News

Microsoft Purview Audit Standard Perks May Not Arrive Until 2024

Some of the new capabilities coming to Standard subscribers are slated to arrive next year.

• By Kurt Mackie
• 10/24/2023

Microsoft offered a few more details about its plans to expand audit logging and data retention periods for Microsoft Purview Audit Standard users.

The updated plans were described in an Oct. 18 security blog post by Rudra Mitra, corporate vice president for Microsoft data security and compliance. In essence, Microsoft is planning to deliver the following free perks to Microsoft Purview Audit Standard users:

• Expand the default audit logs retention period to 180 days (up from 90 days), and
• Provide access to an additional 30 audit logs.

Mitra said that the expanded audit logs retention period for Audit Standard users began rolling out in "October 2023." It's a gradual rollout that will arrive first to Microsoft's worldwide enterprise customers, followed by its government customers.

The additional 30 audit logs for Microsoft Purview Audit Standard users will be arriving "over the next several months." Mitra pointed readers to Microsoft's roadmap to learn more. However, some of the coming audit log items listed on that roadmap won't be available until mid-to-late 2024.

This rather slow delivery was noted by security solutions architect Nathan McNulty in an Oct. 19 exTwitter post:

Well, the good news is standard audit logs will now be retained for 180 days (previously 90 for standard, 365 for premium). The bad news is it won't include MailItemsAccessed, Send, or SearchQueryInitiated* events until September 2024...

Microsoft had initially floated plans to extend the log storage period in the Standard edition of Microsoft Purview Audit from 90 days to 180 days, as well as boost the number of log types monitored, back in a July announcement. These expansions are being added at no extra cost for Standard subscribers. Microsoft made the decision to boost the Standard capabilities following discussions with customers and the U.S. Cybersecurity and Infrastructure Security Agency (CISA), according to Mitra.

CISA, back in July, had praised Microsoft's decision to expand the logging period, which is helpful for investigating attacker methods. However, Mitra stressed in his post that "it is important to emphasize that log data, while an invaluable resource, is not a preventive measure against cyberattacks."

It's perhaps likely that CISA may have wanted an even longer log period than 180 days from Microsoft for Standard users, since CISA's recommendations to government agencies is to have one year of log storage available. Microsoft does offer one year of log storage, but it is just available as part of its higher priced Microsoft Purview Audit Premium product.

It's speculated that CISA wanted the log extensions because of data exfiltration attacks on government agencies that started in May involving Microsoft Outlook. Microsoft attributed those data exfiltration attacks to a China-affiliated group called "Storm-0558." CISA more generally, though, has been advocating for security as a standard feature in all technology products, which should not be offered at premium pricing, per recent public CISA announcements.