Microsoft has informed its customers it is missing over two weeks of security logs for some of its cloud products, leaving network defenders without crucial data to detect possible intrusions.
Microsoft explained that "a bug in one of Microsoft's internal monitoring agents resulted in a malfunction in some of the agents when uploading log data to our internal logging platform" between September 2 and September 19, according to a notification it issued to affected customers.
The logging outage was not the result of a security incident, and "only affected the collection of log events", according to the notification.
Business Insider was the first to report the loss of log data in early October, and little has been reported so far about the specifics of the notice. Security researcher Kevin Beaumont pointed to one likely reason: the notices Microsoft sends to affected companies will probably only be accessible to the few users in each tenant who hold tenant admin rights.
Logs let an analyst trace what happened in a product: who signed in, which sign-in attempts failed, and other events that help network defenders spot a suspected intrusion. Without those logs, it is difficult to determine whether anyone gained unauthorized access to a customer's environment during the two-week window.
According to the Business Insider report, the affected products include Entra, Sentinel, Defender for Cloud, and Purview. Affected customers may have "experienced potential gaps in related security logs or events, which could have impacted customers' ability to analyze data, detect threats, or generate security alerts," the notification said.
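A defender reading a notice like this wants to know how much of their own window is actually empty. The script below is an added example, not Microsoft's tooling or anything from the notification: it walks an exported sign-in log feed, counts records per hour inside the September 2 to 19 window, and merges empty hours into gap intervals. It assumes the rows were exported as JSON lines carrying a `createdDateTime` ISO-8601 UTC timestamp (the field the Microsoft Graph sign-in log uses; change `field` for other exports), that the outage year is 2024 (inferred from the article's timeline, not stated on the page), and it feeds itself a constructed sample in which one sign-in occurs every 30 minutes except for a simulated upload failure of three and a half days.

```python
"""Find ingestion gaps in an exported sign-in log feed.

Added example, not Microsoft's code. Assumes JSON-lines rows with a
`createdDateTime` ISO-8601 UTC timestamp; the sample feed is constructed.
"""
import json
from datetime import datetime, timedelta, timezone

# Outage window from Microsoft's notification. The year is inferred from the
# article's timeline (assumption). OUTAGE_END is exclusive, so it covers Sept 19.
OUTAGE_START = datetime(2024, 9, 2, tzinfo=timezone.utc)
OUTAGE_END = datetime(2024, 9, 20, tzinfo=timezone.utc)


def parse_timestamps(lines, field="createdDateTime"):
    """Yield UTC datetimes from JSON-lines records, skipping malformed rows."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            raw = json.loads(line)[field]
            # fromisoformat() only accepts a trailing 'Z' on Python >= 3.11,
            # so normalise it by hand before parsing.
            yield datetime.fromisoformat(raw.replace("Z", "+00:00")).astimezone(timezone.utc)
        except (ValueError, KeyError, TypeError):
            continue


def find_coverage_gaps(timestamps, start, end, bucket=timedelta(hours=1), min_events=1):
    """Return [(gap_start, gap_end), ...]: runs of bucket-sized slots inside
    [start, end) that received fewer than min_events records. Adjacent empty
    slots are merged into one interval; a gap still open at `end` is closed there."""
    counts = {}
    for ts in timestamps:
        if start <= ts < end:
            slot = start + bucket * ((ts - start) // bucket)
            counts[slot] = counts.get(slot, 0) + 1

    gaps, gap_start, slot = [], None, start
    while slot < end:
        missing = counts.get(slot, 0) < min_events
        if missing and gap_start is None:
            gap_start = slot
        elif not missing and gap_start is not None:
            gaps.append((gap_start, slot))
            gap_start = None
        slot += bucket
    if gap_start is not None:
        gaps.append((gap_start, end))
    return gaps


def total_gap_hours(gaps):
    return sum((e - s).total_seconds() for s, e in gaps) / 3600


def format_gaps(gaps):
    return [f"{s:%Y-%m-%dT%H:%M:%SZ}..{e:%Y-%m-%dT%H:%M:%SZ}" for s, e in gaps]


def constructed_feed(drop_from, drop_until):
    """Constructed sample feed: one sign-in every 30 minutes from Aug 30 to
    Sept 22, with rows between drop_from and drop_until removed to simulate
    an agent that stopped uploading."""
    t = datetime(2024, 8, 30, tzinfo=timezone.utc)
    stop = datetime(2024, 9, 22, tzinfo=timezone.utc)
    lines = []
    while t < stop:
        if not (drop_from <= t < drop_until):
            lines.append(json.dumps({"createdDateTime": t.strftime("%Y-%m-%dT%H:%M:%SZ"),
                                     "userPrincipalName": "alice@example.com",
                                     "status": {"errorCode": 0}}))
        t += timedelta(minutes=30)
    return lines


def analyse(lines, start=OUTAGE_START, end=OUTAGE_END):
    return find_coverage_gaps(parse_timestamps(lines), start, end)


def demo(drop_from="2024-09-05T12:00:00Z", drop_until="2024-09-09T00:00:00Z"):
    """Run the detector over the constructed feed; returns (gap strings, hours missing)."""
    to_dt = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))
    gaps = analyse(constructed_feed(to_dt(drop_from), to_dt(drop_until)))
    return format_gaps(gaps), total_gap_hours(gaps)


if __name__ == "__main__":
    gaps, hours = demo()
    for g in gaps:
        print(f"no records {g} UTC")
    print(f"{hours:.0f} hours of the outage window have no data")
```

In a Sentinel workspace the same per-hour count is a one-line KQL query, `SigninLogs | where TimeGenerated between (datetime(2024-09-02) .. datetime(2024-09-20)) | summarize count() by bin(TimeGenerated, 1h)`, and the Python above is what you run over the exported rows. Two caveats: an empty hour in a small tenant may just be a quiet night, so compare the window against the same weekdays of the preceding weeks or widen `bucket` to a day before treating it as a collection failure; and since the defect was in Microsoft's upload agent, the missing events never reached the tenant, so this tells you the size of the blind spot but cannot recover what fell into it.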
Microsoft declined to answer detailed questions about the logging outage, but a Microsoft executive confirmed to TechCrunch that the incident resulted from an "operational bug within our internal monitoring agent."
"We have mitigated the issue by rolling back a service change. We have communicated to all impacted customers and will provide support as needed," said John Sheehan, a Microsoft corporate vice president.
The logging outage comes a year after Microsoft came under fire from federal investigators for withholding security logs from certain U.S. federal government departments that host their email on the company's hardened, government-only cloud; investigators said access to those logs could have identified a series of China-backed intrusions far sooner.
The China-backed intruders, tracked as Storm-0558, breached Microsoft's systems and stole a digital skeleton key that gave them unfettered access to U.S. government emails stored in Microsoft's cloud. A government-issued postmortem of the cyberattack reported that the State Department detected the intrusions because it paid for a higher-tier Microsoft license that included access to security logs for its cloud products, something many other hacked U.S. government agencies did not have.
After the hacks, which were allegedly sponsored by China, Microsoft announced that it would begin making those logs available to its lower-tier cloud accounts from September 2023.