There are several steps before you can admire your finished puzzle, though. First, you have to have a puzzle. Then you need a space to assemble it, and only then can you start the process of piecing it together. In the same vein, there are a few prerequisites that the CISA playbook covers.

The first playbook recommendation is that you assign the appropriate roles (which they clearly document) so that your auditors are able to view Defender, Purview, and Exchange Online PowerShell logs. Of course, there are many other juicy and interesting events in the audit log, but CISA is focusing on the most obvious areas. The fact that CISA documents what permissions the auditors need, and why, is a time-saver when it comes time to explain why those specific permissions need to be granted.

Second, CISA suggests (and provides a how-to guide for) verifying that you have the correct types and levels of auditing actually enabled. This process is made needlessly confusing by Microsoft’s naming standards, which have changed more than once. There are two similar-sounding products:

  • “Microsoft Purview Audit (Standard)” is what most organizations have. It’s enabled by default and records the everyday activity events.
  • “Microsoft Purview Audit (Premium),” which Microsoft previously called Advanced Audit, is what CISA (and I) recommend. It adds the high-value events the playbook leans on (MailItemsAccessed, Send, and SearchQueryInitiated, among others) and longer retention. It requires Office 365 E5 or Microsoft 365 E5 licenses, or the Microsoft 365 E5 Compliance (or E5 eDiscovery and Audit) add-on, and it only takes effect for a user once the corresponding service plan is enabled in that user’s license.

That last point bears amplification. Buying the license isn’t enough: the “Microsoft 365 Advanced Auditing” service plan must be enabled for each user before that user’s activity produces the Premium-only events, and a user whose plan is off will still show up in the Standard log, so you won’t notice the gap until you go looking for a MailItemsAccessed or SearchQueryInitiated record that was never written. CISA recommends explicitly checking the state of this feature to ensure that you have the correct users covered; one common attacker tactic is to turn off mailbox auditing, or set an audit bypass, for the accounts they’re working from.

Getting and Verifying the Audit Data You Need

Next, the playbook walks through the steps required to make sure that the key audit log items for Exchange mailboxes are enabled, including showing you how to verify the owner and delegate audit sets. It doesn’t tell you how to do this for the SharePoint counterparts, or for their equivalent in Teams, which is unfortunate. It does provide simple Purview and Exchange Online PowerShell examples for verifying that log data is actually being collected.
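To put the preceding prerequisites in one place (the per-user Advanced Auditing check from the licensing section and the mailbox audit verification from this one), here is an added PowerShell example. It is my code, not the playbook’s or Microsoft’s. It assumes you have already run Connect-ExchangeOnline and Connect-MgGraph (with at least User.Read.All) using an account that holds the roles the playbook lists; the service plan name M365_ADVANCED_AUDITING, the sample user list, and the “required actions” table are my assumptions and should be adjusted to your own baseline.

```powershell
# Added example: verify the audit prerequisites the CISA playbook describes.
# Not code from the playbook or the article. Assumes Connect-ExchangeOnline and
# Connect-MgGraph -Scopes 'User.Read.All' have already been run.

$Users = @('alice@contoso.com', 'bob@contoso.com')   # constructed sample identities

# Premium-only actions that make the logs forensically useful; tune to your baseline.
$Required = @{
    AuditOwner    = @('MailItemsAccessed', 'Send', 'SearchQueryInitiated')
    AuditDelegate = @('MailItemsAccessed', 'SendAs', 'SendOnBehalf')
    AuditAdmin    = @('MailItemsAccessed', 'Send')
}

function Test-TenantAuditing {
    # Set-OrganizationConfig -AuditDisabled $true silently stops the unified log.
    $org = Get-OrganizationConfig
    [pscustomobject]@{
        Check  = 'Tenant unified audit log'
        Status = if ($org.AuditDisabled) { 'DISABLED' } else { 'OK' }
    }
}

function Test-MailboxAuditing {
    param([Parameter(Mandatory)][string]$User)
    $mbx    = Get-Mailbox -Identity $User -ErrorAction Stop
    $bypass = Get-MailboxAuditBypassAssociation -Identity $User
    # Compare each audit set on the mailbox against the required actions.
    $missing = foreach ($set in $Required.Keys) {
        $have = @($mbx.$set)
        foreach ($action in $Required[$set]) {
            if ($have -notcontains $action) { "$set/$action" }
        }
    }
    [pscustomobject]@{
        User           = $User
        AuditEnabled   = $mbx.AuditEnabled
        AuditBypass    = $bypass.AuditBypassEnabled   # $true = this account's actions are NOT logged
        MissingActions = ($missing -join ', ')
    }
}

function Test-AdvancedAuditingPlan {
    param([Parameter(Mandatory)][string]$User)
    # A license can carry the plan while it is disabled for the user; only a
    # provisioned plan means the Premium events will be recorded. Plan name is an assumption.
    $plan = Get-MgUserLicenseDetail -UserId $User |
        ForEach-Object { $_.ServicePlans } |
        Where-Object { $_.ServicePlanName -eq 'M365_ADVANCED_AUDITING' }
    [pscustomobject]@{
        User   = $User
        Status = if (-not $plan) { 'NOT LICENSED' }
                 elseif ($plan.ProvisioningStatus -eq 'Success') { 'OK' }
                 else { $plan.ProvisioningStatus }
    }
}

function Test-AuditRecordsFlowing {
    param([Parameter(Mandatory)][string]$User, [int]$Days = 7)
    # A Premium-only operation is the best canary: if a normally active user has
    # no MailItemsAccessed records in a week, the plan is almost certainly off.
    $hits = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) `
        -UserIds $User -Operations 'MailItemsAccessed' -ResultSize 1
    [pscustomobject]@{ User = $User; MailItemsAccessedSeen = [bool]$hits }
}

Test-TenantAuditing
foreach ($u in $Users) {
    Test-MailboxAuditing      -User $u
    Test-AdvancedAuditingPlan -User $u
    Test-AuditRecordsFlowing  -User $u
}
```

The audit-bypass check is the one people forget: an account with AuditBypassEnabled set to $true produces no mailbox audit records at all, regardless of how the mailbox audit sets look, which is exactly why an attacker who gains admin rights likes to set it.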

Knowing What to Look for

To me, the area where you’ll get the most value from this playbook is section 2.3, “Overview of the logs.” This provides a detailed review of the “logs with significant forensic relevance”—that is, it tells you what each log entry type can tell you about a potential attack. There’s lots of detail here and you should read it thoroughly to make sure that you understand it.

The next section, “Scenario-based analysis,” builds on your increased understanding of what’s in the logs by showing three specific examples of things you can investigate: credential theft, data exfiltration, and impact investigation. Each of the examples includes a definition of threat actor behavior, an advanced hunting query you can use to look for relevant signs, and some discussion of how the two are related. Reading this section put me in mind of watching old Western movies where a grizzled old scout was always able to identify where the bad guys were going (or had been) using his esoteric wilderness and tracking knowledge. In much the same way, analyzing the audit logs to see what an attacker did, and where they went, can give you some insights (but not necessarily proof) about the attacker’s goal in performing those specific actions. For example, if you see UserSearchQueryInitiatedExchange events you get some valuable information about what the attacker was looking for, which in turn tells you something about what they want.
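As an added example of the kind of analysis that last paragraph describes (mine, not a query from the playbook), the following PowerShell pulls mailbox-search audit events out of the unified audit log, reads the search terms and source IPs from each record’s AuditData JSON, and summarizes them per user and IP so you can see what a suspected intruder went looking for and from where. Assumptions: the operation name SearchQueryInitiatedExchange and the QueryText field are how I understand the Audit (Premium) schema, so verify them against a real record in your tenant (the playbook may label the same event differently); the keyword list and the three sample records are constructed so the parsing runs offline.

```powershell
# Added example: hunt for mailbox search activity in the unified audit log.
# Not from the CISA playbook or the article. Operation and field names are
# assumptions based on the Audit (Premium) schema; confirm against live records.

$SuspiciousTerms = @('password', 'passwd', 'vpn', 'mfa', 'invoice', 'wire', 'bank', 'ssn', 'confidential')

function ConvertFrom-SearchAuditRecord {
    # Accepts the objects Search-UnifiedAuditLog returns (or the stand-ins below).
    param([Parameter(Mandatory, ValueFromPipeline)]$Record)
    process {
        $d = $Record.AuditData | ConvertFrom-Json
        $q = [string]$d.QueryText
        $flagged = $SuspiciousTerms | Where-Object { $q -match [regex]::Escape($_) }
        [pscustomobject]@{
            Time     = [datetime]$d.CreationTime
            User     = $d.UserId
            ClientIP = $d.ClientIP
            Query    = $q
            Flagged  = ($flagged -join ',')
        }
    }
}

function Get-SearchHuntSummary {
    param([Parameter(Mandatory)][object[]]$Records)
    $parsed = $Records | ConvertFrom-SearchAuditRecord
    # One row per user/IP pair: a new IP issuing a burst of targeted searches
    # right after a suspicious sign-in is the credential-theft pattern to look for.
    $parsed | Group-Object User, ClientIP | ForEach-Object {
        [pscustomobject]@{
            User         = $_.Group[0].User
            ClientIP     = $_.Group[0].ClientIP
            Searches     = $_.Count
            First        = ($_.Group.Time | Measure-Object -Minimum).Minimum
            Last         = ($_.Group.Time | Measure-Object -Maximum).Maximum
            FlaggedTerms = (($_.Group.Flagged | Where-Object { $_ }) -join ';')
            Queries      = ($_.Group.Query -join ' | ')
        }
    } | Sort-Object Searches -Descending
}

# Live use (needs Connect-ExchangeOnline and Audit (Premium) on the target user):
# $live = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
#     -Operations 'SearchQueryInitiatedExchange' -UserIds 'alice@contoso.com' -ResultSize 5000
# Get-SearchHuntSummary -Records $live

# Constructed sample records: the minimum fields the functions read, not the full schema.
$sample = @(
    [pscustomobject]@{ AuditData = '{"CreationTime":"2025-02-10T08:02:11","UserId":"alice@contoso.com","ClientIP":"203.0.113.7","Operation":"SearchQueryInitiatedExchange","QueryText":"vpn password"}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2025-02-10T08:03:40","UserId":"alice@contoso.com","ClientIP":"203.0.113.7","Operation":"SearchQueryInitiatedExchange","QueryText":"wire instructions"}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2025-02-10T09:15:02","UserId":"alice@contoso.com","ClientIP":"198.51.100.22","Operation":"SearchQueryInitiatedExchange","QueryText":"lunch menu"}' }
)
Get-SearchHuntSummary -Records $sample | Format-Table -AutoSize
```

Grouping by IP as well as by user is deliberate: the search terms tell you the attacker’s intent, but the IP and timing are what let you separate the attacker’s session from the legitimate user’s and line it up against sign-in logs.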

Your Best Path Forward

Here’s where my carefully-assembled puzzle analogy breaks down (see what I did there?). This playbook, as with any other, is best understood as a template that you can apply to get up to an adequate baseline of auditing. You will, and should, plan on customizing it. In particular, the canned queries it provides are great for the specific scenarios it outlines; even if those scenarios aren’t applicable to you, you can use the queries as a basis for developing your own more individualized ones. Even if you’re not ready to move fully into the Purview Audit (Premium) feature set, understanding how to use it now will help you later.

About the Author

Paul Robichaux

Paul Robichaux, an Office Apps and Services MVP since 2002, works as the senior director of product management at Keepit, spending his time helping to make awesome data protection solutions for the multi-cloud world we’re all living in. Paul's unique background includes stints writing Space Shuttle payload software in FORTRAN, developing cryptographic software for the US National Security Agency, helping giant companies deploy Office 365 to their worldwide users, and writing about and presenting on Microsoft’s software and server products. Paul’s an avid (but slow) triathlete, an instrument-rated private pilot, and an occasional blogger (at http://www.paulrobichaux.com) and Tweeter (@paulrobichaux).
