Microsoft Expanded Cloud Logs: What They Reveal and How to Retrieve Them

Jonathan Butler

Developer, Hawk Project

Last year, Microsoft completed the rollout of expanded Microsoft Cloud logging, introducing four critical log types that provide deeper visibility into security events across Microsoft 365. These logs significantly enhance the ability to track email activity and identify reconnaissance attempts within Exchange and SharePoint, marking a major step forward in forensic investigations and threat detection capabilities.

As part of a recent initiative to enhance cloud security visibility, Microsoft and CISA jointly released the Microsoft Expanded Cloud Logs Implementation Playbook. This playbook serves as a crucial guide, outlining how security teams can enable, collect, and analyze these logs effectively. As someone who's spent a considerable amount of time working with Microsoft 365 logs, I can tell you this is a significant leap forward in Microsoft cloud security visibility.

Beyond the new log types, one of the most immediate benefits of these changes is that Microsoft has doubled the default log retention period from 90 to 180 days for Audit Standard customers. This isn't just a numbers game; a compromise is often discovered months after the initial access, and a 90-day window meant the records that mattered were frequently already gone. The longer window is a real expansion of investigative reach, especially for teams working with limited resources.

The Four Game-Changing Log Types

1. MailItemsAccessed

This is the log type I've been waiting for. It records access to individual messages, distinguishing Bind operations (a client opening or reading specific items) from Sync operations (a client such as Outlook desktop synchronizing a folder), so an investigator can show which messages were actually viewed or synced rather than inferring it from a sign-in. One caveat worth knowing before relying on it: Exchange throttles these records. Once a mailbox generates more than 1,000 MailItemsAccessed records within 24 hours, logging of that action stops for the mailbox for the rest of that period, and the record generated at that point carries IsThrottled set to True. For a throttled mailbox, the absence of later records proves nothing.

2. Mail "Send" Logs

The new Send logs record every message sent from the mailbox, with metadata that was previously difficult to obtain: when the message was sent, who sent it, its subject and message ID, and which client or application submitted it (captured in the ClientInfoString and client IP address). That last point is what makes them useful in compromise scenarios. A message submitted through a command-line tool, a non-GUI client, or an API rather than the user's normal Outlook client stands out immediately. Note that Send covers the mailbox owner's own sends; SendAs and SendOnBehalf remain separate mailbox audit actions and should be collected alongside it.

3. SearchQueryInitiatedExchange

The SearchQueryInitiatedExchange logs are valuable for detecting reconnaissance activity in a compromised mailbox. They capture the actual search terms entered into Outlook's search bar, so an investigator can see what the threat actor was looking for (terms like "password", "invoice", or "wire transfer") rather than guessing at intent from which folders were opened. Unlike MailItemsAccessed and Send, this action is not part of the default mailbox audit set and must be enabled per mailbox before any records are generated; the playbook covers the exact steps.

4. SearchQueryInitiatedSharePoint

The SearchQueryInitiatedSharePoint logs complete the picture by providing visibility into document-level reconnaissance. This has been particularly important as more organizations store sensitive documents in SharePoint and OneDrive.

These logs capture the exact search terms entered into SharePoint, along with metadata such as the type of SharePoint site being searched (e.g., Home sites, Communication sites, Hub sites, and Microsoft Teams-associated sites). This level of visibility allows investigators to determine if a threat actor is targeting specific files, projects, or departments.
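The following is an added example, not code from Hawk, Microsoft, or the playbook. It shows what the four log types above reveal once retrieved: a Search-UnifiedAuditLog wrapper for a live tenant (requires Connect-ExchangeOnline and audit-log read rights) and an offline triage over the AuditData JSON that both Search-UnifiedAuditLog and Hawk return. The field names used (Operations, ClientInfoString, ClientIPAddress, OperationProperties with MailAccessType and IsThrottled, Item.Subject, QueryText) are the documented ones; the sample records, the "GUI client" regex and the suspicious-term list are constructed for this example and should be tuned to your environment.

```powershell
# Added example (not Hawk or Microsoft code). Field names follow the documented
# AuditData schema; sample records and heuristics below are constructed.

$ExpandedOperations = @('MailItemsAccessed', 'Send',
                        'SearchQueryInitiatedExchange', 'SearchQueryInitiatedSharePoint')

function Get-ExpandedLogRecords {
    # Live retrieval for one user. ReturnLargeSet pages past the 5,000-row limit of a
    # single call; the same SessionId returns the next page until nothing comes back.
    param([Parameter(Mandatory)][string]$UserPrincipalName, [int]$Days = 30)
    $sessionId = "expanded-$UserPrincipalName-$([guid]::NewGuid())"
    $results = @()
    do {
        $page = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) `
            -UserIds $UserPrincipalName -Operations $ExpandedOperations `
            -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
        $results += $page
    } while ($page -and @($page).Count -gt 0)
    return $results
}

function Get-ExpandedLogTriage {
    # One row per event with the fields an investigator reads first, plus a flag.
    # Input: objects with Operations and AuditData columns (Search-UnifiedAuditLog shape).
    param([Parameter(Mandatory)][object[]]$Records)
    $suspiciousTerms = @('password', 'invoice', 'wire', 'bank', 'vpn', 'mfa')   # constructed list
    $guiClients = '^Client=(OWA|Outlook|MSExchangeRPC|Microsoft Office|MacOutlook|OutlookService)'  # heuristic

    foreach ($r in $Records) {
        $d = $r.AuditData | ConvertFrom-Json
        $row = [ordered]@{ Operation = $r.Operations; User = $d.UserId
                           Client = $d.ClientInfoString; IP = $d.ClientIPAddress }
        switch ($r.Operations) {
            'MailItemsAccessed' {
                $props = @{}
                foreach ($p in $d.OperationProperties) { $props[$p.Name] = $p.Value }
                $itemCount = 0
                foreach ($f in $d.Folders) { $itemCount += @($f.FolderItems).Count }
                $row.Detail = "$($props['MailAccessType']) of $itemCount item(s)"
                # IsThrottled=True: logging stopped for 24h, so later silence is not evidence.
                $row.Flag = $(if ($props['IsThrottled'] -eq 'True') { 'THROTTLED' } else { '' })
            }
            'Send' {
                $row.Detail = "Subject: $($d.Item.Subject)"
                # Sends from scripts, EWS or Graph rather than a mail client deserve a look.
                $row.Flag = $(if ($d.ClientInfoString -notmatch $guiClients) { 'NON-GUI CLIENT' } else { '' })
            }
            { $_ -in 'SearchQueryInitiatedExchange', 'SearchQueryInitiatedSharePoint' } {
                $hits = @($suspiciousTerms | Where-Object { $d.QueryText -match $_ })
                $row.Detail = "Query: $($d.QueryText)"
                $row.Flag = $(if ($hits.Count) { "RECON TERMS: $($hits -join ',')" } else { '' })
            }
        }
        [pscustomobject]$row
    }
}

# Constructed sample records shaped like Search-UnifiedAuditLog output (not real tenant data).
$SampleRecords = @(
    [pscustomobject]@{ Operations = 'MailItemsAccessed'; AuditData = '{"UserId":"alice@contoso.example","ClientInfoString":"Client=REST;Client=RESTSystem;;","ClientIPAddress":"203.0.113.7","OperationProperties":[{"Name":"MailAccessType","Value":"Bind"},{"Name":"IsThrottled","Value":"False"}],"Folders":[{"Path":"\\Inbox","FolderItems":[{"InternetMessageId":"<a1@contoso.example>"},{"InternetMessageId":"<a2@contoso.example>"}]}]}' }
    [pscustomobject]@{ Operations = 'MailItemsAccessed'; AuditData = '{"UserId":"alice@contoso.example","ClientInfoString":"Client=MSExchangeRPC","ClientIPAddress":"198.51.100.20","OperationProperties":[{"Name":"MailAccessType","Value":"Sync"},{"Name":"IsThrottled","Value":"True"}],"Folders":[{"Path":"\\Inbox","FolderItems":[]}]}' }
    [pscustomobject]@{ Operations = 'Send'; AuditData = '{"UserId":"alice@contoso.example","ClientInfoString":"Client=REST;Client=RESTSystem;;","ClientIPAddress":"203.0.113.7","Item":{"Subject":"Updated banking details","InternetMessageId":"<s1@contoso.example>"}}' }
    [pscustomobject]@{ Operations = 'SearchQueryInitiatedExchange'; AuditData = '{"UserId":"alice@contoso.example","ClientInfoString":"Client=OWA;Action=ViaProxy","ClientIPAddress":"203.0.113.7","QueryText":"password reset"}' }
    [pscustomobject]@{ Operations = 'SearchQueryInitiatedSharePoint'; AuditData = '{"UserId":"alice@contoso.example","ClientInfoString":"Client=OWA;Action=ViaProxy","ClientIPAddress":"203.0.113.7","QueryText":"Q3 budget"}' }
)

Get-ExpandedLogTriage -Records $SampleRecords | Format-Table -AutoSize
```

Run as-is, the triage prints five rows: the REST-client Bind of two messages, the throttled Sync (flagged THROTTLED), the Send flagged NON-GUI CLIENT because the same REST client and IP that read the mailbox also sent mail, the Exchange search flagged for "password", and the SharePoint search with no flag. The value of reading all four together is in that overlap: a single unfamiliar client and IP appearing across access, search and send records is a far stronger signal than any one record alone. Against a live tenant, replace $SampleRecords with the output of Get-ExpandedLogRecords.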

Integration with Hawk 4.0

In the latest version of Hawk, we have integrated support for these new log types. You can collect them by running a Hawk User Investigation, or by running the standalone functions below:

  • Get-HawkUserMailItemsAccessed
  • Get-HawkUserMailSendActivity
  • Get-HawkUserExchangeSearchQuery
  • Get-HawkUserSharePointSearchQuery

Why These Logs Matter

With the introduction of new log types and extended retention periods, security teams now have greater visibility into critical security events. These enhancements enable deeper forensic analysis and provide more actionable data, improving both threat detection and investigative workflows.

Key advantages of leveraging these logs include:

  • Earlier detection of unauthorized access through detailed search activity tracking
  • Improved correlation of user actions across Microsoft 365 services
  • Better identification of unauthorized email access and suspicious outbound messages
  • Enhanced detection of reconnaissance efforts in SharePoint and Exchange

Getting Started

If you're ready to start leveraging these new capabilities, here's what I recommend:

  1. Review the Microsoft Expanded Cloud Logs Implementation Playbook
  2. Enable these new logs within your Microsoft Cloud environment
  3. Update to Hawk 4.0 to access the new cmdlets
  4. Ingest these logs into your SIEM of choice
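Steps 2 and 3 above as one script, added here as an example and not taken from Hawk or the playbook. It assumes the ExchangeOnlineManagement module, an account permitted to change mailbox audit settings and read the audit log, and that the Hawk cmdlets take a -UserPrincipalName parameter (check Get-Help on your installed version before relying on that). Only the Exchange search log is enabled here; enabling SearchQueryInitiatedSharePoint is handled separately and is covered in the playbook.

```powershell
# Added example (not Hawk or Microsoft code): verify audit ingestion, enable the
# search-query action per mailbox, then collect the four log types with Hawk.
param(
    [Parameter(Mandatory)][string[]]$UserPrincipalName
)

Connect-ExchangeOnline -ShowBanner:$false

# 1. Nothing below matters if the tenant is not writing to the unified audit log.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    throw 'Unified audit log ingestion is disabled; enable it before collecting anything.'
}

# 2. MailItemsAccessed and Send are in the default mailbox audit set, but
#    SearchQueryInitiated is not and has to be added to the Owner logon type.
foreach ($upn in $UserPrincipalName) {
    $mbx = Get-Mailbox -Identity $upn
    if (-not $mbx.AuditEnabled) {
        Set-Mailbox -Identity $upn -AuditEnabled $true
    }
    if ($mbx.AuditOwner -notcontains 'SearchQueryInitiated') {
        # Caveat: customizing AuditOwner removes 'Owner' from this mailbox's DefaultAuditSet,
        # so actions Microsoft later adds to the default set no longer apply automatically.
        Set-Mailbox -Identity $upn -AuditOwner @{Add = 'SearchQueryInitiated'}
    }
    # Show the resulting state so the change can be recorded in the case notes.
    Get-Mailbox -Identity $upn |
        Select-Object UserPrincipalName, AuditEnabled, DefaultAuditSet, AuditOwner
}

# 3. Install or update Hawk (module name on the PowerShell Gallery is HAWK) and collect.
#    Hawk prompts to initialize its global object (date range, output folder) on first use.
if (Get-Module -ListAvailable -Name HAWK) { Update-Module -Name HAWK }
else { Install-Module -Name HAWK -Scope CurrentUser }
Import-Module HAWK

foreach ($upn in $UserPrincipalName) {
    Get-HawkUserMailItemsAccessed     -UserPrincipalName $upn   # parameter name assumed
    Get-HawkUserMailSendActivity      -UserPrincipalName $upn
    Get-HawkUserExchangeSearchQuery   -UserPrincipalName $upn
    Get-HawkUserSharePointSearchQuery -UserPrincipalName $upn
}
```

Run it before an investigation rather than during one: the search-query action only produces records from the moment it is enabled, so a mailbox switched on today has no reconnaissance history to pull. The DefaultAuditSet caveat in the comment is the one practitioners most often trip over later, when a mailbox customized years ago silently misses a newly added default action.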