
1
00:00:00,000 –> 00:00:02,560
It started with a warning, then silence.
2
00:00:02,560 –> 00:00:07,080
A single account pulled down 12,000 files from SharePoint in under 20 minutes.
3
00:00:07,080 –> 00:00:10,720
No malware, no DLP alert, no blocked session.
4
00:00:10,720 –> 00:00:14,080
The Zero Trust controls all said “allowed”.
5
00:00:14,080 –> 00:00:18,240
Here’s the problem. Zero Trust without audit evidence is policy theater.
6
00:00:18,240 –> 00:00:21,240
Verification isn’t a checkbox. It’s a trail.
7
00:00:21,240 –> 00:00:26,960
Today, we’ll trace four log sources that turn suspicion into proof and prevention.
8
00:00:26,960 –> 00:00:31,040
We’ll pull Entra sign-in risk, the unified audit log, Purview policy edits,
9
00:00:31,040 –> 00:00:33,680
and Copilot interactions into one timeline.
10
00:00:33,680 –> 00:00:36,800
There’s one log pivot that exposes data staging every time.
11
00:00:36,800 –> 00:00:40,040
We’ll get to it. First, verify the verifier.
12
00:00:40,040 –> 00:00:44,120
Entra ID sign-in and risk: verify the verifier.
13
00:00:44,120 –> 00:00:46,560
Every breach begins with an identity.
14
00:00:46,560 –> 00:00:51,720
The controls look solid. Conditional access, MFA, compliant devices.
15
00:00:51,720 –> 00:00:53,920
But the evidence tells a different story.
16
00:00:53,920 –> 00:00:57,280
Risky sign-ins are the earliest artifact that something is off
17
00:00:57,280 –> 00:01:01,680
and ignoring them quietly voids “verify explicitly”.
18
00:01:01,680 –> 00:01:03,400
Here’s what most teams miss.
19
00:01:03,400 –> 00:01:06,400
The Entra Identity stack splits your visibility.
20
00:01:06,400 –> 00:01:09,320
Risky sign-ins are a rolling 30-day window.
21
00:01:09,320 –> 00:01:13,600
Risk detections, like anomalous token or attacker in the middle,
22
00:01:13,600 –> 00:01:15,800
persist for 90 days.
23
00:01:15,800 –> 00:01:17,560
That asymmetry matters.
24
00:01:17,560 –> 00:01:21,880
The timelines reveal that when analysts only check risky sign-ins,
25
00:01:21,880 –> 00:01:26,160
they lose the earliest signals after a month and can’t reconstruct the path.
26
00:01:26,160 –> 00:01:29,640
OK, so basically, track three streams relentlessly,
27
00:01:29,640 –> 00:01:34,280
risky sign-ins, risk detections, and workload identity anomalies.
28
00:01:34,280 –> 00:01:35,880
Risky sign-ins show the attempt.
29
00:01:35,880 –> 00:01:37,800
Risk detections show the pattern.
30
00:01:37,800 –> 00:01:41,600
Workload identity anomalies surface service principals
31
00:01:41,600 –> 00:01:45,160
and managed identities behaving like users.
32
00:01:45,160 –> 00:01:47,640
Because attackers love app permissions
33
00:01:47,640 –> 00:01:50,320
that never get MFA prompts.
34
00:01:50,320 –> 00:01:53,480
High-value detections deserve priority triage.
35
00:01:53,480 –> 00:01:57,840
Anomalous token means a token is being replayed outside its expected envelope,
36
00:01:57,840 –> 00:01:59,480
classic session theft.
37
00:01:59,480 –> 00:02:04,240
Attacker in the middle indicates the sign-in route brushed a malicious proxy.
38
00:02:04,240 –> 00:02:08,040
Unfamiliar sign-in properties ties together odd combinations,
39
00:02:08,040 –> 00:02:11,840
new device, odd IP, unexpected client.
40
00:02:11,840 –> 00:02:13,840
The simple version is these three together
41
00:02:13,840 –> 00:02:16,920
raise the probability of credential misuse fast.
42
00:02:16,920 –> 00:02:18,320
Here’s the weird part.
43
00:02:18,320 –> 00:02:22,640
Conditional access often succeeds while the threat remains.
44
00:02:22,640 –> 00:02:25,320
A medium-risk sign-in prompts for MFA,
45
00:02:25,320 –> 00:02:30,800
the user passes and the session proceeds, policy says verified.
46
00:02:30,800 –> 00:02:32,840
The evidence suggests otherwise.
47
00:02:32,840 –> 00:02:35,560
Repeated medium-risk events over days
48
00:02:35,560 –> 00:02:38,840
correlate strongly with later data staging,
49
00:02:38,840 –> 00:02:42,520
therefore escalate repetition, not just severity.
50
00:02:42,520 –> 00:02:46,960
To make this actionable, join what the user did with why it was allowed,
51
00:02:46,960 –> 00:02:50,800
combine Entra sign-in logs with conditional access evaluation.
52
00:02:50,800 –> 00:02:53,920
The goal: for each successful authentication,
53
00:02:53,920 –> 00:02:59,680
record the policy path (block, MFA required, session controls applied)
54
00:02:59,680 –> 00:03:02,120
and tie it to the risk context.
55
00:03:02,120 –> 00:03:05,040
When a user gets through on “require MFA”
56
00:03:05,040 –> 00:03:08,200
three times from unfamiliar properties in a week,
57
00:03:08,200 –> 00:03:11,760
that’s an investigation, not business as usual.
58
00:03:11,760 –> 00:03:13,920
Think of it like a bouncer with a checklist
59
00:03:13,920 –> 00:03:16,360
versus a detective with a case file.
60
00:03:16,360 –> 00:03:18,600
The bouncer sees an ID and lets them in.
61
00:03:18,600 –> 00:03:21,080
The detective builds a narrative across nights,
62
00:03:21,080 –> 00:03:24,120
noticing the same face with different stories.
63
00:03:24,120 –> 00:03:26,880
Your logs must act like the detective.
64
00:03:26,880 –> 00:03:29,280
Specifics that hold up in forensics:
65
00:03:29,280 –> 00:03:35,560
user ID, app ID, IP, device ID, and session ID equivalents.
66
00:03:35,560 –> 00:03:39,000
If session ID is missing, derive a session key from user ID
67
00:03:39,000 –> 00:03:41,680
plus app ID plus a 30-minute window.
68
00:03:41,680 –> 00:03:44,640
Risk detail and risk level at the event time.
69
00:03:44,640 –> 00:03:46,320
Don’t infer later.
70
00:03:46,320 –> 00:03:48,960
Conditional access policy outcome.
71
00:03:48,960 –> 00:03:52,000
Capture which policy tipped the decision.
72
00:03:52,000 –> 00:03:55,320
Upon closer examination, repeated medium risk
73
00:03:55,320 –> 00:03:58,840
with changing IP ranges is more predictive
74
00:03:58,840 –> 00:04:00,960
than a single high-risk spike.
75
00:04:00,960 –> 00:04:03,520
The counter-intuitive part is that automated blocks
76
00:04:03,520 –> 00:04:05,760
on high-risk are common.
77
00:04:05,760 –> 00:04:09,760
The slow drip of medium becomes the real lead.
78
00:04:09,760 –> 00:04:12,880
Escalate by count and diversity.
79
00:04:12,880 –> 00:04:17,440
Three medium risk sign-ins from three ASNs in seven days
80
00:04:17,440 –> 00:04:19,360
trigger a case.
81
00:04:19,360 –> 00:04:21,880
Microstory from a typical tenant.
82
00:04:21,880 –> 00:04:24,040
An account with no travel history
83
00:04:24,040 –> 00:04:31,560
shows medium-risk sign-ins at 0214, 0352, and 0510 UTC.
84
00:04:31,560 –> 00:04:35,240
Each required MFA; all passed.
85
00:04:35,240 –> 00:04:38,000
The next morning SharePoint shows a new sync client
86
00:04:38,000 –> 00:04:38,920
registration.
87
00:04:38,920 –> 00:04:40,240
No alert fired.
88
00:04:40,240 –> 00:04:41,920
The evidence chain started here.
89
00:04:41,920 –> 00:04:44,440
Identity friction, then foothold.
90
00:04:44,440 –> 00:04:46,760
How to make it stick operationally.
91
00:04:46,760 –> 00:04:51,520
Alert on risky sign-in count per user in seven days
92
00:04:51,520 –> 00:04:53,920
with distinct client IP ranges.
93
00:04:53,920 –> 00:04:56,000
Alert when a workload identity suddenly
94
00:04:56,000 –> 00:05:00,400
authenticates from public IP space or gains API permissions.
95
00:05:00,400 –> 00:05:01,960
it never used.
96
00:05:01,960 –> 00:05:03,040
Quarantine logic.
97
00:05:03,040 –> 00:05:05,720
If risk is high and token anomaly
98
00:05:05,720 –> 00:05:09,320
present, force sign-out and require password reset.
99
00:05:09,320 –> 00:05:12,640
If repeated medium risk aligns with new device registration,
100
00:05:12,640 –> 00:05:14,760
flag for human review.
101
00:05:14,760 –> 00:05:17,880
Retention realities demand discipline.
102
00:05:17,880 –> 00:05:22,520
Export risky sign-ins weekly to preserve beyond 30 days
103
00:05:22,520 –> 00:05:26,800
and store risk detections for at least 180 days in your SIEM.
104
00:05:26,800 –> 00:05:28,600
The lesson is simple.
105
00:05:28,600 –> 00:05:31,080
If you can’t replay the first 12 hours,
106
00:05:31,080 –> 00:05:33,840
you can’t prove intent or sequence.
107
00:05:33,840 –> 00:05:35,320
Here’s what most people miss.
108
00:05:35,320 –> 00:05:37,760
Identities authenticate first.
109
00:05:37,760 –> 00:05:41,120
Lateral movement starts after the door opens.
110
00:05:41,120 –> 00:05:44,240
The sign-in narrative is the prologue, not the story.
111
00:05:44,240 –> 00:05:48,360
With the verifier verified, the next step is to trace movement.
112
00:05:48,360 –> 00:05:51,760
The unified ledger will show where the access went,
113
00:05:51,760 –> 00:05:55,560
how privileges shifted, and when the data began to pool.
114
00:05:55,560 –> 00:05:58,720
The unified audit log: trace lateral movement
115
00:05:58,720 –> 00:06:00,160
across workloads.
116
00:06:00,160 –> 00:06:01,520
The door opened.
117
00:06:01,520 –> 00:06:03,560
Now the movement begins.
118
00:06:03,560 –> 00:06:05,880
The unified audit log is the ledger.
119
00:06:05,880 –> 00:06:09,160
One place where Exchange, SharePoint, OneDrive,
120
00:06:09,160 –> 00:06:12,720
Teams, and admin actions write their traces.
121
00:06:12,720 –> 00:06:15,160
In this environment, nothing is accidental.
122
00:06:15,160 –> 00:06:17,680
Every escalation, every permission tweak,
123
00:06:17,680 –> 00:06:21,480
every quiet mailbox peek leaves residue here.
124
00:06:21,480 –> 00:06:23,680
If Entra told us who got in and why,
125
00:06:23,680 –> 00:06:27,000
the UAL tells us where they went and what changed.
126
00:06:27,000 –> 00:06:28,920
Why this matters is simple.
127
00:06:28,920 –> 00:06:33,400
Lateral movement in M365 is cross-service by design.
128
00:06:33,400 –> 00:06:35,320
Attackers don’t stay in one workload.
129
00:06:35,320 –> 00:06:36,240
They pivot.
130
00:06:36,240 –> 00:06:37,800
They add a forwarding rule.
131
00:06:37,800 –> 00:06:39,920
They grant a SharePoint group edit rights.
132
00:06:39,920 –> 00:06:43,280
They enable a new sync client and they generate sharing links
133
00:06:43,280 –> 00:06:45,840
that bypass normal access paths.
134
00:06:45,840 –> 00:06:48,200
If you only watch one pane, you miss the sequence.
135
00:06:48,200 –> 00:06:49,840
The UAL stitches it.
136
00:06:49,840 –> 00:06:51,640
Here’s what most people miss.
137
00:06:51,640 –> 00:06:55,520
Critical events cluster before exfiltration.
138
00:06:55,520 –> 00:06:59,280
Privilege changes, mailbox access by non-owners,
139
00:06:59,280 –> 00:07:02,360
and SharePoint site permission edits in a narrow window
140
00:07:02,360 –> 00:07:03,720
are the tell.
141
00:07:03,720 –> 00:07:06,600
A mail forwarding rule to an external domain
142
00:07:06,600 –> 00:07:08,480
isn’t just a mail event.
143
00:07:08,480 –> 00:07:11,040
It’s an early warning that someone wants data
144
00:07:11,040 –> 00:07:13,080
to leave the tenant reliably.
145
00:07:13,080 –> 00:07:16,040
Pair that with a sudden burst of SharePoint file
146
00:07:16,040 –> 00:07:20,600
downloaded and file access events and you have staging.
147
00:07:20,600 –> 00:07:22,680
OK, so basically you need three lenses,
148
00:07:22,680 –> 00:07:25,280
identity, privilege, and data movement.
149
00:07:25,280 –> 00:07:27,560
The identity lens keeps user ID,
150
00:07:27,560 –> 00:07:29,680
app ID, and client IP consistent.
151
00:07:29,680 –> 00:07:32,520
The privilege lens watches for Add-MailboxPermission,
152
00:07:32,520 –> 00:07:36,720
Set-Mailbox, Add-UnifiedGroupLinks, and role assignments.
153
00:07:36,720 –> 00:07:40,680
The data lens tracks file downloaded, file sync added,
154
00:07:40,680 –> 00:07:43,760
sharing link created, and access requests.
155
00:07:43,760 –> 00:07:46,920
The simple version is when privilege and data lenses
156
00:07:46,920 –> 00:07:51,280
spike together, that’s not collaboration, it’s preparation.
157
00:07:51,280 –> 00:07:55,040
The evidence suggests data staging has distinct signals.
158
00:07:55,040 –> 00:07:57,640
Mass downloads rarely look like a single endpoint
159
00:07:57,640 –> 00:07:58,920
pulling one folder.
160
00:07:58,920 –> 00:08:01,320
They arrive as parallel fetches from SharePoint
161
00:08:01,320 –> 00:08:05,120
and OneDrive plus the quiet enabling of sync on a new device.
162
00:08:05,120 –> 00:08:08,360
Unusual creation of anonymous or company-wide sharing
163
00:08:08,360 –> 00:08:11,560
links appears when direct access would be noisy.
164
00:08:11,560 –> 00:08:14,760
And in Exchange, rules that auto-forward, redirect,
165
00:08:14,760 –> 00:08:18,480
or BCC outbound mail surface just before the cutover.
166
00:08:18,480 –> 00:08:20,720
To trace the artifacts: session IDs.
167
00:08:20,720 –> 00:08:23,600
UAL doesn’t hand you a session ID, so build one.
168
00:08:23,600 –> 00:08:28,240
User ID plus client IP plus app ID within a 30- to 45-minute window
169
00:08:28,240 –> 00:08:29,800
is a workable surrogate.
170
00:08:29,800 –> 00:08:34,560
Join adjacent events to build a path, permission change,
171
00:08:34,560 –> 00:08:41,080
access burst, sharing link creation, external forwarding.
172
00:08:41,080 –> 00:08:43,480
Dedupe repetitive low-value noise
173
00:08:43,480 –> 00:08:47,120
like repeated heartbeat actions and keep the high-entropy
174
00:08:47,120 –> 00:08:48,000
changes.
175
00:08:48,000 –> 00:08:49,920
Here’s the counter-intuitive part.
176
00:08:49,920 –> 00:08:53,680
Mass download by count alone is a weak detector.
177
00:08:53,680 –> 00:08:55,640
People sync libraries.
178
00:08:55,640 –> 00:08:58,200
Instead, detect deltas.
179
00:08:58,200 –> 00:09:01,240
A user who normally reads 20 files per day suddenly
180
00:09:01,240 –> 00:09:05,480
touches 800 unique items across two sites in 30 minutes.
181
00:09:05,480 –> 00:09:08,640
And within that same window, a new sync relationship
182
00:09:08,640 –> 00:09:09,960
is established.
183
00:09:09,960 –> 00:09:11,760
In other words, change from baseline
184
00:09:11,760 –> 00:09:16,040
plus new capability is the indicator, not raw volume.
185
00:09:16,040 –> 00:09:19,360
Kill chain reconstruction in the UAL works like this.
186
00:09:19,360 –> 00:09:23,200
Correlate Set-InboxRule or New-InboxRule
187
00:09:23,200 –> 00:09:26,480
that forwards to an external domain with SharePoint file
188
00:09:26,480 –> 00:09:30,040
downloaded spikes within the same user session window.
189
00:09:30,040 –> 00:09:32,160
If you also see sharing link created
190
00:09:32,160 –> 00:09:36,920
with scope “anyone” or “organization” for sensitive libraries,
191
00:09:36,920 –> 00:09:40,360
you have both a primary and a fallback exfil route.
192
00:09:40,360 –> 00:09:43,640
Add admin operations, add role group member,
193
00:09:43,640 –> 00:09:46,360
or site collection admin changes,
194
00:09:46,360 –> 00:09:48,960
and you can date the escalation that enabled it.
195
00:09:48,960 –> 00:09:52,120
Licensing and retention influence what you can prove.
196
00:09:52,120 –> 00:09:56,280
E3 gives you the core with many premium events now available,
197
00:09:56,280 –> 00:10:00,160
but Purview Audit Premium adds high-value events
198
00:10:00,160 –> 00:10:01,680
and longer look back.
199
00:10:01,680 –> 00:10:05,320
10-year retention exists, but only if you configure it
200
00:10:05,320 –> 00:10:07,840
and export or archive properly.
201
00:10:07,840 –> 00:10:12,840
Gaps happen, ingestion delays, throttling, API back-offs,
202
00:10:12,840 –> 00:10:14,480
so build an export strategy.
203
00:10:14,480 –> 00:10:17,600
Stream UAL via the Management Activity API
204
00:10:17,600 –> 00:10:21,040
to a workspace you control, then normalize fields,
205
00:10:21,040 –> 00:10:23,840
so joins are consistent later.
206
00:10:23,840 –> 00:10:26,640
Practical mechanics matter.
207
00:10:26,640 –> 00:10:30,160
The Management Activity API delivers content blobs
208
00:10:30,160 –> 00:10:35,160
by record type: Exchange, SharePoint, Azure AD, DLP.
209
00:10:35,160 –> 00:10:40,120
Normalize timestamps to UTC and index by user ID,
210
00:10:40,120 –> 00:10:45,120
client IP, source file name, object ID, and operation.
211
00:10:45,120 –> 00:10:49,160
For KQL and Sentinel, shape events into sessions
212
00:10:49,160 –> 00:10:51,120
and compute per-session unique file count,
213
00:10:51,120 –> 00:10:54,240
unique site count, and privilege change flags.
214
00:10:54,240 –> 00:10:57,200
Dedupe noisy operations by hashing on operation
215
00:10:57,200 –> 00:11:00,120
plus object ID plus five-minute bucket.
216
00:11:00,120 –> 00:11:02,640
A micro story from a routine investigation,
217
00:11:02,640 –> 00:11:06,280
no malware alerts, but the UAL showed Set-Mailbox
218
00:11:06,280 –> 00:11:09,360
to enable forwarding to a customer mailbox at outlook.com
219
00:11:09,360 –> 00:11:12,720
at 0912. At 0918, sharing link
220
00:11:12,720 –> 00:11:17,240
created for a finance library with scope organization.
221
00:11:17,240 –> 00:11:21,520
At 0923, file sync added on a device never seen before.
222
00:11:21,520 –> 00:11:25,200
From 0924 to 0936, 100 unique
223
00:11:25,200 –> 00:11:28,320
file downloaded events across finance and HR sites,
224
00:11:28,320 –> 00:11:29,800
no DLP triggers.
225
00:11:29,800 –> 00:11:32,000
The ledger told the story end to end.
226
00:11:32,000 –> 00:11:35,280
Alert logic should reflect chain patterns,
227
00:11:35,280 –> 00:11:37,760
not single events.
228
00:11:37,760 –> 00:11:41,280
If New-InboxRule or Set-Mailbox forwarding
229
00:11:41,280 –> 00:11:43,400
to an external domain occurs,
230
00:11:43,400 –> 00:11:47,640
and within 60 minutes, the same user ID shows SharePoint file
231
00:11:47,640 –> 00:11:52,400
downloaded rate above the 95th percentile, raise high severity.
232
00:11:52,400 –> 00:11:55,800
If sharing link created scope widens on a sensitive site
233
00:11:55,800 –> 00:11:59,000
and a new sync relationship appears within 30 minutes,
234
00:11:59,000 –> 00:12:03,080
escalate to investigation even without high file counts.
235
00:12:03,080 –> 00:12:05,320
If ads, buzzer, or role assignments,
236
00:12:05,320 –> 00:12:08,520
expand site admin rights followed by access surges,
237
00:12:08,520 –> 00:12:09,760
trigger immediate review.
238
00:12:09,760 –> 00:12:12,520
For defensibility and scale, build suppression windows
239
00:12:12,520 –> 00:12:15,280
so you don’t page on legitimate migrations.
240
00:12:15,280 –> 00:12:17,840
Tag sanctioned jobs by service principal ID
241
00:12:17,840 –> 00:12:20,520
or by an allow list of admin actors,
242
00:12:20,520 –> 00:12:24,080
and require change tickets to carry a correlation tag
243
00:12:24,080 –> 00:12:27,000
in the audit’s additional details field.
244
00:12:27,000 –> 00:12:30,280
If absent, treat spikes as suspicious.
245
00:12:30,280 –> 00:12:34,120
Retention and licensing aside, the key is correlation.
246
00:12:34,120 –> 00:12:38,920
The UAL is the cross workload ledger, use it to prove the path.
247
00:12:38,920 –> 00:12:40,640
When evidence is coherent,
248
00:12:40,640 –> 00:12:44,960
privileges expanded, access spiked, egress channels primed,
249
00:12:44,960 –> 00:12:47,600
you can move from suspicion to fact.
250
00:12:47,600 –> 00:12:50,000
And when the ledger goes quiet right before a spike,
251
00:12:50,000 –> 00:12:53,480
that silence is evidence too, often someone dimmed the lights.
252
00:12:53,480 –> 00:12:57,800
That’s where Purview policy tampering becomes the next pivot.
253
00:12:57,800 –> 00:13:02,560
Purview retention and policy tampering: when the lights go out.
254
00:13:02,560 –> 00:13:05,920
The ledger shows movement, then the trace thins.
255
00:13:05,920 –> 00:13:08,040
When exfiltration is imminent,
256
00:13:08,040 –> 00:13:10,120
attackers don’t just move fast,
257
00:13:10,120 –> 00:13:11,800
they dim the room.
258
00:13:11,800 –> 00:13:14,320
Purview is where they reach for the switch.
259
00:13:14,320 –> 00:13:16,840
Retention policies, label publishing,
260
00:13:16,840 –> 00:13:20,480
and audit configuration edits are the quiet controls
261
00:13:20,480 –> 00:13:24,280
that decide whether evidence survives long enough to matter.
262
00:13:24,280 –> 00:13:27,840
If Entra proves entry, and the UAL shows motion,
263
00:13:27,840 –> 00:13:31,600
Purview changes explain why the record suddenly goes vague.
264
00:13:31,600 –> 00:13:33,720
Why this matters is simple.
265
00:13:33,720 –> 00:13:36,840
Disabling or weakening retention is the classic cover-
266
00:13:36,840 –> 00:13:38,600
your-tracks move.
267
00:13:38,600 –> 00:13:42,920
Zero Trust assumes breach, but defensibility assumes immutable evidence.
268
00:13:42,920 –> 00:13:46,320
When retention shifts to retain none,
269
00:13:46,320 –> 00:13:50,960
when label policies stop applying to the sensitive sites under pressure,
270
00:13:50,960 –> 00:13:54,480
or when audit settings toggle, the storyline breaks.
271
00:13:54,480 –> 00:13:58,560
In a forensic case, broken timelines aren’t a nuisance, they’re the point.
272
00:13:58,560 –> 00:14:00,200
What to track is precise.
273
00:14:00,200 –> 00:14:03,000
Three families of edits are high value.
274
00:14:03,000 –> 00:14:05,880
Retention policy changes: creation, scope edits,
275
00:14:05,880 –> 00:14:08,880
mode switches (retain, retain none),
276
00:14:08,880 –> 00:14:10,280
deletion.
277
00:14:10,280 –> 00:14:14,880
Audit configuration changes: starting or stopping audit recording,
278
00:14:14,880 –> 00:14:17,360
audit log retention window changes,
279
00:14:17,360 –> 00:14:20,040
export connector adjustments.
280
00:14:20,040 –> 00:14:24,920
Label and policy publishing: sensitivity label modifications,
281
00:14:24,920 –> 00:14:28,720
auto-labeling rules, changes to which SharePoint sites
282
00:14:28,720 –> 00:14:30,760
or Exchange locations are in scope.
283
00:14:30,760 –> 00:14:33,360
Okay, so basically treat every policy edit
284
00:14:33,360 –> 00:14:37,240
as a potential precursor or accomplice to data movement.
285
00:14:37,240 –> 00:14:43,680
The evidence suggests that edits cluster before or within hours of access spikes.
286
00:14:43,680 –> 00:14:47,840
The simple version is privilege expands, data flows,
287
00:14:47,840 –> 00:14:51,840
then someone trims retention to erase the trail.
288
00:14:51,840 –> 00:14:56,320
To trace the artifacts, align three timestamps in one view,
289
00:14:56,320 –> 00:15:00,120
who changed what policy (actor, object),
290
00:15:00,120 –> 00:15:05,200
the exact scope after change (included locations, excluded sites, mode),
291
00:15:05,200 –> 00:15:09,920
and the adjacent UAL burst from the same department site or owner.
292
00:15:09,920 –> 00:15:13,400
Upon closer examination, alignment beats coincidence.
293
00:15:13,400 –> 00:15:19,680
When a finance retention policy loses the HR site two hours before that site records a mass download,
294
00:15:19,680 –> 00:15:22,360
it’s not hygiene, it’s staging.
295
00:15:22,360 –> 00:15:25,840
Alert patterns should be narrow and loud.
296
00:15:25,840 –> 00:15:31,080
Any retention policy set to “do not retain” on locations previously covered,
297
00:15:31,080 –> 00:15:33,760
raise high severity immediately.
298
00:15:33,760 –> 00:15:39,520
Disabling Purview audit recording or reducing audit retention within seven days of privilege escalations,
299
00:15:39,520 –> 00:15:41,080
escalate to incident.
300
00:15:41,080 –> 00:15:47,840
Sensitivity label policy narrowing scope on sensitive sites within 24 hours of sharing link
301
00:15:47,840 –> 00:15:50,320
created spikes, investigate.
302
00:15:50,320 –> 00:15:56,200
The counter-intuitive part: policy tampering often arrives via legitimate channels.
303
00:15:56,200 –> 00:16:00,560
A global admin toggles settings; the change looks like maintenance.
304
00:16:00,560 –> 00:16:07,240
Therefore, require dual control on retention edits and log the request identifier inside additional details,
305
00:16:07,240 –> 00:16:09,120
no change ticket ID, no change.
306
00:16:09,120 –> 00:16:11,560
In this environment, nothing is accidental.
307
00:16:11,560 –> 00:16:16,800
Operationally, build a policy change ledger with join keys
308
00:16:16,800 –> 00:16:20,040
you can prove later: normalize actor
309
00:16:20,040 –> 00:16:24,520
UPN, correlation ID, and client IP.
310
00:16:24,520 –> 00:16:33,800
Capture before and after snapshots of policy JSON; don’t store diffs only.
311
00:16:33,800 –> 00:16:36,200
Stamp a change
312
00:16:36,200 –> 00:16:43,440
intent field (maintenance, migration, incident, emergency) with a mandatory value.
313
00:16:43,440 –> 00:16:52,680
A micro story from a routine case: at 1104, an admin reduced audit retention from 180 to 30 days.
314
00:16:52,680 –> 00:16:57,920
At 1118, sensitivity label lost auto-apply on three high-value sites.
315
00:16:57,920 –> 00:17:03,080
By 1202, file sync added and file downloaded surged across those sites.
316
00:17:03,080 –> 00:17:07,000
No DLP alarms, no errors, just less light.
317
00:17:07,000 –> 00:17:11,400
The policy edits weren’t noise, they were the setup.
318
00:17:11,400 –> 00:17:20,120
Compliance posture depends on immutable logs. Purview Audit Premium helps with richer events and longer retention,
319
00:17:20,120 –> 00:17:22,840
but only if configured.
320
00:17:22,840 –> 00:17:31,040
Export policy change events to a controlled store with write-once semantics and mirror them to a secondary region for resilience.
321
00:17:31,040 –> 00:17:33,160
Assign accountable owners.
322
00:17:33,160 –> 00:17:37,640
One team can propose, a second approves, a third observes.
323
00:17:37,640 –> 00:17:39,600
The lesson is clinical.
324
00:17:39,600 –> 00:17:44,320
If the light switch is in reach of the suspect, your evidence is negotiable.
325
00:17:44,320 –> 00:17:50,560
Still, when the room dims, one surface can glow brighter than expected: Copilot’s interactions.
326
00:17:50,560 –> 00:17:58,320
If data aggregation happens by AI, the footprints are different: summaries, source references, and cross-site touches.
327
00:17:58,320 –> 00:18:04,120
If those are logged, they’ll outline what text made it into the prompt and which files fed the answer.
328
00:18:04,120 –> 00:18:08,280
If they aren’t, we name the gap and compensate elsewhere.
329
00:18:08,280 –> 00:18:12,360
Copilot interaction logs: AI as an exfil multiplier.
330
00:18:12,360 –> 00:18:14,880
When the room dims, Copilot can still see.
331
00:18:14,880 –> 00:18:16,160
That’s why it matters.
332
00:18:16,160 –> 00:18:21,040
Copilot aggregates across SharePoint and OneDrive at conversational speed,
333
00:18:21,040 –> 00:18:26,720
summarizing, comparing, and extracting patterns humans would need hours to compile.
334
00:18:26,720 –> 00:18:29,520
If it touches a file to answer a prompt, that’s access.
335
00:18:29,520 –> 00:18:33,600
If that access isn’t logged, your Zero Trust narrative fractures.
336
00:18:33,600 –> 00:18:37,200
Post-August 2024, the audit surface improved.
337
00:18:37,200 –> 00:18:42,480
Copilot interaction events now reference which service hosted the content when the model fetched it
338
00:18:42,480 –> 00:18:46,240
and pointers to the underlying files used to construct the answer.
339
00:18:46,240 –> 00:18:50,360
Before that fix, some interactions left little or no trace.
340
00:18:50,360 –> 00:18:54,880
Organizations must treat that period as a blind spot in their evidence chain.
341
00:18:54,880 –> 00:19:00,120
The timelines revealed that exfil by summary looked like ordinary collaboration
342
00:19:00,120 –> 00:19:03,040
unless you could tie the response back to file reads.
343
00:19:03,040 –> 00:19:10,480
Okay, so basically treat Copilot like a high-speed research assistant whose bibliography is your evidence.
344
00:19:10,480 –> 00:19:17,000
The Copilot schema in the Management Activity API links an interaction to content sources,
345
00:19:17,000 –> 00:19:22,640
SharePoint sites, OneDrive paths, message threads, and captures the user,
346
00:19:22,640 –> 00:19:28,680
the app surface (Edge, Word, Teams, M365), and the interaction time.
347
00:19:28,680 –> 00:19:35,400
The simple version is, if Copilot’s answer required reading five libraries across finance and HR,
348
00:19:35,400 –> 00:19:41,480
those reads are auditable and should align with UAL file access and file downloaded events.
349
00:19:41,480 –> 00:19:43,080
Here’s what most people miss.
350
00:19:43,080 –> 00:19:45,920
Prompts can be broad and still look benign.
351
00:19:45,920 –> 00:19:52,240
“Summarize last quarter’s vendor disputes across finance and HR” invites cross-site traversal.
352
00:19:52,240 –> 00:20:01,000
If the same user then exports the summary or copies the output into an external channel, Copilot became a multiplier.
353
00:20:01,000 –> 00:20:04,400
The evidence suggests three high-risk behaviors.
354
00:20:04,400 –> 00:20:11,760
Unusually broad prompts that span business units, cross-site summaries followed by concentrated file touches,
355
00:20:11,760 –> 00:20:16,160
and export-like actions immediately after an answer appears.
356
00:20:16,160 –> 00:20:18,880
To trace the artifacts, sessionize around the interaction.
357
00:20:18,880 –> 00:20:23,000
Build a 15- to 30-minute window keyed on user ID, app ID, and client IP.
358
00:20:23,000 –> 00:20:33,840
Within that window, join Copilot interaction events to UAL operations: file access, file previewed, and file downloaded.
359
00:20:33,840 –> 00:20:42,000
You’re looking for a pattern: prompt, surge of reads across multiple sensitive sites, downstream action,
360
00:20:42,000 –> 00:20:45,520
export, email forwarding, external share.
361
00:20:45,520 –> 00:20:51,760
Upon closer examination, the burst of reads often includes files the user has never accessed before.
362
00:20:51,760 –> 00:20:53,360
Novelty is a strong signal.
363
00:20:53,360 –> 00:20:55,440
Mitigations rely on scope and friction.
364
00:20:55,440 –> 00:20:58,200
Least privilege data access isn’t optional.
365
00:20:58,200 –> 00:21:00,840
Copilot only sees what the user sees.
366
00:21:00,840 –> 00:21:06,920
Harden your information architecture: sensitivity labels that actually gate access,
367
00:21:06,920 –> 00:21:08,760
not just watermark.
368
00:21:08,760 –> 00:21:16,040
Use conditional access to restrict AI apps from risky sign-in contexts or unmanaged devices.
369
00:21:16,040 –> 00:21:19,000
Align DLP with AI outputs.
370
00:21:19,000 –> 00:21:25,200
Treat Copilot responses as content that can trigger policies, not just the source files.
371
00:21:25,200 –> 00:21:28,120
Alert logic should be compound, not atomic.
372
00:21:28,120 –> 00:21:34,960
If a Copilot interaction references more than n distinct sites classified as sensitive within 20 minutes,
373
00:21:34,960 –> 00:21:41,480
and the same session shows UAL reads from those sites, raise medium severity.
374
00:21:41,480 –> 00:21:47,800
If a Copilot interaction is followed within 10 minutes by sharing link created with scope organization
375
00:21:47,800 –> 00:21:51,680
or anyone for any referenced file, escalate to high.
376
00:21:51,680 –> 00:21:58,360
If a user with repeated medium-risk sign-ins initiates Copilot interactions touching files
377
00:21:58,360 –> 00:22:00,560
they’ve never accessed in 90 days,
378
00:22:00,560 –> 00:22:01,880
open a case.
379
00:22:01,880 –> 00:22:07,920
The counter-intuitive part: Copilot itself isn’t the leak, the export is.
380
00:22:07,920 –> 00:22:15,920
Monitor the egress channels tied to AI outputs: pastes into external chats, downloads of generated documents,
381
00:22:15,920 –> 00:22:23,000
e-mail to external domains. The linkage is the proof: Copilot interaction ID, referenced files,
382
00:22:23,000 –> 00:22:25,760
new artifact created or sent.
383
00:22:25,760 –> 00:22:31,680
In other words, the summary was the staging, the send was the theft. Operational practices matter:
384
00:22:31,680 –> 00:22:37,320
tag sensitive repositories clearly so Copilot source references map to risk tiers,
385
00:22:37,320 –> 00:22:47,280
built KQL that aggregates co-pilot, interaction by user-eyed and counts distinct site UAL’s referenced procession,
386
00:22:47,280 –> 00:22:51,480
joins to UAL to count unique object-eyed reads in that session.
387
00:22:51,480 –> 00:22:57,320
Flag’s novelty rate, percentage of files first seen for that user in 180 days.
388
00:22:57,320 –> 00:23:06,760
A micro-story from a quiet case: 0841, Copilot interaction in Teams, broad prompt spanning Finance and HR disputes,
389
00:23:06,760 –> 00:23:10,680
0842 to 0846, 420
390
00:23:10,680 –> 00:23:17,760
file accessed events across two Finance libraries and one HR site, user had no prior history with 90% of them,
391
00:23:17,760 –> 00:23:22,080
0847, a new Word doc created with extracted bullet points,
392
00:23:22,080 –> 00:23:31,640
0849, sharing link created with scope Organization on that doc, 0852, email sent externally with the doc attached,
393
00:23:31,640 –> 00:23:39,200
no DLP hit on the source files; the generated file slipped past profile-based rules.
394
00:23:39,200 –> 00:23:47,480
The interaction log was the hinge; without it, the narrative looks like unrelated reads and a normal email.
395
00:23:47,480 –> 00:23:53,440
In the end, Copilot is an amplifier: with clean logs it’s a transparent amplifier, without them it’s a silent one.
396
00:23:53,440 –> 00:23:59,920
Tie the interaction to the reads and the egress, and the multiplier becomes measurable and stoppable.
397
00:23:59,920 –> 00:24:05,920
The case: reconstructing a quiet data exfiltration. It started with an ordinary identity,
398
00:24:05,920 –> 00:24:11,600
one mailbox, one workstation, a predictable schedule. The anomaly arrived quietly:
399
00:24:11,600 –> 00:24:23,680
three medium-risk sign-ins spread over a week, each requiring MFA, each successful, no device non-compliance, no malware, just friction, then passage.
400
00:24:23,680 –> 00:24:27,000
The evidence suggests the door opened and stayed ajar.
401
00:24:27,000 –> 00:24:35,800
Day 1, 0214 UTC, Entra flags unfamiliar sign-in properties from an ASN the user has never touched,
402
00:24:35,800 –> 00:24:40,280
Conditional Access requires MFA, success.
403
00:24:40,280 –> 00:24:47,720
Nothing else. Day 3, 0352, different IP range, same city profile, same medium risk,
404
00:24:47,720 –> 00:24:55,320
another successful MFA. Day 6, 0510, a third ASN, still medium-risk, still allowed. The pattern matters:
405
00:24:55,320 –> 00:25:01,560
repetition with variation, new networks, same user, consistent allow.
406
00:25:01,560 –> 00:25:07,600
Upon closer examination, that sequence is how an attacker builds confidence,
407
00:25:07,600 –> 00:25:10,880
that enforcement can be satisfied on demand.
408
00:25:10,880 –> 00:25:12,360
The ledger picks up the trail.
409
00:25:12,360 –> 00:25:18,840
At 0742 on day 6, the UAL records a device sync client registration for OneDrive,
410
00:25:18,840 –> 00:25:23,160
file sync added on a machine never seen in the tenant for this user.
411
00:25:23,160 –> 00:25:29,600
Six minutes later, sharing link created across two SharePoint sites, Finance and HR,
412
00:25:29,600 –> 00:25:32,200
scopes widened to Organization.
413
00:25:32,200 –> 00:25:40,720
Within the next 12 minutes, file downloaded and file accessed spike: 1,100 unique items,
414
00:25:40,720 –> 00:25:47,200
parallelized across libraries with access patterns that don’t resemble normal search or browsing.
415
00:25:47,200 –> 00:25:52,200
Still no DLP trigger. The evidence suggests staging, not collaboration.
416
00:25:52,200 –> 00:25:53,960
Here’s what most people miss.
417
00:25:53,960 –> 00:25:57,080
Privilege adjustments hid in plain sight.
418
00:25:57,080 –> 00:26:05,280
At 0758, Add SP User adds the user to a site group with edit rights on the Finance site.
419
00:26:05,280 –> 00:26:11,320
The actor appears to be a delegated admin account, with a legitimate service principal history,
420
00:26:11,320 –> 00:26:14,720
but the timing doesn’t align with any approved change ticket.
421
00:26:14,720 –> 00:26:19,240
The counter-intuitive part is that the privilege change wasn’t maximal, it was just enough
422
00:26:19,240 –> 00:26:22,160
to remove friction from sync and link creation.
423
00:26:22,160 –> 00:26:23,840
Least change, greatest effect.
424
00:26:23,840 –> 00:26:26,520
Email provides an egress contour.
425
00:26:26,520 –> 00:26:32,200
At 0803, Set-InboxRule enables forwarding of all mail with “report” or “statement” in the subject
426
00:26:32,200 –> 00:26:37,880
to a consumer domain. It’s scoped, not global, subtle enough to evade coarse alerts.
427
00:26:37,880 –> 00:26:43,160
A low volume trickle begins, but it’s not the main channel, it’s a contingency.
428
00:26:43,160 –> 00:26:45,440
Purview shifts explain the dimming.
429
00:26:45,440 –> 00:26:51,000
At 0921, a retention policy scoped to Finance reduces coverage.
430
00:26:51,000 –> 00:26:55,160
One HR site is excluded temporarily for migration.
431
00:26:55,160 –> 00:26:58,880
The additional details field lacks a change ticket ID.
432
00:26:58,880 –> 00:27:03,400
19 minutes later, the Finance policy toggles from retain to retain none for temporary
433
00:27:03,400 –> 00:27:06,800
cleanup applied to a subset of libraries.
434
00:27:06,800 –> 00:27:12,040
No audit recording change yet; just the survivability of content altered.
435
00:27:12,040 –> 00:27:15,040
The timelines reveal the correlation.
436
00:27:15,040 –> 00:27:18,600
Policy reduction precedes the heaviest access bursts.
437
00:27:18,600 –> 00:27:27,320
Copilot ties the aggregation. At 0949, a Copilot interaction in Teams, a broad prompt:
438
00:27:27,320 –> 00:27:32,880
“Summarize vendor disputes and payout variances across Finance and HR for Q2.”
439
00:27:32,880 –> 00:27:38,240
From 0949 to 0955, the interaction references three sensitive sites.
440
00:27:38,240 –> 00:27:40,200
UAL mirrors the surge.
441
00:27:40,200 –> 00:27:43,840
File accessed across libraries where the user has minimal history.
442
00:27:43,840 –> 00:27:49,320
At 0957, a new Word document appears, extracted bullets and totals.
443
00:27:49,320 –> 00:27:52,920
At 1000, sharing link created with scope Organization on that doc.
444
00:27:52,920 –> 00:27:56,680
At 1003, an email to an external address carries the attachment.
445
00:27:56,680 –> 00:27:58,240
No DLP hit.
446
00:27:58,240 –> 00:28:02,720
The generated document didn’t match the legacy policy fingerprint.
447
00:28:02,720 –> 00:28:06,080
The pivot that exposed data staging wasn’t the file count.
448
00:28:06,080 –> 00:28:07,520
It was the pairing.
449
00:28:07,520 –> 00:28:12,520
New sync relationship plus widened sharing links within the same session window.
450
00:28:12,520 –> 00:28:18,200
Every time that duo appears alongside a novelty spike, files the user has never touched,
451
00:28:18,200 –> 00:28:20,960
it predicts exfiltration within the hour.
452
00:28:20,960 –> 00:28:23,000
In this environment, nothing is accidental.
453
00:28:23,000 –> 00:28:26,040
The reconstructed timeline is clinical.
454
00:28:26,040 –> 00:28:32,200
Repeated medium-risk sign-ins from diverse ASNs allowed via MFA.
455
00:28:32,200 –> 00:28:37,320
New sync client registration followed by organization-scoped sharing links.
456
00:28:37,320 –> 00:28:43,920
And forwarding rule creation in Exchange: narrow, persistent, secondary egress.
457
00:28:43,920 –> 00:28:48,040
Purview retention narrowing on involved sites.
458
00:28:48,040 –> 00:28:50,040
Change ticket absent.
459
00:28:50,040 –> 00:28:51,880
Language: temporary.
460
00:28:51,880 –> 00:28:55,200
Copilot interaction spanning Finance and HR.
461
00:28:55,200 –> 00:28:57,880
Source references to sensitive libraries.
462
00:28:57,880 –> 00:28:59,560
Burst of novel reads.
463
00:28:59,560 –> 00:29:01,560
Generated documents shared internally.
464
00:29:01,560 –> 00:29:03,080
Then sent externally.
465
00:29:03,080 –> 00:29:05,200
No DLP interception.
466
00:29:05,200 –> 00:29:06,920
Forensic conclusion:
467
00:29:06,920 –> 00:29:08,320
Identity risk set the stage.
468
00:29:08,320 –> 00:29:11,120
The UAL recorded staging behaviors.
469
00:29:11,120 –> 00:29:14,640
Purview edits attempted to weaken evidence durability.
470
00:29:14,640 –> 00:29:17,280
Copilot accelerated aggregation.
471
00:29:17,280 –> 00:29:19,520
Exchange rules provided continuity.
472
00:29:19,520 –> 00:29:23,360
Together they form a coherent exfiltration pattern.
473
00:29:23,360 –> 00:29:24,760
Low noise.
474
00:29:24,760 –> 00:29:26,960
Policy compliant on paper.
475
00:29:26,960 –> 00:29:29,480
Detectable only when the artifacts are correlated.
476
00:29:29,480 –> 00:29:31,320
The lesson extends to control.
477
00:29:31,320 –> 00:29:36,360
The detection that would have interrupted this case requires compound logic.
478
00:29:36,360 –> 00:29:39,760
Repeated medium-risk sign-ins within 7 days.
479
00:29:39,760 –> 00:29:42,560
New file sync added for the user.
480
00:29:42,560 –> 00:29:47,280
Sharing link created with widened scope on sensitive sites.
481
00:29:47,280 –> 00:29:49,560
Novelty rate above threshold.
482
00:29:49,560 –> 00:29:51,040
Optional: Copilot
483
00:29:51,040 –> 00:29:54,120
interaction touching cross-domain content.
484
00:29:54,120 –> 00:29:59,640
Any retention policy scope change on those sites inside a 2 hour window.
485
00:29:59,640 –> 00:30:01,080
Trigger a containment play.
486
00:30:01,080 –> 00:30:07,080
Force sign-out, revoke refresh tokens, block the sync app ID and lock sharing scope pending review.
487
00:30:07,080 –> 00:30:09,280
In the end the case isn’t unusual.
488
00:30:09,280 –> 00:30:15,040
It’s ordinary movement: identity, privilege, data, egress, masquerading as business.
489
00:30:15,040 –> 00:30:16,160
The artifacts are there.
490
00:30:16,160 –> 00:30:20,720
The question is whether you correlate them before the silence returns.
491
00:30:20,720 –> 00:30:23,400
Operationalizing Zero Trust evidence.
492
00:30:23,400 –> 00:30:27,200
Queries, alerts, dashboards, automation.
493
00:30:27,200 –> 00:30:39,440
Enable the data, codify the detections and wire response paths that a human can trust.
494
00:30:39,440 –> 00:30:40,960
Enablement comes first.
495
00:30:40,960 –> 00:30:44,920
Verify these are on and flowing to a workspace you control.
496
00:30:44,920 –> 00:30:47,000
Entra ID Protection:
497
00:30:47,000 –> 00:30:48,000
risk telemetry,
498
00:30:48,000 –> 00:30:49,000
risky sign-ins,
499
00:30:49,000 –> 00:30:50,000
risk detections,
500
00:30:50,000 –> 00:30:51,000
workload
501
00:30:51,000 –> 00:30:52,000
identity
502
00:30:52,000 –> 00:30:53,000
anomalies.
503
00:30:53,000 –> 00:30:54,000
Purview audit:
504
00:30:54,000 –> 00:30:55,800
unified audit log,
505
00:30:55,800 –> 00:30:58,800
with premium events where licensed.
506
00:30:58,800 –> 00:31:02,280
Set retention beyond investigation horizons.
507
00:31:02,280 –> 00:31:07,560
Copilot interaction logs via the Management Activity API Copilot schema.
508
00:31:07,560 –> 00:31:14,080
Exchange mailbox auditing and SharePoint/OneDrive workloads included in audit scope.
509
00:31:14,080 –> 00:31:16,520
Stream all of it to a consistent store.
510
00:31:16,520 –> 00:31:20,360
Microsoft Sentinel or Log Analytics for KQL.
511
00:31:20,360 –> 00:31:26,160
If you rely only on portal views, your 30 and 90 day windows will erase context mid-case.
512
00:31:26,160 –> 00:31:29,520
KQL building blocks start with sessionization.
513
00:31:29,520 –> 00:31:32,360
The ledger doesn’t hand you a session key.
514
00:31:32,360 –> 00:31:34,080
Derive one.
515
00:31:34,080 –> 00:31:40,000
Compute session key = hash(UserId + AppId + ClientIP + bin(TimeGenerated,
516
00:31:40,000 –> 00:31:41,800
30m)).
517
00:31:41,800 –> 00:31:44,120
Maintain per session key aggregates.
518
00:31:44,120 –> 00:31:50,120
unique files, unique sites, privilege change flag, sharing scope widened flag, sync enabled
519
00:31:50,120 –> 00:31:52,120
flag, novelty rate.
520
00:31:52,120 –> 00:31:56,280
Mass access deltas are not raw counts, they’re change from baseline.
521
00:31:56,280 –> 00:32:02,920
Build a per-user rolling baseline of unique files touched per 30-minute bin and flag any
522
00:32:02,920 –> 00:32:06,560
bin above P95 for that user and workload.
523
00:32:06,560 –> 00:32:08,120
Add a novelty rate:
524
00:32:08,120 –> 00:32:09,440
percentage of objects
525
00:32:09,440 –> 00:32:12,920
first seen by that user in 180 days.
526
00:32:12,920 –> 00:32:15,360
High count with high novelty is staging.
527
00:32:15,360 –> 00:32:18,840
High count with low novelty is often normal sync.
528
00:32:18,840 –> 00:32:24,320
Detection recipes must reflect the case pattern, not isolated spikes.
529
00:32:24,320 –> 00:32:28,840
Recipe one: repeated medium-risk sign-ins staging.
530
00:32:28,840 –> 00:32:29,840
Join IdentityInfo,
531
00:32:29,840 –> 00:32:32,840
summarize count(),
532
00:32:32,840 –> 00:32:35,280
dcount(ClientIP),
533
00:32:35,280 –> 00:32:36,280
make_set(
534
00:32:36,280 –> 00:32:38,960
RiskDetail) by UserId,
535
00:32:38,960 –> 00:32:42,480
bin(TimeGenerated, 7d),
536
00:32:42,480 –> 00:32:47,560
RiskLevel; where RiskLevel equals medium and count
537
00:32:47,560 –> 00:32:51,040
≥ 3 and dcount(ClientIP)
538
00:32:51,040 –> 00:32:54,640
≥ 3. Left join to any Conditional Access
539
00:32:54,640 –> 00:32:55,640
outcome,
540
00:32:55,640 –> 00:33:00,360
e.g. MFA-required successes.
541
00:33:00,360 –> 00:33:04,320
Output UserId when criteria hold.
542
00:33:04,320 –> 00:33:11,920
Recipe two: new sync plus sharing scope widened plus novelty spike.
543
00:33:11,920 –> 00:33:15,360
Identify file sync added or device sync
544
00:33:15,360 –> 00:33:19,760
registration events per user within 60 minutes.
545
00:33:19,760 –> 00:33:22,200
Check for sharing link
546
00:33:22,200 –> 00:33:26,200
created where link scope in (Organization, Anonymous).
547
00:33:26,200 –> 00:33:31,600
In the same session key: unique files above user P95 and novelty rate
548
00:33:31,600 –> 00:33:36,440
seven, raise high severity if site sensitivity is high.
549
00:33:36,440 –> 00:33:41,040
Recipe three: forwarding rule plus access burst.
550
00:33:41,040 –> 00:33:49,100
On Set-InboxRule or New-InboxRule where ForwardTo or RedirectTo external domains, within
551
00:33:49,100 –> 00:33:54,800
60 minutes in the same session key, SharePoint file downloaded
552
00:33:54,800 –> 00:34:02,120
above user P95. Elevate if the rule uses subject filters to evade volume-based alerts.
553
00:34:02,120 –> 00:34:06,800
Recipe four: Purview policy change proximity.
554
00:34:06,800 –> 00:34:14,280
Site retention policy edits where mode changed to do not retain or excluded locations increased;
555
00:34:14,280 –> 00:34:19,880
correlate to any access spike on affected locations within two hours.
556
00:34:19,880 –> 00:34:25,640
If the additional details field lacks a change ticket ID, mark as suspicious.
557
00:34:25,640 –> 00:34:32,560
Recipe five: Copilot cross-site interaction plus egress. For Copilot interaction,
558
00:34:32,560 –> 00:34:37,440
count distinct site URLs referenced in 20 minutes.
559
00:34:37,440 –> 00:34:43,720
If distinct sites exceed threshold and novelty rate is high, then check for downstream sharing link
560
00:34:43,720 –> 00:34:47,880
created or file export within 10 minutes.
561
00:34:47,880 –> 00:34:52,320
Elevate if the user has an active risky sign-in recipe hit in the past 7 days.
562
00:34:52,320 –> 00:34:57,960
Turn recipes into alert rules with clear thresholds, suppression and escalation.
563
00:34:57,960 –> 00:34:59,880
Alert thresholds:
564
00:34:59,880 –> 00:35:01,520
repeated medium risk,
565
00:35:01,520 –> 00:35:03,200
three events in
566
00:35:03,200 –> 00:35:06,600
seven days from 3-plus ASNs.
567
00:35:06,600 –> 00:35:09,960
Suppress for 48 hours after case open.
568
00:35:09,960 –> 00:35:13,240
Sync plus scope widened plus novelty:
569
00:35:13,240 –> 00:35:15,760
Any occurrence on sensitive sites.
570
00:35:15,760 –> 00:35:19,760
No suppression unless tagged change window.
571
00:35:19,760 –> 00:35:22,160
Forwarding rule plus burst:
572
00:35:22,160 –> 00:35:23,840
Any occurrence.
573
00:35:23,840 –> 00:35:26,200
Suppress for known migration tags.
574
00:35:26,200 –> 00:35:30,040
Purview:
575
00:35:30,040 –> 00:35:34,080
No suppression without dual approval ticket.
576
00:35:34,080 –> 00:35:36,560
Copilot cross-site plus egress:
577
00:35:36,560 –> 00:35:40,280
2-plus sensitive sites and downstream share or export.
578
00:35:40,280 –> 00:35:44,040
Suppress per user for 12 hours post investigation note.
579
00:35:44,040 –> 00:35:46,920
Suppression windows prevent noise during sanctioned work.
580
00:35:46,920 –> 00:35:49,840
Tag allowed operations using a service principal
581
00:35:49,840 –> 00:35:52,800
ID allow list for migration tooling,
582
00:35:52,800 –> 00:35:57,680
an additional details change ticket ID from CAB-approved changes,
583
00:35:57,680 –> 00:36:03,320
and a known admin UPN allow list for break-glass with time-bounded exceptions.
584
00:36:03,320 –> 00:36:06,800
Escalation paths need human eyes at the right moment.
585
00:36:06,800 –> 00:36:07,800
Define tiers:
586
00:36:07,800 –> 00:36:10,560
tier one, identity friction patterns,
587
00:36:10,560 –> 00:36:11,560
recipe one,
588
00:36:11,560 –> 00:36:12,560
route to identity
589
00:36:12,560 –> 00:36:13,560
SecOps,
590
00:36:13,560 –> 00:36:15,320
SLA for business hours.
591
00:36:15,320 –> 00:36:16,920
Tier two,
592
00:36:16,920 –> 00:36:18,320
data staging,
593
00:36:18,320 –> 00:36:20,520
recipes two, three, five,
594
00:36:20,520 –> 00:36:22,360
route to data protection,
595
00:36:22,360 –> 00:36:24,360
SLA one hour.
596
00:36:24,360 –> 00:36:25,360
Tier three,
597
00:36:25,360 –> 00:36:26,360
Purview tampering,
598
00:36:26,360 –> 00:36:27,360
recipe four,
599
00:36:27,360 –> 00:36:29,360
route to incident commander,
600
00:36:29,360 –> 00:36:32,600
SLA 15 minutes and auto-containment.
601
00:36:32,600 –> 00:36:35,440
Dashboards are where patterns become obvious.
602
00:36:35,440 –> 00:36:41,120
Build three Power BI tile sets sourced from your Log Analytics tables.
603
00:36:41,120 –> 00:36:43,280
Identity risk trend:
604
00:36:43,280 –> 00:36:47,640
Per user and per department counts of medium and high risk.
605
00:36:47,640 –> 00:36:56,160
Highlight users crossing the three-in-seven threshold.
606
00:36:56,160 –> 00:36:57,480
Staging hotspots:
607
00:36:57,480 –> 00:37:01,800
Map of sites with recent spikes in unique files and novelty rate.
608
00:37:01,800 –> 00:37:05,920
overlaid with sharing scope widened and sync enabled flag counts.
609
00:37:05,920 –> 00:37:09,280
Include a filter for sensitivity labels.
610
00:37:09,280 –> 00:37:11,000
Policy change heat map:
611
00:37:11,000 –> 00:37:14,840
calendar view of retention and label policy edits with impact score,
612
00:37:14,840 –> 00:37:20,760
settings touched × sensitivity, and correlation markers for adjacent access spikes.
613
00:37:20,760 –> 00:37:26,440
Add a ledger view for investigations: a timeline strip per session key
614
00:37:26,440 –> 00:37:31,800
showing icons for privilege changes, sync enablement, sharing scope,
615
00:37:31,800 –> 00:37:36,080
Copilot interactions, forwarding rules and export events.
616
00:37:36,080 –> 00:37:40,600
The analyst shouldn’t reconstruct mentally; let the timeline tell it.
617
00:37:40,600 –> 00:37:48,280
Tighten the loop. Use Sentinel playbooks (Logic Apps) for containment and notification. For
618
00:37:48,280 –> 00:37:58,080
tier two and tier three, auto-execute: Revoke-AzureADUserAllRefreshToken, invalidate sessions
619
00:37:58,080 –> 00:38:06,480
for targeted app IDs (SharePoint, OneDrive), disable new sync on the user via Graph, set external
620
00:38:06,480 –> 00:38:13,160
sharing on impacted sites to existing guests temporarily, lock down sharing scope by calling the
621
00:38:13,160 –> 00:38:19,040
SharePoint admin API to revert link scopes on affected sites, quarantine generated docs
622
00:38:19,040 –> 00:38:24,800
by applying a hold-incident sensitivity label via Graph and moving them to a secured library
623
00:38:24,800 –> 00:38:32,040
with a legal hold, create a ticket in your ITSM with the full artifact set: user ID, session
624
00:38:32,040 –> 00:38:40,240
key, queries used, affected sites, policy diff and a preservation link. Use Power Automate for
625
00:38:40,240 –> 00:38:47,280
analyst assist: when an alert fires, auto-compile a briefing, last seven days of identity
626
00:38:47,280 –> 00:38:54,600
risk, last 24 hours of UAL for the user ID, policy changes nearby and a list of novel files
627
00:38:54,600 –> 00:39:01,000
touched, delivered to a Teams incident channel. If the analyst marks benign migration, write
628
00:39:01,000 –> 00:39:07,080
back a tag into a reference list so future alerts suppress during that change window. Governance
629
00:39:07,080 –> 00:39:13,200
cements credibility. Assign log ownership: the identity telemetry owner ensures risky sign-ins
630
00:39:13,200 –> 00:39:19,400
and detections export weekly beyond native retention, the audit owner validates UAL ingestion
631
00:39:19,400 –> 00:39:27,200
completeness and reconciles ingestion gaps daily, the policy owner enforces dual control on retention
632
00:39:27,200 –> 00:39:34,040
and maintains the change ticket ID mandate, the evidence custodian manages WORM storage and secondary
633
00:39:34,040 –> 00:39:40,360
region mirroring for policy edits and alert snapshots. Define retention SLAs aligned
634
00:39:40,360 –> 00:39:47,240
to your investigative reality: 180 days minimum for risky sign-ins and detections, one year for
635
00:39:47,240 –> 00:39:54,840
UAL, 10 years for policy changes and incident evidence bundles. If licensing limits apply, export
636
00:39:54,840 –> 00:40:01,840
to your SIEM and enforce immutability at the storage layer. Finally, preservation procedures: when
637
00:40:01,840 –> 00:40:07,240
any tier two or tier three alert opens, auto-freeze the related artifacts, copy the relevant rows
638
00:40:07,240 –> 00:40:14,000
to a locked table, export the policy JSON snapshots and capture hashes of generated documents.
639
00:40:14,000 –> 00:40:19,600
In this environment nothing is accidental; your chain of custody shouldn’t be either. With
640
00:40:19,600 –> 00:40:26,440
evidence operationalized, Zero Trust stops being a promise and becomes a record. The only remaining
641
00:40:26,440 –> 00:40:33,360
step is to make the lesson explicit: Zero Trust only works when identities, actions, policy
642
00:40:33,360 –> 00:40:39,240
edits and AI access are correlated into one defensible narrative. Turn that into practice
643
00:40:39,240 –> 00:40:47,080
now: enable the four log sources, deploy the detection recipes and use the starter KQL,
644
00:40:47,080 –> 00:40:54,400
Sentinel playbooks and Power BI dashboards linked here to convert traces into response. Subscribe
645
00:40:54,400 –> 00:40:58,240
for the deeper walkthrough and grab the query pack in the next podcast.