Microsoft Warns It Lost Security Logs Of Its Customers For A Month

Microsoft Corp. has resolved a software bug that caused the company to lose some security logs for several weeks in September.

In a statement to TechCrunch, the Redmond giant confirmed that it has mitigated the issue by rolling back a service change and is notifying all its impacted customers.

“We have mitigated the issue by rolling back a service change. We have communicated to all impacted customers and will provide support as needed,” said John Sheehan, a Microsoft corporate Vice President, in a statement to TechCrunch.

According to a Microsoft executive, the issue was caused by an operational bug within the company’s internal monitoring agent, which prevented some of the agents from uploading log data to the company’s internal logging platform.

For those unaware, this issue was first reported by Business Insider earlier this month. The article stated that Microsoft was apparently notifying its customers that it had failed to consistently collect log data for several key security products for almost a month, which could affect customers’ ability to detect threats and generate security alerts.

Between September 2 and September 19, “a bug in one of Microsoft’s internal monitoring agents resulted in a malfunction in some of the agents when uploading log data to our internal logging platform,” Microsoft wrote in the notification sent to its affected customers.

Logs are important records of events within a system, such as login attempts on a network, object access, and file deletion.

They can help network defenders identify suspected intrusions. Without proper log recording, however, it is difficult to identify and track such issues, and potential intrusions may go unnoticed.

“This issue did not impact the uptime of any customer-facing services or resources — it only affected the collection of log events. Additionally, this issue is not related to any security compromise,” the notification explained.

The affected products include Microsoft Entra, an identity-management service; Microsoft Sentinel, a security information and event-management product; Microsoft Defender for Cloud; and Microsoft Purview, a data loss prevention product.

“Microsoft Sentinel customers may have experienced potential gaps in security related logs or events, possibly affecting customers’ ability to analyze data, detect threats, or generate security alerts,” the notification warned.
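An outage of this kind is visible from the defender's side only if someone is watching for the silence itself. The following added example (not from the article, Microsoft, or any Sentinel tooling) takes a constructed list of per-source "record seen" heartbeats and flags every stretch longer than a threshold in which a log source delivered nothing, including a feed that stopped and never resumed before the end of the review window:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample heartbeat records (timestamp, source) standing in for the
# "last record seen" per log table. "SigninLogs" goes silent from Sep 2 until
# Sep 19, mirroring the window in the article; "SecurityAlert" stops on Sep 3
# and never resumes. Source names are illustrative, not real table names.
SAMPLE_RECORDS = [
    ("2024-09-01T00:00:00", "SigninLogs"),
    ("2024-09-02T00:00:00", "SigninLogs"),
    ("2024-09-19T12:00:00", "SigninLogs"),
    ("2024-09-20T00:00:00", "SigninLogs"),
    ("2024-09-01T00:00:00", "SecurityAlert"),
    ("2024-09-02T00:00:00", "SecurityAlert"),
    ("2024-09-03T00:00:00", "SecurityAlert"),
]


def find_ingestion_gaps(records, max_silence_hours, window_end):
    """Return (source, gap_start, gap_end, silent_hours) for every stretch in
    which a source delivered no records for longer than max_silence_hours.
    A source still silent at window_end is reported as an open gap so that a
    feed that died and never came back is not missed."""
    limit = timedelta(hours=max_silence_hours)
    end = datetime.fromisoformat(window_end)
    by_source = defaultdict(list)
    for ts, source in records:
        by_source[source].append(datetime.fromisoformat(ts))
    gaps = []
    for source, stamps in by_source.items():
        stamps.sort()
        # Compare each record with its successor, then the last one with the
        # end of the review window.
        for prev, cur in zip(stamps, stamps[1:] + [end]):
            if cur - prev > limit:
                gaps.append((source, prev.isoformat(), cur.isoformat(),
                             (cur - prev).total_seconds() / 3600))
    return sorted(gaps, key=lambda g: (g[1], g[0]))


if __name__ == "__main__":
    for src, start, stop, hours in find_ingestion_gaps(
            SAMPLE_RECORDS, 24, "2024-09-20T00:00:00"):
        print(f"{src}: no records between {start} and {stop} ({hours:.1f} h)")
```

The threshold should sit just above a source's normal quiet period; a feed that is expected to be bursty needs a longer one than a steady heartbeat.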

For further information, you can check out the Preliminary Post Incident Review (PIR) that was sent to the affected customers.

According to Microsoft, the logging failure was caused by a bug accidentally introduced while addressing a separate issue in the company’s log collection service.

The company explained that although it followed safe deployment practices when fixing the original issue, it could not detect the new bug immediately.

As a result, it took them a few days to identify the problem.
