Dec. 4, 2025

The M365 Audit Logs You're Ignoring: Why Zero Trust is a Lie Without Them

What if your Zero Trust stack is silently greenlighting a perfect data heist in Microsoft 365?
In this episode, we dissect how one “compliant” account quietly pulled 12,000 SharePoint files in 20 minutes—no malware, no DLP alerts, and all your Entra ID and conditional access policies saying “allowed.”
You’ll learn why Zero Trust without audit evidence is just policy theater, and how to turn Entra risk signals, the Unified Audit Log, Purview policy edits, and Copilot interaction logs into a single, defensible incident timeline.
We break down risky sign-ins, workload identity anomalies, mass download deltas, silent policy tampering, and AI-powered data exfiltration that looks like normal collaboration.
Discover the one log pivot that exposes data staging every time and the KQL detection recipes that connect identity, privilege, data movement, and egress into a kill chain you can actually interrupt.
If you run Microsoft 365 security, SecOps, or compliance, this is your practical guide to operationalizing Zero Trust evidence before the next “ordinary user” becomes your biggest breach.
Watch now to turn noisy logs into proof, prevention, and board-ready cyber incident narratives.

An account pulled down 12,000 SharePoint files in 20 minutes. No malware, no DLP alert, no blocked session. Zero Trust said “allowed.” In this episode, we dissect why Zero Trust without audit evidence is policy theater—and how to fix it. You’ll learn how to fuse Entra sign-in risk, the Microsoft 365 Unified Audit Log, Purview policy edits, and Copilot interactions into one coherent timeline. We finish by reconstructing a quiet exfiltration case step by step and give you concrete detection recipes, KQL ideas, and automation patterns you can deploy in your own tenant.

Opening – The Anomaly Zero Trust Can’t Explain

It starts with a warning and ends with silence:
One account downloads 12,000 SharePoint files in under 20 minutes.
No malware. No DLP alert. Conditional Access says “allowed.” The thesis: Zero Trust without audit evidence is policy theater.
Verification isn’t a checkbox; it’s a trail. In this episode, we:

  • Pull from four log sources:
    • Entra ID sign-in & risk
    • Microsoft 365 Unified Audit Log (UAL)
    • Purview retention & policy changes
    • Copilot interaction logs
  • Show the one log pivot that reliably exposes data staging
  • Reconstruct a real-style exfiltration case, end to end
  • Turn it into queries, alerts, dashboards, and automation

Section 1 – Entra ID Sign-in & Risk: Verify the Verifier

Every breach still begins with an identity. Entra’s risk signals are your earliest warning—but only if you keep them long enough and correlate them correctly. Key points:

  • Entra splits visibility:
    • Risky sign-ins: ~30-day window
    • Risk detections: often ~90 days
  • If you only review risky sign-ins, you lose early signals and can’t reconstruct the path later.

Three streams you must track together:

  1. Risky sign-ins – the attempts and outcomes
  2. Risk detections – patterns like anomalous token or AiTM
  3. Workload identity anomalies – service principals behaving like users

High-priority detections:

  • Anomalous token → session theft / replay
  • Attacker-in-the-middle → sign-in through a malicious proxy
  • Unfamiliar sign-in properties → new device / client / IP combos

The catch:

  • Conditional Access can “succeed” while the threat remains.
    • Medium-risk sign-in → prompt for MFA → success → session allowed.
    • Repeated medium risk over days correlates strongly with later data staging.

What to actually do:

  • Join sign-ins with Conditional Access evaluation so every successful auth carries:
    • UserId, AppId, IP, DeviceId, derived SessionId
    • RiskDetail, RiskLevel at event time
    • Which CA policy allowed / challenged it

Patterns to alert on:

  • Repeated medium-risk sign-ins:
    • 3+ in 7 days from distinct ASNs / IP ranges → investigation, not “business as usual”
  • Workload identities suddenly authenticating from public IPs or gaining new API permissions
  • If risk >= high and token anomalies present → force sign-out and require password reset

Retention hygiene:

  • Export risky sign-ins weekly beyond the 30-day window.
  • Keep risk detections in your SIEM for 180 days+ so you can replay the first 12 hours when it matters.
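The two alert rules above (repeated medium risk from distinct ASNs, and high risk plus an anomalous-token detection) with the sign-in joined to the Conditional Access outcome that allowed it, as an added example in Python over constructed records; this is not code from the episode. The field names (ts, user, ip, asn, risk_level, detections, ca_status, ca_policy), the policy names and the contoso.example accounts are assumptions; map them to the columns of your own sign-in export before porting the logic to KQL.

```python
"""Entra sign-in risk triage over constructed records joined with the CA outcome."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_ts(s):
    return datetime.strptime(s, FMT).replace(tzinfo=timezone.utc)


def signin(ts, user, ip, asn, risk_level, ca_status, ca_policy, *detections):
    # Simplified normalization of a sign-in event joined with its CA evaluation
    # (field names are assumptions; map them to your export's columns).
    return {"ts": ts, "user": user, "ip": ip, "asn": asn, "risk_level": risk_level,
            "detections": list(detections), "ca_status": ca_status, "ca_policy": ca_policy}


JD, AS, ML = "j.doe@contoso.example", "a.smith@contoso.example", "m.lee@contoso.example"
SIGNINS = [  # constructed sample; the three j.doe events mirror the transcript's micro-story
    signin("2025-11-30T02:14:00Z", JD, "203.0.113.7",   64500, "medium", "success", "CA02-MFA-medium-risk", "unfamiliarFeatures"),
    signin("2025-11-30T03:52:00Z", JD, "198.51.100.23", 64501, "medium", "success", "CA02-MFA-medium-risk", "unfamiliarFeatures"),
    signin("2025-11-30T05:10:00Z", JD, "192.0.2.88",    64502, "medium", "success", "CA02-MFA-medium-risk", "anonymizedIPAddress"),
    signin("2025-12-01T23:05:00Z", JD, "192.0.2.89",    64502, "medium", "failure", "CA02-MFA-medium-risk", "unfamiliarFeatures"),
    signin("2025-11-29T09:00:00Z", AS, "203.0.113.50",  64500, "medium", "success", "CA02-MFA-medium-risk", "unfamiliarFeatures"),
    signin("2025-11-30T09:05:00Z", AS, "203.0.113.50",  64500, "none",   "success", "CA01-baseline"),
    signin("2025-12-01T22:41:00Z", ML, "198.51.100.77", 64510, "high",   "success", "CA02-MFA-medium-risk", "anomalousToken"),
]


def repeated_medium_risk(signins, window=timedelta(days=7), min_count=3, min_asns=3):
    """Users with >= min_count *successful* medium-risk sign-ins inside `window`
    from >= min_asns distinct ASNs. Each one passed Conditional Access, which is
    exactly why count and network diversity, not severity, carry the signal."""
    by_user = defaultdict(list)
    for s in signins:
        if s["risk_level"] == "medium" and s["ca_status"] == "success":
            by_user[s["user"]].append(s)
    findings = {}
    for user, events in by_user.items():
        events.sort(key=lambda e: parse_ts(e["ts"]))
        for i, first in enumerate(events):               # sliding window anchored on each event
            t0 = parse_ts(first["ts"])
            cluster = [e for e in events[i:] if parse_ts(e["ts"]) - t0 <= window]
            asns = {e["asn"] for e in cluster}
            if len(cluster) >= min_count and len(asns) >= min_asns:
                findings[user] = {"count": len(cluster), "asns": sorted(asns),
                                  "first": cluster[0]["ts"], "last": cluster[-1]["ts"],
                                  "allowed_by": sorted({e["ca_policy"] for e in cluster}),
                                  "action": "open_case"}
                break
    return findings


def high_risk_token_anomaly(signins):
    """risk >= high with an anomalousToken detection: treat as session theft and
    contain (revoke sessions, reset password) rather than wait for a second event."""
    return {s["user"]: {"ts": s["ts"], "ip": s["ip"], "allowed_by": s["ca_policy"],
                        "action": "revoke_sessions_and_reset_password"}
            for s in signins if s["risk_level"] == "high" and "anomalousToken" in s["detections"]}


def triage(signins):
    return {"repeated_medium": repeated_medium_risk(signins),
            "contain": high_risk_token_anomaly(signins)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SIGNINS), indent=2))
```

The failed fourth j.doe sign-in is deliberately excluded: the rule counts only authentications that policy let through, because those are the ones that look like business as usual on a dashboard. Every finding carries the CA policy that allowed the session, so the case file answers "why was this permitted" without a second query.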

Bottom line: verify the verifier. The sign-in narrative is the prologue. The story starts when movement begins.

Section 2 – Unified Audit Log: Trace Lateral Movement Across Workloads

Once the door opens, the Unified Audit Log is your ledger. It captures cross-service movement:

  • Exchange, SharePoint, OneDrive, Teams, and admin actions in one place.

Why it matters:

  • Real attackers don’t stay in one workload. They:
    • Add mailbox forwarding rules
    • Change SharePoint permissions
    • Register new sync clients
    • Create sharing links that bypass normal paths

Three lenses to apply to the UAL:

  1. Identity lens – UserId, AppId, ClientIP, SessionKey
  2. Privilege lens – mailbox permissions, site admin changes, role assignments
  3. Data lens – FileDownloaded, FileAccessed, FileSyncAdded, SharingLinkCreated

Core idea: privilege change + data surge = staging, not collaboration.

Better than a raw “mass download” count:

  • Build per-user baselines and look for change from baseline:
    • User normally touches ~20 files per day
    • Suddenly touches 800 unique items across two sites in 30 minutes
    • Plus: new sync relationship and wider sharing links → staging, not sync

Kill chain reconstruction uses patterns like:

  • New-InboxRule / Set-InboxRule forwarding to an external address, or Set-Mailbox with an external ForwardingSmtpAddress
  • Followed by a burst of SharePoint FileDownloaded in that same session
  • Plus SharingLinkCreated with “Anyone” or “Organization” scope

Practical moves:

  • Stream the UAL via the Office 365 Management Activity API (or Sentinel’s Office 365 connector) into Log Analytics
  • Normalize by: UserId, ClientIP, Operation, ObjectId, RecordType, Timestamp
  • Build session keys (User + IP + App + 30–45 min bin) and aggregate:
    • UniqueFiles, UniqueSites, privilege-change flags, sharing-scope changes
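The session-key aggregation and the "change from baseline plus new capability" rule from this section, as an added example in Python over constructed UAL records; this is not code from the episode. Field names (ts, user, ip, workload, op, obj, site, params), the baselines, the known-device history and the contoso.example / example.net domains are assumptions. Operation names follow the show notes (FileDownloaded, FileSyncAdded, SharingLinkCreated, Set-Mailbox) and must be checked against the exact Operation values your tenant emits. The session surrogate here splits on a 30-minute inactivity gap rather than fixed bins, so a burst that straddles a bin boundary is not cut in half.

```python
"""Session-key aggregation and staging detection over constructed UAL records."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

FMT = "%Y-%m-%dT%H:%M:%SZ"
INTERNAL_DOMAINS = {"contoso.example"}                       # assumption: the tenant's own domains
PRIV_OPS = {"Add-MailboxPermission", "Add-RoleGroupMember", "SiteCollectionAdminAdded"}
FORWARD_OPS = {"Set-Mailbox", "New-InboxRule", "Set-InboxRule"}
WIDE_SCOPES = {"Anyone", "Organization"}
KNOWN_SYNC_DEVICES = {"j.doe@contoso.example": {"dev-jdoe-laptop"}}   # constructed sync history
BASELINES = {"j.doe@contoso.example": 20, "k.ng@contoso.example": 15, "p.ortiz@contoso.example": 30}


def parse_ts(s):
    return datetime.strptime(s, FMT).replace(tzinfo=timezone.utc)


def rec(ts, user, ip, workload, op, obj="", site=None, **params):
    return {"ts": ts, "user": user, "ip": ip, "workload": workload, "op": op,
            "obj": obj, "site": site, "params": params}


def downloads(user, ip, start, n, sites, step_s=6):
    """n FileDownloaded events, one every step_s seconds, round-robin over sites."""
    t0 = parse_ts(start)
    return [rec((t0 + timedelta(seconds=step_s * i)).strftime(FMT), user, ip, "SharePoint",
                "FileDownloaded", f"/sites/{sites[i % len(sites)]}/Shared Documents/doc-{i:04d}.xlsx",
                sites[i % len(sites)]) for i in range(n)]


JD, KN, PO = "j.doe@contoso.example", "k.ng@contoso.example", "p.ortiz@contoso.example"
RECORDS = (  # constructed sample modelled on the micro-story in the transcript
    [rec("2025-12-01T09:12:00Z", JD, "203.0.113.7", "Exchange", "Set-Mailbox", JD,
         ForwardingSmtpAddress="smtp:jd.archive@example.net"),
     rec("2025-12-01T09:18:00Z", JD, "203.0.113.7", "SharePoint", "SharingLinkCreated",
         "/sites/Finance/Shared Documents", "Finance", Scope="Organization"),
     rec("2025-12-01T09:23:00Z", JD, "203.0.113.7", "SharePoint", "FileSyncAdded",
         "/sites/Finance/Shared Documents", "Finance", DeviceId="dev-unknown-7f3a")]
    + downloads(JD, "203.0.113.7", "2025-12-01T09:24:00Z", 120, ["Finance", "HR"])
    + downloads(KN, "198.51.100.40", "2025-12-01T08:00:00Z", 10, ["Finance"])      # ordinary day
    + downloads(PO, "192.0.2.15", "2025-12-01T14:00:00Z", 300, ["Engineering"])   # library sync, volume only
)


def capability(r):
    """Classify an event as a new capability that turns volume into staging."""
    p, op = r["params"], r["op"]
    if op in PRIV_OPS:
        return "priv_change"
    if op in FORWARD_OPS:
        addr = p.get("ForwardingSmtpAddress") or p.get("ForwardTo") or ""
        if addr and addr.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS:
            return "egress_primed"
    if op == "SharingLinkCreated" and p.get("Scope") in WIDE_SCOPES:
        return "sharing_widened"
    if op == "FileSyncAdded" and p.get("DeviceId") not in KNOWN_SYNC_DEVICES.get(r["user"], set()):
        return "new_sync"
    return None


def sessionize(records, gap=timedelta(minutes=30)):
    """Session key = user + IP + workload, split on a 30-minute inactivity gap."""
    sessions, last = [], {}
    for r in sorted(records, key=lambda r: (r["user"], r["ip"], r["workload"], r["ts"])):
        k, t = (r["user"], r["ip"], r["workload"]), parse_ts(r["ts"])
        if k not in last or t - last[k]["end"] > gap:
            last[k] = {"user": r["user"], "ip": r["ip"], "workload": r["workload"],
                       "start": t, "end": t, "files": set(), "sites": set(), "caps": []}
            sessions.append(last[k])
        s = last[k]
        s["end"] = t
        if r["op"] in ("FileDownloaded", "FileAccessed"):
            s["files"].add(r["obj"])
            s["sites"].add(r["site"])
        cap = capability(r)
        if cap:
            s["caps"].append((t, cap))
    return sessions


def detect_staging(records, baselines, delta_factor=5, lookback=timedelta(minutes=60)):
    """Flag sessions whose unique-file count is >= delta_factor x the user's daily
    baseline AND that were preceded (within lookback, any workload) by a new capability."""
    sessions = sessionize(records)
    caps_by_user = defaultdict(list)
    for s in sessions:
        caps_by_user[s["user"]].extend(s["caps"])
    findings = []
    for s in sessions:
        n = len(s["files"])
        if n < delta_factor * baselines.get(s["user"], 20):
            continue                                         # within the user's normal range
        enablers = sorted({c for t, c in caps_by_user[s["user"]] if s["start"] - lookback <= t <= s["end"]})
        if not enablers:
            continue                                         # volume alone: most likely a library sync
        findings.append({"user": s["user"], "ip": s["ip"], "start": s["start"].strftime(FMT),
                         "end": s["end"].strftime(FMT), "unique_files": n, "unique_sites": len(s["sites"]),
                         "enablers": enablers,
                         "severity": "high" if {"egress_primed", "priv_change"} & set(enablers) else "medium"})
    return findings


if __name__ == "__main__":
    for f in detect_staging(RECORDS, BASELINES):
        print(f)
```

The 300-file Engineering sync is the counter-example the section warns about: it clears the delta threshold but carries no privilege change, no external forwarding, no widened link and no unknown sync device, so it stays quiet. The Finance/HR burst is smaller but sits inside a window that also holds an external forward, an organization-wide link and a first-seen sync device, which is the chain the episode calls staging.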


Become a supporter of this podcast: https://www.spreaker.com/podcast/m365-show-podcast--6704921/support.


Transcript

1
00:00:00,000 --> 00:00:02,560
It started with a warning, then silence.

2
00:00:02,560 --> 00:00:07,080
A single account pulled down 12,000 files from SharePoint in under 20 minutes.

3
00:00:07,080 --> 00:00:10,720
No malware, no DLP alert, no blocked session.

4
00:00:10,720 --> 00:00:14,080
The Zero Trust controls all said "allowed".

5
00:00:14,080 --> 00:00:18,240
Here's the problem. Zero Trust without audit evidence is policy theater.

6
00:00:18,240 --> 00:00:21,240
Verification isn't a checkbox. It's a trail.

7
00:00:21,240 --> 00:00:26,960
Today, we'll trace four log sources that turn suspicion into proof and prevention.

8
00:00:26,960 --> 00:00:31,040
We'll pull Entra sign-in risk, the Unified Audit Log, Purview policy edits,

9
00:00:31,040 --> 00:00:33,680
and Copilot interactions into one timeline.

10
00:00:33,680 --> 00:00:36,800
There's one log pivot that exposes data staging every time.

11
00:00:36,800 --> 00:00:40,040
We'll get to it. First, verify the verifier.

12
00:00:40,040 --> 00:00:44,120
Entra ID sign-in and risk: verify the verifier.

13
00:00:44,120 --> 00:00:46,560
Every breach begins with an identity.

14
00:00:46,560 --> 00:00:51,720
The controls look solid. Conditional access, MFA, compliant devices.

15
00:00:51,720 --> 00:00:53,920
But the evidence tells a different story.

16
00:00:53,920 --> 00:00:57,280
Risky sign-ins are the earliest artifact that something is off

17
00:00:57,280 --> 00:01:01,680
and ignoring them quietly voids "verify explicitly".

18
00:01:01,680 --> 00:01:03,400
Here's what most teams miss.

19
00:01:03,400 --> 00:01:06,400
The Entra Identity stack splits your visibility.

20
00:01:06,400 --> 00:01:09,320
Risky sign-ins are a rolling 30-day window.

21
00:01:09,320 --> 00:01:13,600
Risk detections, like anomalous token or attacker in the middle,

22
00:01:13,600 --> 00:01:15,800
persist for 90 days.

23
00:01:15,800 --> 00:01:17,560
That asymmetry matters.

24
00:01:17,560 --> 00:01:21,880
The timelines reveal that when analysts only check risky sign-ins,

25
00:01:21,880 --> 00:01:26,160
they lose the earliest signals after a month and can't reconstruct the path.

26
00:01:26,160 --> 00:01:29,640
OK, so basically, track three streams relentlessly,

27
00:01:29,640 --> 00:01:34,280
risky sign-ins, risk detections, and workload identity anomalies.

28
00:01:34,280 --> 00:01:35,880
Risky sign-ins show the attempt.

29
00:01:35,880 --> 00:01:37,800
Risk detections show the pattern.

30
00:01:37,800 --> 00:01:41,600
Workload identity anomalies surface service principals

31
00:01:41,600 --> 00:01:45,160
and managed identities behaving like users.

32
00:01:45,160 --> 00:01:47,640
Because attackers love app permissions

33
00:01:47,640 --> 00:01:50,320
that never get MFA prompts.

34
00:01:50,320 --> 00:01:53,480
High-value detections deserve priority triage.

35
00:01:53,480 --> 00:01:57,840
Anomalous token means a token is being replayed outside its expected envelope,

36
00:01:57,840 --> 00:01:59,480
classic session theft.

37
00:01:59,480 --> 00:02:04,240
Attacker in the middle indicates the sign-in route brushed a malicious proxy.

38
00:02:04,240 --> 00:02:08,040
Unfamiliar sign-in properties ties together odd combinations,

39
00:02:08,040 --> 00:02:11,840
new device, odd IP, unexpected client.

40
00:02:11,840 --> 00:02:13,840
The simple version is these three together

41
00:02:13,840 --> 00:02:16,920
raise the probability of credential misuse fast.

42
00:02:16,920 --> 00:02:18,320
Here's the weird part.

43
00:02:18,320 --> 00:02:22,640
Conditional access often succeeds while the threat remains.

44
00:02:22,640 --> 00:02:25,320
A medium-risk sign-in prompts for MFA,

45
00:02:25,320 --> 00:02:30,800
the user passes and the session proceeds, policy says verified.

46
00:02:30,800 --> 00:02:32,840
The evidence suggests otherwise.

47
00:02:32,840 --> 00:02:35,560
Repeated medium-risk events over days

48
00:02:35,560 --> 00:02:38,840
correlates strongly with later data staging,

49
00:02:38,840 --> 00:02:42,520
therefore escalate repetition, not just severity.

50
00:02:42,520 --> 00:02:46,960
To make this actionable, join what the user did with why it was allowed,

51
00:02:46,960 --> 00:02:50,800
combine Entra sign-in logs with conditional access evaluation.

52
00:02:50,800 --> 00:02:53,920
The goal for each successful authentication

53
00:02:53,920 --> 00:02:59,680
record the policy path (block, MFA required, session controls applied)

54
00:02:59,680 --> 00:03:02,120
and tie it to the risk context.

55
00:03:02,120 --> 00:03:05,040
When a user gets through on require MFA,

56
00:03:05,040 --> 00:03:08,200
three times from unfamiliar properties in a week,

57
00:03:08,200 --> 00:03:11,760
that's an investigation, not business as usual.

58
00:03:11,760 --> 00:03:13,920
Think of it like a bouncer with a checklist

59
00:03:13,920 --> 00:03:16,360
versus a detective with a case file.

60
00:03:16,360 --> 00:03:18,600
The bouncer sees an ID and lets them in.

61
00:03:18,600 --> 00:03:21,080
The detective builds a narrative across nights,

62
00:03:21,080 --> 00:03:24,120
noticing the same face with different stories.

63
00:03:24,120 --> 00:03:26,880
Your logs must act like the detective.

64
00:03:26,880 --> 00:03:29,280
Specifics that hold up in forensics,

65
00:03:29,280 --> 00:03:35,560
user ID, app ID, IP, device ID, and session ID equivalents.

66
00:03:35,560 --> 00:03:39,000
If session ID is missing, derive a session key from user ID

67
00:03:39,000 --> 00:03:41,680
plus app ID plus a 30-minute window.

68
00:03:41,680 --> 00:03:44,640
Risk detail and risk level at the event time.

69
00:03:44,640 --> 00:03:46,320
Don't infer later.

70
00:03:46,320 --> 00:03:48,960
Conditional access policy outcome.

71
00:03:48,960 --> 00:03:52,000
Capture which policy tipped the decision.

72
00:03:52,000 --> 00:03:55,320
Upon closer examination, repeated medium risk

73
00:03:55,320 --> 00:03:58,840
with changing IP ranges is more predictive

74
00:03:58,840 --> 00:04:00,960
than a single high-risk spike.

75
00:04:00,960 --> 00:04:03,520
The counter-intuitive part is that automated blocks

76
00:04:03,520 --> 00:04:05,760
on high-risk are common.

77
00:04:05,760 --> 00:04:09,760
The slow drip of medium becomes the real lead.

78
00:04:09,760 --> 00:04:12,880
Escalate by count and diversity.

79
00:04:12,880 --> 00:04:17,440
Three medium risk sign-ins from three ASNs in seven days

80
00:04:17,440 --> 00:04:19,360
triggers a case.

81
00:04:19,360 --> 00:04:21,880
Microstory from a typical tenant.

82
00:04:21,880 --> 00:04:24,040
An account with no travel history

83
00:04:24,040 --> 00:04:31,560
shows medium-risk sign-ins at 02:14, 03:52 and 05:10 UTC.

84
00:04:31,560 --> 00:04:35,240
Each required MFA; all passed.

85
00:04:35,240 --> 00:04:38,000
The next morning SharePoint shows a new sync client

86
00:04:38,000 --> 00:04:38,920
registration.

87
00:04:38,920 --> 00:04:40,240
No alert fired.

88
00:04:40,240 --> 00:04:41,920
The evidence chain started here.

89
00:04:41,920 --> 00:04:44,440
Identity friction, then foothold.

90
00:04:44,440 --> 00:04:46,760
How to make it stick operationally.

91
00:04:46,760 --> 00:04:51,520
Alert when risky sign-in count per user in seven days

92
00:04:51,520 --> 00:04:53,920
with distinct client IP ranges.

93
00:04:53,920 --> 00:04:56,000
Alert when a workload identity suddenly

94
00:04:56,000 --> 00:05:00,400
authenticates from public IP space or gains API permissions

95
00:05:00,400 --> 00:05:01,960
it never used.

96
00:05:01,960 --> 00:05:03,040
Quarantine logic.

97
00:05:03,040 --> 00:05:05,720
If risk ≥ high and token anomaly

98
00:05:05,720 --> 00:05:09,320
present, force sign-out and require password reset.

99
00:05:09,320 --> 00:05:12,640
If repeated medium risk aligns with new device registration,

100
00:05:12,640 --> 00:05:14,760
flag for human review.

101
00:05:14,760 --> 00:05:17,880
Retention realities demand discipline.

102
00:05:17,880 --> 00:05:22,520
Export risky sign-ins weekly to preserve beyond 30 days

103
00:05:22,520 --> 00:05:26,800
and store risk detections for at least 180 days in your SIEM.

104
00:05:26,800 --> 00:05:28,600
The lesson is simple.

105
00:05:28,600 --> 00:05:31,080
If you can't replay the first 12 hours,

106
00:05:31,080 --> 00:05:33,840
you can't prove intent or sequence.

107
00:05:33,840 --> 00:05:35,320
Here's what most people miss.

108
00:05:35,320 --> 00:05:37,760
Identities authenticate first.

109
00:05:37,760 --> 00:05:41,120
Lateral movement starts after the door opens.

110
00:05:41,120 --> 00:05:44,240
The sign in narrative is the prologue, not the story.

111
00:05:44,240 --> 00:05:48,360
With the verifier verified, the next step is to trace movement.

112
00:05:48,360 --> 00:05:51,760
The unified ledger will show where the access went,

113
00:05:51,760 --> 00:05:55,560
how privileges shifted, and when the data began to pool.

114
00:05:55,560 --> 00:05:58,720
The Unified Audit Log: trace lateral movement

115
00:05:58,720 --> 00:06:00,160
across workloads.

116
00:06:00,160 --> 00:06:01,520
The door opened.

117
00:06:01,520 --> 00:06:03,560
Now the movement begins.

118
00:06:03,560 --> 00:06:05,880
The unified audit log is the ledger.

119
00:06:05,880 --> 00:06:09,160
One place where Exchange, SharePoint, OneDrive,

120
00:06:09,160 --> 00:06:12,720
Teams, and admin actions write their traces.

121
00:06:12,720 --> 00:06:15,160
In this environment, nothing is accidental.

122
00:06:15,160 --> 00:06:17,680
Every escalation, every permission tweak,

123
00:06:17,680 --> 00:06:21,480
every quiet mailbox peek leaves residue here.

124
00:06:21,480 --> 00:06:23,680
If Entra told us who got in and why,

125
00:06:23,680 --> 00:06:27,000
the UAL tells us where they went and what changed.

126
00:06:27,000 --> 00:06:28,920
Why this matters is simple.

127
00:06:28,920 --> 00:06:33,400
Lateral movement in M365 is cross-service by design.

128
00:06:33,400 --> 00:06:35,320
Attackers don't stay in one workload.

129
00:06:35,320 --> 00:06:36,240
They pivot.

130
00:06:36,240 --> 00:06:37,800
They add a forwarding rule.

131
00:06:37,800 --> 00:06:39,920
They grant a SharePoint group edit rights.

132
00:06:39,920 --> 00:06:43,280
They enable a new sync client and they generate sharing links

133
00:06:43,280 --> 00:06:45,840
that bypass normal access paths.

134
00:06:45,840 --> 00:06:48,200
If you only watch one pane, you miss the sequence.

135
00:06:48,200 --> 00:06:49,840
The UAL stitches it.

136
00:06:49,840 --> 00:06:51,640
Here's what most people miss.

137
00:06:51,640 --> 00:06:55,520
Critical events cluster before exfiltration.

138
00:06:55,520 --> 00:06:59,280
Privilege changes, mailbox access by non-owners,

139
00:06:59,280 --> 00:07:02,360
and SharePoint site permission edits in a narrow window

140
00:07:02,360 --> 00:07:03,720
are the tell.

141
00:07:03,720 --> 00:07:06,600
A mail forwarding rule to an external domain

142
00:07:06,600 --> 00:07:08,480
isn't just a mail event.

143
00:07:08,480 --> 00:07:11,040
It's an early warning that someone wants data

144
00:07:11,040 --> 00:07:13,080
to leave the tenant reliably.

145
00:07:13,080 --> 00:07:16,040
Pair that with a sudden burst of SharePoint file

146
00:07:16,040 --> 00:07:20,600
downloaded and file accessed events and you have staging.

147
00:07:20,600 --> 00:07:22,680
OK, so basically you need three lenses,

148
00:07:22,680 --> 00:07:25,280
identity, privilege, and data movement.

149
00:07:25,280 --> 00:07:27,560
The identity lens keeps user ID,

150
00:07:27,560 --> 00:07:29,680
app ID, and client IP consistent.

151
00:07:29,680 --> 00:07:32,520
The privilege lens watches for Add-MailboxPermission,

152
00:07:32,520 --> 00:07:36,720
Set-Mailbox, Add-UnifiedGroupLinks, and role assignments.

153
00:07:36,720 --> 00:07:40,680
The data lens tracks file downloaded, file sync added,

154
00:07:40,680 --> 00:07:43,760
sharing link created, and access requests.

155
00:07:43,760 --> 00:07:46,920
The simple version is when privilege and data lenses

156
00:07:46,920 --> 00:07:51,280
spike together, that's not collaboration, it's preparation.

157
00:07:51,280 --> 00:07:55,040
The evidence suggests data staging has distinct signals.

158
00:07:55,040 --> 00:07:57,640
Mass downloads rarely look like a single endpoint

159
00:07:57,640 --> 00:07:58,920
pulling one folder.

160
00:07:58,920 --> 00:08:01,320
They arrive as parallel fetches from SharePoint

161
00:08:01,320 --> 00:08:05,120
and OneDrive plus the quiet enabling of sync on a new device.

162
00:08:05,120 --> 00:08:08,360
Unusual creation of anonymous or company-wide sharing

163
00:08:08,360 --> 00:08:11,560
links appears when direct access would be noisy.

164
00:08:11,560 --> 00:08:14,760
And in exchange, rules that auto-forward, redirect,

165
00:08:14,760 --> 00:08:18,480
or BCC outbound mail surface just before the cutover.

166
00:08:18,480 --> 00:08:20,720
To trace the artifacts: session IDs.

167
00:08:20,720 --> 00:08:23,600
The UAL doesn't hand you a session ID, so build one.

168
00:08:23,600 --> 00:08:28,240
User ID plus client IP plus app ID within a 30- to 45-minute window

169
00:08:28,240 --> 00:08:29,800
is a workable surrogate.

170
00:08:29,800 --> 00:08:34,560
Join adjacent events to build a path, permission change,

171
00:08:34,560 --> 00:08:41,080
access burst, sharing link creation, external forwarding.

172
00:08:41,080 --> 00:08:43,480
Dedupe repetitive low-value noise

173
00:08:43,480 --> 00:08:47,120
like repeated heartbeat actions, and keep the high-entropy

174
00:08:47,120 --> 00:08:48,000
changes.

175
00:08:48,000 --> 00:08:49,920
Here's the counter-intuitive part.

176
00:08:49,920 --> 00:08:53,680
Mass download by count alone is a weak detector.

177
00:08:53,680 --> 00:08:55,640
People sync libraries.

178
00:08:55,640 --> 00:08:58,200
Instead, detect deltas.

179
00:08:58,200 --> 00:09:01,240
A user who normally reads 20 files per day suddenly

180
00:09:01,240 --> 00:09:05,480
touches 800 unique items across two sites in 30 minutes.

181
00:09:05,480 --> 00:09:08,640
And within that same window, a new sync relationship

182
00:09:08,640 --> 00:09:09,960
is established.

183
00:09:09,960 --> 00:09:11,760
In other words, change from baseline

184
00:09:11,760 --> 00:09:16,040
plus new capability is the indicator not raw volume.

185
00:09:16,040 --> 00:09:19,360
Kill chain reconstruction in the UAL works like this.

186
00:09:19,360 --> 00:09:23,200
Correlate Set-InboxRule or New-InboxRule

187
00:09:23,200 --> 00:09:26,480
that forwards to an external domain with SharePoint file

188
00:09:26,480 --> 00:09:30,040
downloaded spikes within the same user session window.

189
00:09:30,040 --> 00:09:32,160
If you also see sharing link created

190
00:09:32,160 --> 00:09:36,920
with scope, anyone, or organization for sensitive libraries,

191
00:09:36,920 --> 00:09:40,360
you have both a primary and a fallback exfil route.

192
00:09:40,360 --> 00:09:43,640
Add admin operations, Add-RoleGroupMember,

193
00:09:43,640 --> 00:09:46,360
or site collection admin changes,

194
00:09:46,360 --> 00:09:48,960
and you can date the escalation that enabled it.

195
00:09:48,960 --> 00:09:52,120
Licensing and retention influence what you can prove.

196
00:09:52,120 --> 00:09:56,280
E3 gives you the core with many premium events now available,

197
00:09:56,280 --> 00:10:00,160
but Purview Audit (Premium) adds high-value events

198
00:10:00,160 --> 00:10:01,680
and longer look back.

199
00:10:01,680 --> 00:10:05,320
10-year retention exists, but only if you configure it

200
00:10:05,320 --> 00:10:07,840
and export or archive properly.

201
00:10:07,840 --> 00:10:12,840
Gaps happen: ingestion delays, throttling, API back-offs.

202
00:10:12,840 --> 00:10:14,480
Build an export strategy.

203
00:10:14,480 --> 00:10:17,600
Stream UAL via the management activity API

204
00:10:17,600 --> 00:10:21,040
to a workspace you control, then normalize fields,

205
00:10:21,040 --> 00:10:23,840
so joins are consistent later.

206
00:10:23,840 --> 00:10:26,640
Practical mechanics matter.

207
00:10:26,640 --> 00:10:30,160
The management activity API delivers content blobs

208
00:10:30,160 --> 00:10:35,160
by record type: Exchange, SharePoint, Azure AD, DLP.

209
00:10:35,160 --> 00:10:40,120
Normalize timestamps to UTC and index by user ID,

210
00:10:40,120 --> 00:10:45,120
client IP, source file name, object ID, and operation.

211
00:10:45,120 --> 00:10:49,160
For KQL and Sentinel, shape events into sessions

212
00:10:49,160 --> 00:10:51,120
and compute per-session unique file count,

213
00:10:51,120 --> 00:10:54,240
unique site count, and privilege change flags.

214
00:10:54,240 --> 00:10:57,200
Dedupe noisy operations by hashing on operation

215
00:10:57,200 --> 00:11:00,120
plus object ID plus five minute bucket.

216
00:11:00,120 --> 00:11:02,640
A micro story from a routine investigation,

217
00:11:02,640 --> 00:11:06,280
no malware alerts, but the UAL showed Set-Mailbox

218
00:11:06,280 --> 00:11:09,360
enabling forwarding to a customer mailbox on Outlook,

219
00:11:09,360 --> 00:11:12,720
committed at 09:12. At 09:18, sharing link

220
00:11:12,720 --> 00:11:17,240
created for a finance library with scope Organization.

221
00:11:17,240 --> 00:11:21,520
At 09:23, file sync added on a device never seen before.

222
00:11:21,520 --> 00:11:25,200
From 09:24 to 09:36, 100 unique

223
00:11:25,200 --> 00:11:28,320
file downloaded events across finance and HR sites,

224
00:11:28,320 --> 00:11:29,800
no DLP triggers.

225
00:11:29,800 --> 00:11:32,000
The ledger told the story end to end.

226
00:11:32,000 --> 00:11:35,280
Alert logic should reflect chain patterns,

227
00:11:35,280 --> 00:11:37,760
not single events.

228
00:11:37,760 --> 00:11:41,280
If new inbox rule or set mailbox forwarding

229
00:11:41,280 --> 00:11:43,400
to an external domain occurs,

230
00:11:43,400 --> 00:11:47,640
and within 60 minutes, the same user ID shows SharePoint file

231
00:11:47,640 --> 00:11:52,400
downloaded rate above 95th percentile, raise high severity.

232
00:11:52,400 --> 00:11:55,800
If sharing link created scope widens on a sensitive site

233
00:11:55,800 --> 00:11:59,000
and a new sync relationship appears within 30 minutes,

234
00:11:59,000 --> 00:12:03,080
escalate to investigation even without high file counts.

235
00:12:03,080 --> 00:12:05,320
If ads, buzzer, or role assignments,

236
00:12:05,320 --> 00:12:08,520
expand site admin rights followed by access surges,

237
00:12:08,520 --> 00:12:09,760
trigger immediate review.

238
00:12:09,760 --> 00:12:12,520
For defensibility and scale, build suppression windows

239
00:12:12,520 --> 00:12:15,280
so you don't page on legitimate migrations.

240
00:12:15,280 --> 00:12:17,840
Tag sanctioned jobs by service principal ID

241
00:12:17,840 --> 00:12:20,520
or by an allow list of admin actors,

242
00:12:20,520 --> 00:12:24,080
and require change tickets to carry a correlation tag

243
00:12:24,080 --> 00:12:27,000
in the audit's additional details field.

244
00:12:27,000 --> 00:12:30,280
If absent, treat spikes as suspicious.

245
00:12:30,280 --> 00:12:34,120
Retention and licensing aside, the key is correlation.

246
00:12:34,120 --> 00:12:38,920
The UAL is the cross workload ledger, use it to prove the path.

247
00:12:38,920 --> 00:12:40,640
When evidence is coherent,

248
00:12:40,640 --> 00:12:44,960
privileges expanded, access spiked, egress channels primed,

249
00:12:44,960 --> 00:12:47,600
you can move from suspicion to fact.

250
00:12:47,600 --> 00:12:50,000
And when the ledger goes quiet right before a spike,

251
00:12:50,000 --> 00:12:53,480
that silence is evidence too; often someone dimmed the lights.

252
00:12:53,480 --> 00:12:57,800
That's where purview policy tampering becomes the next pivot.

253
00:12:57,800 --> 00:13:02,560
Purview retention and policy tampering: when the lights go out.

254
00:13:02,560 --> 00:13:05,920
The ledger shows movement, then the trace thins.

255
00:13:05,920 --> 00:13:08,040
When exfiltration is imminent,

256
00:13:08,040 --> 00:13:10,120
attackers don't just move fast,

257
00:13:10,120 --> 00:13:11,800
they dim the room.

258
00:13:11,800 --> 00:13:14,320
Purview is where they reach for the switch.

259
00:13:14,320 --> 00:13:16,840
Retention policies, label publishing,

260
00:13:16,840 --> 00:13:20,480
and audit configuration edits are the quiet controls

261
00:13:20,480 --> 00:13:24,280
that decide whether evidence survives long enough to matter.

262
00:13:24,280 --> 00:13:27,840
If Entra proves entry, and the UAL shows motion,

263
00:13:27,840 --> 00:13:31,600
purview changes explain why the record suddenly goes vague.

264
00:13:31,600 --> 00:13:33,720
Why this matters is simple.

265
00:13:33,720 --> 00:13:36,840
Disabling or weakening retention is the classic

266
00:13:36,840 --> 00:13:38,600
cover-your-tracks move.

267
00:13:38,600 --> 00:13:42,920
Zero trust assumes breach, but defensibility assumes immutable evidence.

268
00:13:42,920 --> 00:13:46,320
When retention shifts to retain none,

269
00:13:46,320 --> 00:13:50,960
when label policies stop applying to the sensitive sites under pressure,

270
00:13:50,960 --> 00:13:54,480
or when audit settings toggle, the storyline breaks.

271
00:13:54,480 --> 00:13:58,560
In a forensic case, broken timelines aren't a nuisance, they're the point.

272
00:13:58,560 --> 00:14:00,200
What to track is precise.

273
00:14:00,200 --> 00:14:03,000
Three families of edits are high value.

274
00:14:03,000 --> 00:14:05,880
Retention policy changes, creation, scope edits,

275
00:14:05,880 --> 00:14:08,880
mode switches (retain → retain none).

276
00:14:08,880 --> 00:14:10,280
Deletion.

277
00:14:10,280 --> 00:14:14,880
Audit configuration changes, starting or stopping audit recording,

278
00:14:14,880 --> 00:14:17,360
audit log retention window changes,

279
00:14:17,360 --> 00:14:20,040
export connector adjustments.

280
00:14:20,040 --> 00:14:24,920
Label and policy publishing, sensitivity label modifications,

281
00:14:24,920 --> 00:14:28,720
auto labeling rules, changes to which sharepoint sites

282
00:14:28,720 --> 00:14:30,760
or exchange locations are in scope.

283
00:14:30,760 --> 00:14:33,360
Okay, so basically treat every policy added

284
00:14:33,360 --> 00:14:37,240
as a potential precursor or accomplice to data movement.

285
00:14:37,240 --> 00:14:43,680
The evidence suggests that edits cluster before or within hours of access spikes.

286
00:14:43,680 --> 00:14:47,840
The simple version is privilege expands data flows,

287
00:14:47,840 --> 00:14:51,840
then someone trims retention to erase the trail.

288
00:14:51,840 --> 00:14:56,320
To trace the artifacts, align three timestamps in one view,

289
00:14:56,320 --> 00:15:00,120
who changed what policy, actor, object.

290
00:15:00,120 --> 00:15:05,200
The exact scope after change included locations, excluded sites, mode,

291
00:15:05,200 --> 00:15:09,920
and the adjacent UAL burst from the same department site or owner.

292
00:15:09,920 --> 00:15:13,400
Upon closer examination, alignment beats coincidence.

293
00:15:13,400 --> 00:15:19,680
When a finance retention policy loses the HR site two hours before that site records a mass download,

294
00:15:19,680 --> 00:15:22,360
it's not hygiene, it's staging.

295
00:15:22,360 --> 00:15:25,840
Alert patterns should be narrow and loud.

296
00:15:25,840 --> 00:15:31,080
Any retention policy set to do not retain on locations previously covered,

297
00:15:31,080 --> 00:15:33,760
raise high severity immediately.

298
00:15:33,760 --> 00:15:39,520
Disabling purview audit recording or reducing audit retention within seven days of privilege escalations,

299
00:15:39,520 --> 00:15:41,080
escalate to incident.

300
00:15:41,080 --> 00:15:47,840
Sensitivity label policy narrowing scope on sensitive sites within 24 hours of sharing link

301
00:15:47,840 --> 00:15:50,320
created spikes: investigate.

302
00:15:50,320 --> 00:15:56,200
The counter-intuitive part: policy tampering often arrives via legitimate channels.

303
00:15:56,200 --> 00:16:00,560
A global admin toggles settings; the change looks like maintenance.

304
00:16:00,560 --> 00:16:07,240
Therefore, require dual control on retention edits and log the request identifier inside additional details,

305
00:16:07,240 --> 00:16:09,120
no change ticket ID, no change.

306
00:16:09,120 --> 00:16:11,560
In this environment, nothing is accidental.

307
00:16:11,560 --> 00:16:16,800
Operationally, build a policy change ledger with join keys

309
00:16:16,800 --> 00:16:20,040
you can prove later: normalize actor

310
00:16:20,040 --> 00:16:24,520
UPN, correlation ID, and client IP.

310
00:16:24,520 --> 00:16:33,800
Capture before and after snapshots of policy JSON; don't store diffs only.

311
00:16:33,800 --> 00:16:36,200
Stamp a change

312
00:16:36,200 --> 00:16:43,440
intent field (maintenance, migration, incident, emergency) with a mandatory value.

313
00:16:43,440 --> 00:16:52,680
A micro story from a routine case: at 11:04, an admin reduced audit retention from 180 to 30 days.

314
00:16:52,680 --> 00:16:57,920
At 11:18, sensitivity label lost auto-apply on three high value sites.

315
00:16:57,920 --> 00:17:03,080
By 12:02, file sync added and file downloaded surged across those sites.

316
00:17:03,080 --> 00:17:07,000
No DLP alarms, no errors, just less light.

317
00:17:07,000 --> 00:17:11,400
The policy edits weren't noise, they were the setup.

318
00:17:11,400 --> 00:17:20,120
Compliance posture depends on immutable logs; Purview Audit (Premium) helps with richer events and longer retention,

319
00:17:20,120 --> 00:17:22,840
but only if configured.

320
00:17:22,840 --> 00:17:31,040
Export policy change events to a controlled store with write-once semantics and mirror them to a secondary region for resilience.

321
00:17:31,040 --> 00:17:33,160
Assign accountable owners.

322
00:17:33,160 --> 00:17:37,640
One team can propose, a second approves, a third observes.

323
00:17:37,640 --> 00:17:39,600
The lesson is clinical.

324
00:17:39,600 --> 00:17:44,320
If the light switch is in reach of the suspect, your evidence is negotiable.

325
00:17:44,320 --> 00:17:50,560
Still, when the room dims, one surface can glow brighter than expected: Copilot's interactions.

326
00:17:50,560 --> 00:17:58,320
If data aggregation happens by AI, the footprints are different: summaries, source references, and cross-site touches.

327
00:17:58,320 --> 00:18:04,120
If those are logged, they'll outline what text made it into the prompt and which files fed the answer.

328
00:18:04,120 --> 00:18:08,280
If they aren't, we name the gap and compensate elsewhere.

329
00:18:08,280 --> 00:18:12,360
Copilot interaction logs: AI as an exfil multiplier.

330
00:18:12,360 --> 00:18:14,880
When the room dims, Copilot can still see.

331
00:18:14,880 --> 00:18:16,160
That's why it matters.

332
00:18:16,160 --> 00:18:21,040
Copilot aggregates across SharePoint and OneDrive at conversational speed,

333
00:18:21,040 --> 00:18:26,720
summarizing, comparing, and extracting patterns humans would need hours to compile.

334
00:18:26,720 --> 00:18:29,520
If it touches a file to answer a prompt, that's access.

335
00:18:29,520 --> 00:18:33,600
If that access isn't logged, your zero-trust narrative fractures.

336
00:18:33,600 --> 00:18:37,200
Post-August 2024, the audit surface improved.

337
00:18:37,200 --> 00:18:42,480
Copilot interaction events now reference which service hosted the content when the model fetched it

338
00:18:42,480 --> 00:18:46,240
and pointers to the underlying files used to construct the answer.

339
00:18:46,240 --> 00:18:50,360
Before that fix, some interactions left little or no trace.

340
00:18:50,360 --> 00:18:54,880
Organizations must treat that period as a blind spot in their evidence chain.

341
00:18:54,880 --> 00:19:00,120
The timelines revealed that exfil by summary looked like ordinary collaboration

342
00:19:00,120 --> 00:19:03,040
unless you could tie the response back to file reads.

343
00:19:03,040 --> 00:19:10,480
Okay, so basically treat Copilot like a high-speed research assistant whose bibliography is your evidence.

344
00:19:10,480 --> 00:19:17,000
The Copilot schema in the Management Activity API links an interaction to content sources,

345
00:19:17,000 --> 00:19:22,640
SharePoint sites, OneDrive paths, message threads, and captures the user,

346
00:19:22,640 --> 00:19:28,680
the app surface (8G, Word, Teams, M365), and the interaction time.

347
00:19:28,680 --> 00:19:35,400
The simple version is: if Copilot's answer required reading five libraries across finance and HR,

348
00:19:35,400 --> 00:19:41,480
those reads are auditable and should align with UAL file access and file downloaded events.

349
00:19:41,480 --> 00:19:43,080
Here's what most people miss.

350
00:19:43,080 --> 00:19:45,920
Prompts can be broad and still look benign.

351
00:19:45,920 --> 00:19:52,240
"Summarize last quarter's vendor disputes across finance and HR" invites cross-site traversal.

352
00:19:52,240 --> 00:20:01,000
If the same user then exports the summary or copies the output into an external channel, Copilot became a multiplier.

353
00:20:01,000 --> 00:20:04,400
The evidence suggests three high-risk behaviors.

354
00:20:04,400 --> 00:20:11,760
Unusually broad prompts that span business units, cross-site summaries followed by concentrated file touches,

355
00:20:11,760 --> 00:20:16,160
and export-like actions immediately after an answer appears.

356
00:20:16,160 --> 00:20:18,880
To trace the artifacts, sessionize around the interaction.

357
00:20:18,880 --> 00:20:23,000
Build a 15 to 30-minute window keyed on UserId, AppId, and client IP.

358
00:20:23,000 --> 00:20:33,840
Within that window, join Copilot interaction events to UAL operations: file accessed, file previewed, and file downloaded.

359
00:20:33,840 --> 00:20:42,000
You're looking for a pattern: prompt, surge of reads across multiple sensitive sites, downstream action,

360
00:20:42,000 --> 00:20:45,520
export, email forwarding, external share.

361
00:20:45,520 --> 00:20:51,760
Upon closer examination, the burst of reads often includes files the user has never accessed before.

362
00:20:51,760 --> 00:20:53,360
Novelty is a strong signal.

363
00:20:53,360 --> 00:20:55,440
Mitigations rely on scope and friction.

364
00:20:55,440 --> 00:20:58,200
Least privilege data access isn't optional.

365
00:20:58,200 --> 00:21:00,840
Copilot only sees what the user sees.

366
00:21:00,840 --> 00:21:06,920
Harden your information architecture: sensitivity labels that actually gate access,

367
00:21:06,920 --> 00:21:08,760
Not just watermark.

368
00:21:08,760 --> 00:21:16,040
Use conditional access to restrict AI apps from risky sign-in contexts or unmanaged devices.

369
00:21:16,040 --> 00:21:19,000
Align DLP with AI outputs.

370
00:21:19,000 --> 00:21:25,200
Treat Copilot responses as content that can trigger policies, not just the source files.

371
00:21:25,200 --> 00:21:28,120
Alert logic should be compound, not atomic.

372
00:21:28,120 --> 00:21:34,960
If a Copilot interaction references more than n distinct sites classified as sensitive within 20 minutes,

373
00:21:34,960 --> 00:21:41,480
and the same session shows UAL reads from those sites, raise medium severity.

374
00:21:41,480 --> 00:21:47,800
If a Copilot interaction is followed within 10 minutes by sharing link created with scope organization

375
00:21:47,800 --> 00:21:51,680
or anyone for any referenced file, escalate to high.

376
00:21:51,680 --> 00:21:58,360
If a user with repeated medium-risk sign-ins initiates Copilot interactions touching files

377
00:21:58,360 --> 00:22:00,560
they've never accessed in 90 days,

378
00:22:00,560 --> 00:22:01,880
Open a case.

379
00:22:01,880 --> 00:22:07,920
The counter-intuitive part: Copilot itself isn't the leak, the export is.

380
00:22:07,920 --> 00:22:15,920
Monitor the egress channels tied to AI outputs: pastes into external chats, downloads of generated documents,

381
00:22:15,920 --> 00:22:23,000
e-mail to external domains. The linkage is the proof: Copilot interaction ID, referenced files,

382
00:22:23,000 --> 00:22:25,760
new artifact created or sent.

383
00:22:25,760 --> 00:22:31,680
In other words, the summary was the staging, the send was the theft. Operational practices matter:

384
00:22:31,680 --> 00:22:37,320
tag sensitive repositories clearly so Copilot source references map to risk tiers,

385
00:22:37,320 --> 00:22:47,280
build KQL that aggregates Copilot interactions by UserId and counts distinct site URLs referenced per session,

386
00:22:47,280 --> 00:22:51,480
joins to UAL to count unique ObjectId reads in that session.

387
00:22:51,480 --> 00:22:57,320
Flag novelty rate: percentage of files first seen for that user in 180 days.

388
00:22:57,320 --> 00:23:06,760
A micro-story from a quiet case: 08:41, Copilot interaction in Teams, broad prompt spanning finance and HR disputes,

389
00:23:06,760 --> 00:23:10,680
08:42 to 08:46, 420

390
00:23:10,680 --> 00:23:17,760
file accessed events across two finance libraries and one HR site; the user had no prior history with 90% of them.

391
00:23:17,760 --> 00:23:22,080
08:47, a new Word doc created with extracted bullet points,

392
00:23:22,080 --> 00:23:31,640
08:49, sharing link created, scope organization, on that doc; 08:52, email sent externally with the doc attached,

393
00:23:31,640 --> 00:23:39,200
no DLP hit on the source files; the generated file slipped past profile-based rules.

394
00:23:39,200 --> 00:23:47,480
The interaction log was the hinge; without it, the narrative looks like unrelated reads and a normal email.

395
00:23:47,480 --> 00:23:53,440
In the end, Copilot is an amplifier: with clean logs it's a transparent amplifier, without them it's a silent one;

396
00:23:53,440 --> 00:23:59,920
tie the interaction to the reads and the egress and the multiplier becomes measurable and stoppable.

397
00:23:59,920 --> 00:24:05,920
The case: reconstructing a quiet data exfiltration. It started with an ordinary identity,

398
00:24:05,920 --> 00:24:11,600
one mailbox, one workstation, a predictable schedule. The anomaly arrived quietly:

399
00:24:11,600 --> 00:24:23,680
three medium-risk sign-ins spread over a week, each required MFA, each successful, no device non-compliance, no malware, just friction, then passage.

400
00:24:23,680 --> 00:24:27,000
The evidence suggests the door opened and stayed ajar.

401
00:24:27,000 --> 00:24:35,800
Day 1, 02:14 UTC, Entra flags unfamiliar sign-in properties from an ASN the user has never touched,

402
00:24:35,800 --> 00:24:40,280
conditional access requires MFA; success.

403
00:24:40,280 --> 00:24:47,720
Nothing else. Day 3, 03:52, different IP range, same city profile, same medium risk,

404
00:24:47,720 --> 00:24:55,320
another successful MFA. Day 6, 05:10, a third ASN, still medium-risk, still allowed. The pattern matters:

405
00:24:55,320 --> 00:25:01,560
repetition with variation, new networks, same user, consistent allow.

406
00:25:01,560 --> 00:25:07,600
Upon closer examination, that sequence is how an attacker builds confidence,

407
00:25:07,600 --> 00:25:10,880
that enforcement can be satisfied on demand.

408
00:25:10,880 --> 00:25:12,360
The ledger picks up the trail.

409
00:25:12,360 --> 00:25:18,840
At 07:42 on day 6, the UAL records device sync client registration for OneDrive,

410
00:25:18,840 --> 00:25:23,160
file sync added on a machine never seen in the tenant for this user.

411
00:25:23,160 --> 00:25:29,600
Six minutes later, sharing link created across two SharePoint sites, Finance and HR,

412
00:25:29,600 --> 00:25:32,200
scopes widened to organization.

413
00:25:32,200 --> 00:25:40,720
Within the next 12 minutes, file downloaded and file accessed spike: 1,100 unique items,

414
00:25:40,720 --> 00:25:47,200
parallelized across libraries with access patterns that don't resemble normal search or browsing.

415
00:25:47,200 --> 00:25:52,200
Still no DLP trigger; the evidence suggests staging, not collaboration.

416
00:25:52,200 --> 00:25:53,960
Here's what most people miss.

417
00:25:53,960 --> 00:25:57,080
Privilege adjustments hid in plain sight.

418
00:25:57,080 --> 00:26:05,280
At 07:58, Add SPUser adds the user to a site group with edit rights on the finance site.

419
00:26:05,280 --> 00:26:11,320
The actor appears to be a delegated admin account with a legitimate service principal history,

420
00:26:11,320 --> 00:26:14,720
but the timing doesn't align with any approved change ticket.

421
00:26:14,720 --> 00:26:19,240
The counter-intuitive part is that the privilege change wasn't maximal; it was just enough

422
00:26:19,240 --> 00:26:22,160
to remove friction from sync and link creation.

423
00:26:22,160 --> 00:26:23,840
Least change, greatest effect.

424
00:26:23,840 --> 00:26:26,520
Email provides an egress contour.

425
00:26:26,520 --> 00:26:32,200
At 08:03, Set-InboxRule enables forwarding of all mail with "report" or "statement" in the subject

426
00:26:32,200 --> 00:26:37,880
to a consumer domain; it's scoped, not global, subtle enough to evade coarse alerts.

427
00:26:37,880 --> 00:26:43,160
A low-volume trickle begins, but it's not the main channel; it's a contingency.

428
00:26:43,160 --> 00:26:45,440
Purview shifts explain the dimming.

429
00:26:45,440 --> 00:26:51,000
At 09:21, a retention policy scoped to Finance reduces coverage.

430
00:26:51,000 --> 00:26:55,160
One HR site is excluded temporarily for migration.

431
00:26:55,160 --> 00:26:58,880
The additional details field lacks a change ticket ID.

432
00:26:58,880 --> 00:27:03,400
19 minutes later, the Finance policy toggles from retain to retain none for temporary

433
00:27:03,400 --> 00:27:06,800
cleanup applied to a subset of libraries.

434
00:27:06,800 --> 00:27:12,040
No audit recording change yet, just the survivability of content altered.

435
00:27:12,040 --> 00:27:15,040
The timelines reveal the correlation.

436
00:27:15,040 --> 00:27:18,600
Policy reduction precedes the heaviest access bursts.

437
00:27:18,600 --> 00:27:27,320
Copilot ties the aggregation. At 09:49, a Copilot interaction in Teams, a broad prompt:

438
00:27:27,320 --> 00:27:32,880
"Summarize vendor disputes and payout variances across Finance and HR for Q2."

439
00:27:32,880 --> 00:27:38,240
From 09:49 to 09:55, the interaction references three sensitive sites.

440
00:27:38,240 --> 00:27:40,200
UAL mirrors the surge:

441
00:27:40,200 --> 00:27:43,840
file accessed across libraries where the user has minimal history.

442
00:27:43,840 --> 00:27:49,320
At 09:57, a new Word document appears: extracted bullets and totals.

443
00:27:49,320 --> 00:27:52,920
At 10:00, sharing link created, scope organization, on that doc.

444
00:27:52,920 --> 00:27:56,680
At 10:03, an email to an external address carries the attachment.

445
00:27:56,680 --> 00:27:58,240
No DLP hit.

446
00:27:58,240 --> 00:28:02,720
The generated document didn't match the legacy policy fingerprint.

447
00:28:02,720 --> 00:28:06,080
The pivot that exposed data staging wasn't the file count.

448
00:28:06,080 --> 00:28:07,520
It was the pairing.

449
00:28:07,520 --> 00:28:12,520
New sync relationship plus widened sharing links within the same session window.

450
00:28:12,520 --> 00:28:18,200
Every time that duo appears alongside a novelty spike, files the user has never touched.

451
00:28:18,200 --> 00:28:20,960
It predicts exfiltration within the hour.

452
00:28:20,960 --> 00:28:23,000
In this environment, nothing is accidental.

453
00:28:23,000 --> 00:28:26,040
The reconstructed timeline is clinical.

454
00:28:26,040 --> 00:28:32,200
Repeated medium-risk sign-ins from diverse ASNs allowed via MFA.

455
00:28:32,200 --> 00:28:37,320
New sync client registration followed by organization-scoped sharing links.

456
00:28:37,320 --> 00:28:43,920
And forwarding rule creation in Exchange: narrow, persistent, secondary egress.

457
00:28:43,920 --> 00:28:48,040
Purview retention narrowing on involved sites.

458
00:28:48,040 --> 00:28:50,040
Change ticket absent.

459
00:28:50,040 --> 00:28:51,880
Language: temporary.

460
00:28:51,880 --> 00:28:55,200
Copilot interaction spanning finance and HR.

461
00:28:55,200 --> 00:28:57,880
Source references to sensitive libraries.

462
00:28:57,880 --> 00:28:59,560
Burst of novel reads.

463
00:28:59,560 --> 00:29:01,560
Generated documents shared internally.

464
00:29:01,560 --> 00:29:03,080
Then sent externally.

465
00:29:03,080 --> 00:29:05,200
No DLP interception.

466
00:29:05,200 --> 00:29:06,920
Forensic conclusion.

467
00:29:06,920 --> 00:29:08,320
Identity risk set the stage.

468
00:29:08,320 --> 00:29:11,120
The UAL recorded staging behaviors.

469
00:29:11,120 --> 00:29:14,640
Purview edits attempted to weaken evidence durability.

470
00:29:14,640 --> 00:29:17,280
Copilot accelerated aggregation.

471
00:29:17,280 --> 00:29:19,520
Exchange rules provided continuity.

472
00:29:19,520 --> 00:29:23,360
Together they form a coherent exfiltration pattern.

473
00:29:23,360 --> 00:29:24,760
Low noise.

474
00:29:24,760 --> 00:29:26,960
Policy compliant on paper.

475
00:29:26,960 --> 00:29:29,480
Detectable only when the artifacts are correlated.

476
00:29:29,480 --> 00:29:31,320
The lesson extends to control.

477
00:29:31,320 --> 00:29:36,360
The detection that would have interrupted this case requires compound logic.

478
00:29:36,360 --> 00:29:39,760
Repeated medium-risk sign-ins within 7 days.

479
00:29:39,760 --> 00:29:42,560
New file sync added for the user.

480
00:29:42,560 --> 00:29:47,280
Sharing link created with widened scope on sensitive sites.

481
00:29:47,280 --> 00:29:49,560
Novelty rate above threshold.

482
00:29:49,560 --> 00:29:51,040
Optional: Copilot

483
00:29:51,040 --> 00:29:54,120
interaction touching cross-domain content.

484
00:29:54,120 --> 00:29:59,640
Any retention policy scope change on those sites inside a 2 hour window.

485
00:29:59,640 --> 00:30:01,080
Trigger a containment play.

486
00:30:01,080 --> 00:30:07,080
Force sign-out, revoke refresh tokens, block sync app ID and lock sharing scope pending review.

487
00:30:07,080 --> 00:30:09,280
In the end the case isn't unusual.

488
00:30:09,280 --> 00:30:15,040
It's ordinary movement: identity, privilege, data, egress, masquerading as business.

489
00:30:15,040 --> 00:30:16,160
The artifacts are there.

490
00:30:16,160 --> 00:30:20,720
The question is whether you correlate them before the silence returns.

491
00:30:20,720 --> 00:30:23,400
Operationalizing zero trust evidence:

492
00:30:23,400 --> 00:30:27,200
Queries, alerts, dashboards, automation.

493
00:30:27,200 --> 00:30:39,440
Enable the data, codify the detections and wire response paths that a human can trust.

494
00:30:39,440 --> 00:30:40,960
Enablement comes first.

495
00:30:40,960 --> 00:30:44,920
Verify these are on and flowing to a workspace you control.

496
00:30:44,920 --> 00:30:47,000
Entra ID Protection:

497
00:30:47,000 --> 00:30:48,000
Risk telemetry.

498
00:30:48,000 --> 00:30:49,000
Risky sign-ins.

499
00:30:49,000 --> 00:30:50,000
Risk detections.

500
00:30:50,000 --> 00:30:51,000
Workload.

501
00:30:51,000 --> 00:30:52,000
Identity.

502
00:30:52,000 --> 00:30:53,000
Anomalies.

503
00:30:53,000 --> 00:30:54,000
Purview audit.

504
00:30:54,000 --> 00:30:55,800
Unified audit.

505
00:30:55,800 --> 00:30:58,800
Work with premium events where licensed.

506
00:30:58,800 --> 00:31:02,280
Set retention beyond investigation horizons.

507
00:31:02,280 --> 00:31:07,560
Copilot interaction logs via the Management Activity API Copilot schema.

508
00:31:07,560 --> 00:31:14,080
Exchange mailbox auditing and SharePoint/OneDrive workloads included in audit scope.

509
00:31:14,080 --> 00:31:16,520
Stream all of it to a consistent store.

510
00:31:16,520 --> 00:31:20,360
Microsoft Sentinel or Log Analytics for KQL.

511
00:31:20,360 --> 00:31:26,160
If you rely only on portal views, your 30 and 90 day windows will erase context mid-case.

512
00:31:26,160 --> 00:31:29,520
KQL building blocks start with sessionization.

513
00:31:29,520 --> 00:31:32,360
The ledger doesn't hand you a session key.

514
00:31:32,360 --> 00:31:34,080
Derive one.

515
00:31:34,080 --> 00:31:40,000
Compute SessionKey = hash(UserId + AppId + ClientIP + bin(TimeGenerated,

516
00:31:40,000 --> 00:31:41,800
30m)).

517
00:31:41,800 --> 00:31:44,120
Maintain per session key aggregates.

518
00:31:44,120 --> 00:31:50,120
unique files, unique sites, privilege change flag, sharing scope widened flag, sync enabled

519
00:31:50,120 --> 00:31:52,120
flag, novelty rate.

520
00:31:52,120 --> 00:31:56,280
Mass access deltas are not raw counts; they're change from baseline.

521
00:31:56,280 --> 00:32:02,920
Build a per-user rolling baseline of unique files touched per 30-minute bin and flag any

522
00:32:02,920 --> 00:32:06,560
bin > P95 for that user and workload.

523
00:32:06,560 --> 00:32:08,120
Add a novelty rate.

524
00:32:08,120 --> 00:32:09,440
Percentage of objects.

525
00:32:09,440 --> 00:32:12,920
First seen by that user in 180 days.

526
00:32:12,920 --> 00:32:15,360
High count with high novelty is staging.

527
00:32:15,360 --> 00:32:18,840
High count with low novelty is often normal sync.

528
00:32:18,840 --> 00:32:24,320
Detection recipes must reflect the case pattern, not isolated spikes.

529
00:32:24,320 --> 00:32:28,840
Recipe one: repeated medium-risk sign-ins staging.

530
00:32:28,840 --> 00:32:29,840
Join IdentityInfo,

531
00:32:29,840 --> 00:32:32,840
summarize count(),

532
00:32:32,840 --> 00:32:35,280
dcount(ClientIP),

533
00:32:35,280 --> 00:32:36,280
make_set(

534
00:32:36,280 --> 00:32:38,960
RiskDetail) by UserId,

535
00:32:38,960 --> 00:32:42,480
bin(TimeGenerated, 7d),

536
00:32:42,480 --> 00:32:47,560
RiskLevel; where RiskLevel == medium and count

537
00:32:47,560 --> 00:32:51,040
>= 3 and dcount(ClientIP)

538
00:32:51,040 --> 00:32:54,640
>= 3; left join to any conditional access

539
00:32:54,640 --> 00:32:55,640
outcome,

540
00:32:55,640 --> 00:33:00,360
i.e. MFA required successes.

541
00:33:00,360 --> 00:33:04,320
Output UserId when criteria hold.

542
00:33:04,320 --> 00:33:11,920
Recipe two: new sync plus sharing scope widened plus novelty spike.

543
00:33:11,920 --> 00:33:15,360
Identify file sync added or device sync

544
00:33:15,360 --> 00:33:19,760
registration events per user within 60 minutes.

545
00:33:19,760 --> 00:33:22,200
Check for sharing link.

546
00:33:22,200 --> 00:33:26,200
created where link scope in (organization, anonymous).

547
00:33:26,200 --> 00:33:31,600
In the same session key, unique files > user P95 and novelty rate

548
00:33:31,600 --> 00:33:36,440
> 0.7; raise high severity if site sensitivity is high.

549
00:33:36,440 --> 00:33:41,040
Recipe three: forwarding rule plus access burst.

550
00:33:41,040 --> 00:33:49,100
On Set-InboxRule or New-InboxRule where ForwardTo or RedirectTo external domains within

551
00:33:49,100 --> 00:33:54,800
60 minutes, in the same session key, SharePoint file downloaded

552
00:33:54,800 --> 00:34:02,120
> user P95; elevate if rule uses subject filters to evade volume-based alerts.

553
00:34:02,120 --> 00:34:06,800
Recipe four: Purview policy change proximity.

554
00:34:06,800 --> 00:34:14,280
Site retention policy edits where mode changed to do not retain or excluded locations increased,

555
00:34:14,280 --> 00:34:19,880
correlate to any access spike on affected locations within two hours.

556
00:34:19,880 --> 00:34:25,640
If additional details lacks a change ticket ID, mark as suspicious.

557
00:34:25,640 --> 00:34:32,560
Recipe five: Copilot cross-site interaction plus egress. For Copilot interaction,

558
00:34:32,560 --> 00:34:37,440
count distinct site URLs referenced in 20 minutes.

559
00:34:37,440 --> 00:34:43,720
If distinct sites > threshold and novelty rate high, then check for downstream sharing link

560
00:34:43,720 --> 00:34:47,880
created or file export within 10 minutes.

561
00:34:47,880 --> 00:34:52,320
Elevate if user has an active risky sign-in recipe hit in past 7 days.

562
00:34:52,320 --> 00:34:57,960
Turn recipes into alert rules with clear thresholds, suppression and escalation.

563
00:34:57,960 --> 00:34:59,880
Alert thresholds:

564
00:34:59,880 --> 00:35:01,520
Repeated medium risk:

565
00:35:01,520 --> 00:35:03,200
Three events.

566
00:35:03,200 --> 00:35:06,600
in seven days from 3+ ASNs.

567
00:35:06,600 --> 00:35:09,960
Suppress for 48 hours after case open.

568
00:35:09,960 --> 00:35:13,240
Sync plus scope widened plus novelty:

569
00:35:13,240 --> 00:35:15,760
Any occurrence on sensitive sites.

570
00:35:15,760 --> 00:35:19,760
No suppression unless tagged change window.

571
00:35:19,760 --> 00:35:22,160
Forwarding rule plus burst.

572
00:35:22,160 --> 00:35:23,840
Any occurrence.

573
00:35:23,840 --> 00:35:26,200
Suppress for known migration tags.

574
00:35:26,200 --> 00:35:30,040
Purview:

575
00:35:30,040 --> 00:35:34,080
No suppression without dual approval ticket.

576
00:35:34,080 --> 00:35:36,560
Co-pilot cross-site plus egress.

577
00:35:36,560 --> 00:35:40,280
Two plus sensitive sites and downstream share export.

578
00:35:40,280 --> 00:35:44,040
Suppress per user for 12 hours post investigation note.

579
00:35:44,040 --> 00:35:46,920
Suppression windows prevent noise during sanctioned work.

580
00:35:46,920 --> 00:35:49,840
Tag allowed operations using service principal

581
00:35:49,840 --> 00:35:52,800
ID allow list for migration tooling,

582
00:35:52,800 --> 00:35:57,680
additional details change ticket ID from CAB-approved changes,

583
00:35:57,680 --> 00:36:03,320
known admin UPN allow list for break glass with time-bounded exceptions.

584
00:36:03,320 --> 00:36:06,800
Escalation paths need human eyes at the right moment.

585
00:36:06,800 --> 00:36:07,800
Define tiers.

586
00:36:07,800 --> 00:36:10,560
Tier one identity friction patterns.

587
00:36:10,560 --> 00:36:11,560
Recipe one.

588
00:36:11,560 --> 00:36:12,560
Route to identity

589
00:36:12,560 --> 00:36:13,560
SecOps.

590
00:36:13,560 --> 00:36:15,320
SLA for business hours.

591
00:36:15,320 --> 00:36:16,920
Tier two.

592
00:36:16,920 --> 00:36:18,320
Data staging.

593
00:36:18,320 --> 00:36:20,520
Recipe two three five.

594
00:36:20,520 --> 00:36:22,360
Route to data protection.

595
00:36:22,360 --> 00:36:24,360
SLA one hour.

596
00:36:24,360 --> 00:36:25,360
Tier three.

597
00:36:25,360 --> 00:36:26,360
Purview tampering.

598
00:36:26,360 --> 00:36:27,360
Recipe four.

599
00:36:27,360 --> 00:36:29,360
Route to incident commander.

600
00:36:29,360 --> 00:36:32,600
SLA 15 minutes and auto containment.

601
00:36:32,600 --> 00:36:35,440
Dashboards are where patterns become obvious.

602
00:36:35,440 --> 00:36:41,120
Build three Power BI tile sets sourced from your Log Analytics tables.

603
00:36:41,120 --> 00:36:43,280
Identity risk trend.

604
00:36:43,280 --> 00:36:47,640
Per user and per department counts of medium and high risk.

605
00:36:47,640 --> 00:36:56,160
Highlight users crossing the three-in-seven threshold.

606
00:36:56,160 --> 00:36:57,480
Staging hotspots.

607
00:36:57,480 --> 00:37:01,800
Map of sites with recent spikes in unique files and novelty rate.

608
00:37:01,800 --> 00:37:05,920
overlaid with sharing scope widened and sync enabled flag counts.

609
00:37:05,920 --> 00:37:09,280
Include a filter for sensitivity labels.

610
00:37:09,280 --> 00:37:11,000
Policy change heat map.

611
00:37:11,000 --> 00:37:14,840
Calendar view of retention and label policy edits with impact score.

612
00:37:14,840 --> 00:37:20,760
settings touched times sensitivity, and correlation markers for adjacent access spikes.

613
00:37:20,760 --> 00:37:26,440
Add a ledger view for investigations: a timeline strip per session key,

614
00:37:26,440 --> 00:37:31,800
showing icons for privilege changes, sync enablement, sharing scope,

615
00:37:31,800 --> 00:37:36,080
Copilot interactions, forwarding rules and export events.

616
00:37:36,080 --> 00:37:40,600
The analyst shouldn't reconstruct mentally; let the timeline tell it.

617
00:37:40,600 --> 00:37:48,280
Automation tightens the loop: use Sentinel playbooks (Logic Apps) for containment and notification. For

618
00:37:48,280 --> 00:37:58,080
tier two and tier three, auto-execute: revoke all the user's Azure AD refresh tokens, invalidate sessions

619
00:37:58,080 --> 00:38:06,480
for targeted app IDs (SharePoint, OneDrive), disable new sync on the user via Graph, set external

620
00:38:06,480 --> 00:38:13,160
sharing on impacted sites to existing guests temporarily, lock down sharing scope by calling

621
00:38:13,160 --> 00:38:19,040
the SharePoint admin API to revert link scopes on affected sites, quarantine generated docs

622
00:38:19,040 --> 00:38:24,800
by applying a hold-incident sensitivity label via Graph and moving them to a secured library

623
00:38:24,800 --> 00:38:32,040
with a legal hold, create a ticket in your ITSM with the full artifact set: user ID, session

624
00:38:32,040 --> 00:38:40,240
key, queries used, affected sites, policy diff and a preservation link. Use Power Automate for

625
00:38:40,240 --> 00:38:47,280
analyst assist: when an alert fires, auto-compile a briefing, last seven days of identity

626
00:38:47,280 --> 00:38:54,600
risk, last 24 hours of UAL for the user ID, policy changes nearby and a list of novel files

627
00:38:54,600 --> 00:39:01,000
touched, delivered to a Teams incident channel. If the analyst marks benign migration, write

628
00:39:01,000 --> 00:39:07,080
back a tag into a reference list so future alerts suppress during that change window. Governance

629
00:39:07,080 --> 00:39:13,200
cements credibility: assign log ownership. Identity telemetry owner ensures risky sign-ins

630
00:39:13,200 --> 00:39:19,400
and detections export weekly beyond native retention. Audit owner validates UAL ingestion

631
00:39:19,400 --> 00:39:27,200
completeness and reconciles ingestion gaps daily. Policy owner enforces dual control on retention

632
00:39:27,200 --> 00:39:34,040
and maintains the change ticket ID mandate. Evidence custodian manages WORM storage and secondary

633
00:39:34,040 --> 00:39:40,360
region mirroring for policy edits and alert snapshots. Define retention SLAs aligned

634
00:39:40,360 --> 00:39:47,240
to your investigative reality: 180 days minimum for risky sign-ins and detections, one year for

635
00:39:47,240 --> 00:39:54,840
UAL, 10 years for policy changes and incident evidence bundles. If licensing limits apply, export

636
00:39:54,840 --> 00:40:01,840
to your SIEM and enforce immutability at the storage layer. Finally, preservation procedures: when

637
00:40:01,840 --> 00:40:07,240
any tier two or tier three alert opens, auto-freeze the related artifacts, copy the relevant rows

638
00:40:07,240 --> 00:40:14,000
to a locked table, export the policy JSON snapshots and capture hashes of generated documents.

639
00:40:14,000 --> 00:40:19,600
In this environment nothing is accidental; your chain of custody shouldn't be either. With

640
00:40:19,600 --> 00:40:26,440
evidence operationalized, zero trust stops being a promise and becomes a record. The only remaining

641
00:40:26,440 --> 00:40:33,360
step is to make the lesson explicit: zero trust only works when identities, actions, policy

642
00:40:33,360 --> 00:40:39,240
edits and AI access are correlated into one defensible narrative. Turn that into practice

643
00:40:39,240 --> 00:40:47,080
now: enable the four log sources, deploy the detection recipes and use the starter KQL,

644
00:40:47,080 --> 00:40:54,400
Sentinel playbooks and Power BI dashboards linked here to convert traces into response. Subscribe

645
00:40:54,400 --> 00:40:58,240
for the deeper walkthrough and grab the query pack in the next podcast.