Microsoft warns it lost some customers' security logs for a month

Microsoft is warning enterprise customers that, for almost a month, a bug caused critical logs to be partially lost, putting at risk companies that rely on this data to detect unauthorized activity.

The issue was first reported earlier this month by Business Insider, which said that Microsoft had begun notifying customers that their logging data had not been consistently collected between September 2nd and September 19th.

The lost logs include security data commonly used to monitor for suspicious traffic, behavior, and login attempts on a network, increasing the chances for attacks to go undetected.

A preliminary Post Incident Review (PIR) sent to customers and shared by Microsoft MVP Joao Ferreira sheds further light on the issue, saying that logging issues were worse for some services, continuing until October 3rd.

Microsoft’s review says that the following services were impacted, each with varying degrees of log disruption:

  • Microsoft Entra: Potentially incomplete sign-in logs, and activity logs. Entra logs flowing via Azure Monitor into Microsoft Security products, including Microsoft Sentinel, Microsoft Purview, and Microsoft Defender for Cloud, were also impacted. 
  • Azure Logic Apps: Experienced intermittent gaps in telemetry data in Log Analytics, Resource Logs, and Diagnostic settings from Logic Apps.   
  • Azure Healthcare APIs: Partially incomplete diagnostic logs.
  • Microsoft Sentinel: Potential gaps in security related logs or events, affecting customers’ ability to analyze data, detect threats, or generate security alerts.  
  • Azure Monitor: Observed gaps or reduced results when running queries based on log data from impacted services. In scenarios where customers configured alerts based on this log data, alerting might have been impacted.
  • Azure Trusted Signing: Experienced partially incomplete SignTransaction and SignHistory logs, leading to reduced signing log volume and under-billing.
  • Azure Virtual Desktop: Partially incomplete in Application Insights. The main connectivity and functionality of AVD was unimpacted. 
  • Power Platform: Experienced minor discrepancies affecting data across various reports, including Analytics reports in the Admin and Maker portal, Licensing reports, Data Exports to Data Lake, Application Insights, and Activity Logging.
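Because the review describes logs as partially incomplete rather than absent, looking only for hours with no events will understate the impact. The following added example (not from Microsoft's review or the original article) compares hourly event counts inside an affected window with the median for the same weekday and hour outside it; the function names, the 50% threshold and the sample counts are assumptions, and the sample data is constructed.

```python
from datetime import datetime, timedelta
from statistics import median


def partial_loss_hours(hourly_counts, window_start, window_end, threshold=0.5):
    """Return (hour, seen, expected) for hours in [window_start, window_end)
    whose count is below threshold * expected, where expected is the median
    count for the same weekday and hour outside the window."""
    baseline = {}
    for ts, n in hourly_counts.items():
        if not (window_start <= ts < window_end):
            baseline.setdefault((ts.weekday(), ts.hour), []).append(n)
    flagged = []
    ts = window_start
    while ts < window_end:
        ref = baseline.get((ts.weekday(), ts.hour))
        if ref:  # skip hours with no baseline instead of guessing
            expected = median(ref)
            seen = hourly_counts.get(ts, 0)  # an absent hour counts as zero
            if seen < threshold * expected:
                flagged.append((ts, seen, expected))
        ts += timedelta(hours=1)
    return flagged


def constructed_sample():
    """Constructed data: 28 days of hourly sign-in counts. On days 21-24 only
    30% of business-hour events were stored, and one night hour is absent."""
    start = datetime(2030, 1, 7)  # arbitrary date, not the incident window
    counts = {}
    for h in range(28 * 24):
        ts = start + timedelta(hours=h)
        n = 1000 if 8 <= ts.hour < 18 else 100
        if 21 <= h // 24 < 25 and 8 <= ts.hour < 18:
            n = 300
        counts[ts] = n
    del counts[start + timedelta(days=22, hours=3)]
    return counts, start + timedelta(days=21), start + timedelta(days=28)


if __name__ == "__main__":
    counts, win_start, win_end = constructed_sample()
    for ts, seen, expected in partial_loss_hours(counts, win_start, win_end):
        print(f"{ts:%Y-%m-%d %H:00}  seen={seen}  expected~{expected}")
```

To use it on real data, export hourly counts per log table and pass the window from Microsoft's notice; hours it flags are periods where detections built on that table may not have fired.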

Microsoft says the logging failure was caused by a bug introduced when fixing a different issue in the company’s log collection service.

“The initial change was to address a limit in…

Click Here to Read the Full Original Article at BleepingComputer…