Microsoft has lost several weeks of cloud security logs that its customers rely on to detect cyber breaches.
What happened
As Business Insider reported earlier this month, Microsoft notified affected customers of the incident and told them that the failure “is not related to any security breach.”
An initial post-incident review has since been published. It says the cause was a bug in an internal monitoring agent that was triggered when a fix for a separate bug was rolled out to the log collection service.
“Beginning around 23:00 UTC on 2 September 2024, an error in one of Microsoft's internal monitoring agents resulted in some agents malfunctioning when uploading log data to our internal logging platform,” the company said.
(Image: partial list of affected Microsoft services.)
Two weeks after the issue was discovered on September 5, the company's engineering teams deployed a temporary and only partially effective workaround: periodically restarting the agent or the server so that log collection would resume.
However, some historical log data has been lost and cannot be recovered.
What services are affected?
The incident resulted in potentially incomplete logs for the following services:
- Azure Logic Apps (platform logs)
- Azure Healthcare APIs (platform logs)
- Microsoft Sentinel (security alerts)
- Azure Monitor (diagnostic settings directed to Azure Monitor)
- Azure Trusted Signing (incomplete SignTransaction and SignHistory logs)
- Azure Virtual Desktop (logs in Application Insights)
- Power Platform (data inconsistencies across reports)
- Microsoft Entra (sign-in logs, activity logs)
“Entra logs flowing through Azure Monitor to Microsoft Security products, including Microsoft Sentinel, Microsoft Purview, and Microsoft Defender for Cloud, were also affected,” the company said. This could potentially impact tenants' ability to analyze data, detect threats, or create security alerts.
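A defender-side check for the tables the page lists, as an added KQL example that is not part of the article or of Microsoft's review: it runs in a Log Analytics / Microsoft Sentinel workspace and assumes the standard SigninLogs, AuditLogs and SecurityAlert tables. The window start comes from the 2 September 23:00 UTC date above; the window end is an assumption to be set from Microsoft's own notification.

```kql
// Added example: find hourly ingestion gaps in Entra and Sentinel tables
// during the incident window, so a tenant can see where its own
// detection coverage may have holes. Not Microsoft's code.
let windowStart = datetime(2024-09-02 22:00:00);  // one hour before the reported 23:00 UTC onset
let windowEnd   = datetime(2024-10-04 00:00:00);  // ASSUMED end; set from Microsoft's notification
union isfuzzy=true                                // isfuzzy: tolerate tables absent from this workspace
    (SigninLogs    | project TimeGenerated, Table = "SigninLogs"),
    (AuditLogs     | project TimeGenerated, Table = "AuditLogs"),
    (SecurityAlert | project TimeGenerated, Table = "SecurityAlert")
| where TimeGenerated between (windowStart .. windowEnd)
// Fill every hour in the window, so empty hours show up as zero rather than vanishing
| make-series Rows = count() default = 0 on TimeGenerated from windowStart to windowEnd step 1h by Table
| mv-expand TimeGenerated to typeof(datetime), Rows to typeof(long)
| where Rows == 0
// Collapse consecutive empty hours into contiguous gap ranges per table
| order by Table asc, TimeGenerated asc
| extend NewGap = iff(prev(Table, 1, "") != Table
                      or datetime_diff('hour', TimeGenerated, prev(TimeGenerated, 1, datetime(1970-01-01))) != 1,
                      1, 0)
| extend GapId = row_cumsum(NewGap)
| summarize GapStart = min(TimeGenerated), GapEnd = max(TimeGenerated) + 1h, EmptyHours = count()
    by Table, GapId
| project Table, GapStart, GapEnd, EmptyHours
| order by Table asc, GapStart asc
```

A table that is quiet by nature (SecurityAlert in a small tenant) will show empty hours in normal operation, so compare the gaps against a table that should be continuous in your workspace, such as Heartbeat or Usage, before attributing them to the Microsoft-side collection failure. A table that exists but received no rows at all in the window produces no series and is absent from the output, which is itself a finding.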
The importance of logs
Logging – and having complete logs – is essential for security products to work as they should, and for enterprise defenders and incident responders to do their jobs.
After Chinese hackers gained access to email accounts belonging to US organizations and government agencies last year, Microsoft was criticized for not providing certain cloud logging capabilities to customers who did not have premium Microsoft Purview Audit licenses.
Access to these logs would likely have led to the intrusion being detected earlier than it was. The incident prompted Microsoft to make these logs available to all agencies using Microsoft Purview Audit (regardless of license level) and to increase the default log retention period from 90 days to 180 days.