Microsoft recently notified customers that security log data for several of its cloud products had been lost. The loss covered roughly a two-week period in September, potentially leaving network defenders with a blind spot when trying to detect intrusions.
The problem stemmed from a bug in one of Microsoft's internal monitoring agents, which disrupted the upload of log data to the company's internal logging platform. According to Microsoft, the outage affected only the collection of log events and was not the result of a security breach.
Affected products included Microsoft Entra, Sentinel, Defender for Cloud, and Purview. Customers may have experienced gaps in security-related logs or events, impairing their ability to analyze data, detect threats, and generate security alerts during the affected period. Logs that were never collected cannot be replayed from the platform later, so detections and investigations that cover that window have to treat it as unobserved time rather than as a quiet period.
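The practical check a defender wants after an incident like this is whether any of their own log sources went quiet. Below is an added example, not code from the original article or from Microsoft, that scans a small export of (source, timestamp) records and reports every interval longer than a threshold in which an expected source produced nothing, including sources that never reported at all. The source names, timestamps, monitoring window and two-hour threshold are all constructed for the illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample export of (log source, event time). The source names and
# timestamps are made up for this illustration; they are not real tenant data.
SAMPLE_EVENTS = [
    ("SigninLogs", "2024-09-01T00:10:00Z"),
    ("SigninLogs", "2024-09-01T01:20:00Z"),
    ("SigninLogs", "2024-09-01T02:05:00Z"),
    # nothing from SigninLogs between 02:05 and 06:40: a 4h35m silent window
    ("SigninLogs", "2024-09-01T06:40:00Z"),
    ("SigninLogs", "2024-09-01T07:15:00Z"),
    ("AuditLogs", "2024-09-01T00:30:00Z"),
    ("AuditLogs", "2024-09-01T01:45:00Z"),
    ("AuditLogs", "2024-09-01T02:50:00Z"),
    ("AuditLogs", "2024-09-01T04:20:00Z"),
    ("AuditLogs", "2024-09-01T05:30:00Z"),
    ("AuditLogs", "2024-09-01T06:40:00Z"),
    ("AuditLogs", "2024-09-01T07:10:00Z"),
]

# Sources the tenant expects to see. "DefenderAlerts" has no events at all in
# the sample, which is the worst case: a source that silently stopped reporting.
EXPECTED_SOURCES = ["SigninLogs", "AuditLogs", "DefenderAlerts"]

# Monitoring window and the longest silence tolerated before raising a finding
# (both assumed values for the example).
WINDOW_START = datetime(2024, 9, 1, 0, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 9, 1, 8, 0, tzinfo=timezone.utc)
MAX_GAP = timedelta(hours=2)


def parse_ts(text):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_silent_windows(events, expected_sources, window_start, window_end, max_gap):
    """Return {source: [(silence_start, silence_end), ...]} for every interval
    longer than max_gap in which a source produced no events.

    The window edges are included as pseudo-events so that silence at the start
    or end of the window, and sources with no events at all, are reported too.
    """
    by_source = {source: [] for source in expected_sources}
    for source, ts in events:
        by_source.setdefault(source, []).append(parse_ts(ts))

    findings = {}
    for source, stamps in by_source.items():
        points = [window_start] + sorted(stamps) + [window_end]
        gaps = [
            (earlier, later)
            for earlier, later in zip(points, points[1:])
            if later - earlier > max_gap
        ]
        if gaps:
            findings[source] = gaps
    return findings


def silent_seconds(findings):
    """Total silent time per source, in whole seconds, for reporting or thresholds."""
    return {
        source: int(sum((end - start).total_seconds() for start, end in gaps))
        for source, gaps in findings.items()
    }


def run_sample():
    """Run the check over the constructed sample data."""
    return find_silent_windows(SAMPLE_EVENTS, EXPECTED_SOURCES,
                               WINDOW_START, WINDOW_END, MAX_GAP)


if __name__ == "__main__":
    findings = run_sample()
    for source, gaps in findings.items():
        for start, end in gaps:
            hours = (end - start).total_seconds() / 3600
            print(f"{source}: no events from {start:%H:%M} to {end:%H:%M} ({hours:.1f}h)")
    for source in EXPECTED_SOURCES:
        if source not in findings:
            print(f"{source}: ok")
```

Run over the sample, the check flags SigninLogs for the 02:05 to 06:40 window and DefenderAlerts for the entire eight hours, while AuditLogs passes. The threshold should be tuned per source to its normal event rate; a chatty sign-in log can tolerate a much shorter limit than a low-volume alert feed, and a finding here means "unobserved", not "nothing happened".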
While Microsoft did not publish specific details about the incident, a company executive confirmed that it was caused by an operational bug in the internal monitoring agent. Microsoft has since rolled back a service change to mitigate the issue and is offering support to affected customers.
This logging outage comes on the heels of an earlier controversy in which federal investigators accused Microsoft of withholding security logs from certain U.S. government departments, logs that could have helped identify a series of China-backed intrusions much sooner.
In response to that earlier incident, Microsoft pledged to make security logs available to lower-tier cloud accounts starting in September 2023, a move intended to improve transparency and security for all customers of its cloud services.