Cloud Crime Scene: The Microsoft Forensics
This episode plays out like a cybercrime thriller, exposing how today’s most dangerous breaches don’t smash doors—they’re invited inside. The investigation opens with a single click on January 12th. A polished phishing email doesn’t steal a password; it steals a session token. Within minutes, that identity reappears from impossible locations, inbox rules quietly erase executive emails, and an attacker reads everything without ever being noticed. The breach is clean, fast, and devastating—until Zero Trust guardrails snap shut mid-stride.
But just when the case feels solved, the real twist lands. No phishing. No forced login. Instead, a forged badge. An OAuth consent screen convinces a user to grant access to a malicious app. The permissions are real. The trust is real. The damage is real. With legitimate keys in the wrong hands, data is sampled, skimmed, and harvested quietly enough to avoid alert thresholds. The logs don’t shout—they whisper.
Across both cases, the message is blunt: attackers don’t break in anymore—they log in. Tools won’t save you without discipline. Zero Trust, shared responsibility, consent controls, and defense in depth determine whether a click becomes a catastrophe. Identity isn’t just the first victim—it’s the key witness. And every answer begins with one question: what did the identity know, and when did it know it?
What really happens inside a Security Operations Center when a cloud breach unfolds? In this gripping episode of Cloud Crime Scene: The Microsoft Forensics, we take you deep inside the digital investigation process as Microsoft security experts unravel a real-world-style cloud incident. From silent alerts to hidden attacker movement, you’ll experience how modern cyber forensics works in the age of cloud computing. This episode blends technical insight, real incident response workflows, and digital crime storytelling to reveal how attackers exploit misconfigurations, identity gaps, and cloud drift—while defenders race against time to stop the breach.
🔍 What You’ll Learn in This Episode
- How modern cloud attacks are detected inside a SOC
- What cloud forensic investigations look like in real time
- The dangers of configuration drift, security debt, and identity sprawl
- How attackers pivot through Microsoft cloud environments
- The role of telemetry, logs, and threat hunting in identifying intrusions
- Why dashboards don’t always show the full story
- How small security gaps lead to major cloud breaches
🧠 Key Topics Covered
- Cloud incident response
- Microsoft security forensics
- SOC operations and alert triage
- Identity-based attacks
- Cloud misconfigurations
- Threat detection and investigation
- Digital forensics in enterprise environments
- Security drift and cloud risk
🚨 Episode Summary
The episode opens inside a tense Security Operations Center as the hum of machines fades and an unfamiliar alert cuts through the silence. What begins as routine monitoring quickly unfolds into a full-scale investigation. As analysts trace abnormal behavior across cloud workloads, they uncover a dangerous mix of identity compromise, configuration drift, and unmonitored activity. Through forensic analysis and real-time response, this episode shows how quickly attackers can move through cloud environments—and how difficult it is to contain them without proper visibility and controls. It’s a powerful reminder that cloud security isn’t just about tools—it’s about process, discipline, and continuous vigilance.
🎯 Who This Episode Is For
- Cloud security professionals
- SOC analysts & incident responders
- Microsoft security practitioners
- Digital forensics experts
- IT security leaders
- Students learning cybersecurity & cloud defense
- Anyone interested in real-world cybercrime investigations
🔐 Why This Episode Matters
Cloud environments move fast—but attackers move faster. This episode shows exactly how breaches develop in modern Microsoft-based infrastructures and what security teams must do to stay ahead. If you’re responsible for securing workloads, identities, or data in the cloud, this episode is essential listening.
Become a supporter of this podcast: https://www.spreaker.com/podcast/m365-show-podcast--6704921/support.
1
00:00:00,000 --> 00:00:04,600
The hum of the SOC dies, the cursor stops, then.
2
00:00:04,600 --> 00:00:06,100
Nothing.
3
00:00:06,100 --> 00:00:08,760
A trillion dollar crime scene.
4
00:00:08,760 --> 00:00:10,560
Too quiet.
5
00:00:10,560 --> 00:00:12,360
Too clean.
6
00:00:12,360 --> 00:00:14,320
I don't solve breaches.
7
00:00:14,320 --> 00:00:15,880
I dissect them.
8
00:00:15,880 --> 00:00:17,680
Two cases on the slab.
9
00:00:17,680 --> 00:00:22,480
First, a click at 1/12, a session token walks out the door,
10
00:00:22,480 --> 00:00:25,680
a log in from a country the user's never seen,
11
00:00:25,680 --> 00:00:29,240
and a block lands milliseconds before the takeover.
12
00:00:29,240 --> 00:00:32,000
Second, no passwords stolen.
13
00:00:32,000 --> 00:00:33,240
No door forced.
14
00:00:33,240 --> 00:00:36,320
The victim waves a forged badge and lets the suspect in.
15
00:00:36,320 --> 00:00:37,960
One mistake let them inside.
16
00:00:37,960 --> 00:00:39,440
We'll name it before the verdict.
17
00:00:39,440 --> 00:00:40,840
Stay with me.
18
00:00:40,840 --> 00:00:42,400
The logs will talk.
19
00:00:42,400 --> 00:00:43,600
They always do.
20
00:00:43,600 --> 00:00:46,880
Scale of the crime, the operating reality.
21
00:00:46,880 --> 00:00:49,240
A cold splash to wake the room.
22
00:00:49,240 --> 00:00:51,480
1/12, a user taps a phish.
23
00:00:51,480 --> 00:00:55,520
1/13, inbox rules bloom like mold.
24
00:00:55,520 --> 00:00:59,200
1/15, the mailbox bends to a strange
25
00:00:59,200 --> 00:01:00,200
creature.
26
00:01:00,200 --> 00:01:02,640
Yeah, that fast.
27
00:01:02,640 --> 00:01:04,000
Here's the asymmetry.
28
00:01:04,000 --> 00:01:07,520
They hunt in packs, write once, run forever.
29
00:01:07,520 --> 00:01:10,520
We patch by hand and pray the alerts make sense.
30
00:01:10,520 --> 00:01:14,120
So they've got time, scripts, and a market that pays in bulk.
31
00:01:14,120 --> 00:01:19,000
We've got drift, debt, and dashboards that look busy when they're blind.
32
00:01:19,000 --> 00:01:21,200
Everyone romanticizes break-ins.
33
00:01:21,200 --> 00:01:22,720
That's not how this goes.
34
00:01:22,720 --> 00:01:24,840
They don't break in, they log in.
35
00:01:24,840 --> 00:01:29,160
Tokens over passwords, consent over cracking, living off the land like they pay rent.
36
00:01:29,160 --> 00:01:36,320
A mailbox rule here, a share there, no alarms, no glass, just a clean entry and a quiet exit.
37
00:01:36,320 --> 00:01:37,680
You want motive?
38
00:01:37,680 --> 00:01:38,680
Money?
39
00:01:38,680 --> 00:01:39,680
You want means?
40
00:01:39,680 --> 00:01:40,920
Automation?
41
00:01:40,920 --> 00:01:42,760
You want opportunity?
42
00:01:42,760 --> 00:01:45,000
Our posture gone rotten.
43
00:01:45,000 --> 00:01:47,680
Baselines drift.
44
00:01:47,680 --> 00:01:49,840
Exceptions pile up.
45
00:01:49,840 --> 00:01:55,640
Legacy auth lurks in a forgotten corner, still handing out keys.
46
00:01:55,640 --> 00:02:02,600
Bots outpace the check, shadow SaaS blooms in the dark, unvetted apps with greedy scopes
47
00:02:02,600 --> 00:02:07,400
and in the SOC, alert fatigue turns a siren into a lullaby.
48
00:02:07,400 --> 00:02:11,800
The suspect walks past, hat low, bad job.
49
00:02:11,800 --> 00:02:16,880
No remorse, listen close, technology won't save you, discipline will.
50
00:02:16,880 --> 00:02:21,660
We don't need a new screen, we need an investigation habit that doesn't blink, so we draw three
51
00:02:21,660 --> 00:02:24,280
guardrails in paint that doesn't dry.
52
00:02:24,280 --> 00:02:33,080
Zero trust, every request is a suspect, identity, device, session, show your papers.
53
00:02:33,080 --> 00:02:37,040
If the travel is impossible, stop the feet mid-flight.
54
00:02:37,040 --> 00:02:40,760
If the auth isn't strong, close the door.
55
00:02:40,760 --> 00:02:45,600
Shared responsibility, the cloud is their house, your data is your family, Azure keeps
56
00:02:45,600 --> 00:02:49,200
the lights on, you decide who gets a key.
57
00:02:49,200 --> 00:02:53,960
Consent controls, device compliance, a short leash on third party mouths that want to
58
00:02:53,960 --> 00:02:56,400
eat your mail.
59
00:02:56,400 --> 00:03:00,480
Defense in depth, many doors, many locks.
60
00:03:00,480 --> 00:03:07,320
When a token slips, the blast radius meets a wall, browser only for strangers.
61
00:03:07,320 --> 00:03:15,480
App enforced restrictions, labels that turn stolen files into blank pages, circuit breakers,
62
00:03:15,480 --> 00:03:17,960
not comfort blankets.
63
00:03:17,960 --> 00:03:24,280
There is the tell, survivors pick consistency over clever, no quiet carve-outs for the urgent
64
00:03:24,280 --> 00:03:31,560
exec, no just this once for the road warrior, they know the rule that matters, break a guardrail
65
00:03:31,560 --> 00:03:33,800
and gravity wins.
66
00:03:33,800 --> 00:03:38,680
Remember this number, one twelve, because everything that matters starts there.
67
00:03:38,680 --> 00:03:41,960
The click isn't the crime, it's the opening narration.
68
00:03:41,960 --> 00:03:47,760
After that, identity takes the first hit and writes the first statement.
69
00:03:47,760 --> 00:03:53,520
We'll walk the tape, we'll ask one question over and over what did the identity know and
70
00:03:53,520 --> 00:03:55,480
when did it know it.
71
00:03:55,480 --> 00:04:01,720
Now the body's warm, time to lift the sheet, foundational motives, the doctrines that decide
72
00:04:01,720 --> 00:04:10,640
outcomes, every case has a philosophy behind it, ours has three guardrails, not slides.
73
00:04:10,640 --> 00:04:15,360
Zero trust first, paranoid, never wrong.
74
00:04:15,360 --> 00:04:23,560
Every request is a suspect, identity shows a face, device shows a badge, session shows its
75
00:04:23,560 --> 00:04:32,600
story, no face, no entry, and when the story bends, impossible travel, jittery IPs, a token
76
00:04:32,600 --> 00:04:36,920
that smells reused, the door locks mid swing.
77
00:04:36,920 --> 00:04:42,240
That's the move that stops the fall, you don't negotiate with physics, you interrupt it.
78
00:04:42,240 --> 00:04:49,120
Case relevance, you'll hear it soon, Toronto at 2:02, Moscow at 2:14, zero trust, here's the
79
00:04:49,120 --> 00:04:55,040
footstep that shouldn't exist, conditional access throws the bolt, auth strength raises
80
00:04:55,040 --> 00:05:00,000
the bar, legacy auth, gone.
81
00:05:00,000 --> 00:05:06,480
Second guardrail, shared responsibility, the contract no one reads until the fire, as
82
00:05:06,480 --> 00:05:12,120
Azure keeps the building standing, you decide who carries the keys, you police your guests,
83
00:05:12,120 --> 00:05:17,240
your contractors, your apps, shadow SaaS, that's the side door with the hinge pulled, consent
84
00:05:17,240 --> 00:05:24,600
screens with greedy scopes, an app that wants Mail.ReadWrite to sync your calendar, cute
85
00:05:24,600 --> 00:05:30,280
until your tenant turns into a buffet, so you force an approver into the room, admin consent
86
00:05:30,280 --> 00:05:36,600
workflow, consent policies that fence the scopes, Defender for Cloud Apps watching the hallway
87
00:05:36,600 --> 00:05:42,400
cams after you sign the ledger, third guardrail, defense in depth because one lock fails, they
88
00:05:42,400 --> 00:05:47,960
always fail, what matters is the next lock, and the one after that, token slips, blast
89
00:05:47,960 --> 00:05:53,400
radius meets a wall, browser only for the unknown, app enforced restrictions so files open like
90
00:05:53,400 --> 00:06:01,380
exhibits, not loot, labels that wrap content in steel, steal the file, enjoy the safe,
91
00:06:01,380 --> 00:06:07,820
you want case ties, you'll get them, when the inbox rule blooms, it won't bloom for,
92
00:06:07,820 --> 00:06:14,820
when the token replays the replay hits tempered glass, when the device twitches Defender isolates,
93
00:06:14,820 --> 00:06:22,140
when the queries spike, Sentinel stitches the chain, depth buys time, time buys containment,
94
00:06:22,140 --> 00:06:30,500
now behavior, the part no tool can fake, survivors don't improvise, they rehearse, they set baselines,
95
00:06:30,500 --> 00:06:36,860
they keep them tight, they don't write exceptions for urgent execs or road show heroes, they
96
00:06:36,860 --> 00:06:42,140
know just this once is the preamble to we never saw it coming, so here's the rule I work
97
00:06:42,140 --> 00:06:48,020
by, every doctrine is a guardrail, break one and the attacker doesn't need brilliance, they
98
00:06:48,020 --> 00:06:53,700
need gravity, listen for the question again, what did the identity know, when did it know
99
00:06:53,700 --> 00:06:58,940
it, because doctrine isn't theory here, it's a clock you can hear, zero trust is the
100
00:06:58,940 --> 00:07:06,940
tick, shared responsibility is the tock, defense in depth is the spring that keeps them honest,
101
00:07:06,940 --> 00:07:12,260
and when a token walks, when an app waves a forged badge, when a sign in lands from a sky
102
00:07:12,260 --> 00:07:18,340
the user never flew, these guardrails decide outcomes, not the logo in the corner, not the
103
00:07:18,340 --> 00:07:27,220
heat map, guardrails, now lift your eyes to the corridor ahead, identity lies there,
104
00:07:27,220 --> 00:07:36,380
not dead, just quiet, logs still warm, we'll read them like last words, and if the doctrine
105
00:07:36,380 --> 00:07:42,100
holds the body talks, if it doesn't the fall already happened, we move lights low, notebook
106
00:07:42,100 --> 00:07:48,820
open, tick, tock, identity, the first victim, the first detective, identity lies in the corridor,
107
00:07:48,820 --> 00:07:56,020
not dead, just quiet, logs still warm, I crouch beside it and ask the only question that
108
00:07:56,020 --> 00:08:02,100
matters, what did the identity know, and when did it know it?
109
00:08:02,100 --> 00:08:11,880
The soft timestamp beep answers me, 02:02, 02:14, 02:15, heartbeat under the sheet, Entra ID
110
00:08:11,880 --> 00:08:19,420
plays back the pulse, sign in risk first, a familiar name from an unfamiliar sky, Toronto
111
00:08:19,420 --> 00:08:27,940
at lunch, Moscow before the coffee cools, high-risk stamped in red ink the user never sees,
112
00:08:27,940 --> 00:08:34,860
user risk follows, credentials showing up where they don't live, paste sites, trade boards,
113
00:08:34,860 --> 00:08:41,780
signals that smell like a wallet left open, again, device posture steps forward like a
114
00:08:41,780 --> 00:08:48,460
nurse with a chart, compliance, encryption, patch level, if the answers stutter, the
115
00:08:48,460 --> 00:08:54,840
bouncer hears it, conditional access waits at the door, it doesn't smile, geo says no,
116
00:08:54,840 --> 00:09:01,180
device says prove it, client app says browser only, auth strength asks for a key that can't
117
00:09:01,180 --> 00:09:09,860
be copied, no face, no entry, Identity Protection does the profiling work no human has time to do,
118
00:09:09,860 --> 00:09:17,540
impossible travel plots the jump on a cold map, token anomalies glint like a reused shell casing,
119
00:09:17,540 --> 00:09:24,260
risky sessions move against the grain of the user's normal day, another time stamp chirps,
120
00:09:24,260 --> 00:09:33,540
02:12, attempted sign in from an IP that tries too hard to be ordinary, two failed prompts,
121
00:09:33,540 --> 00:09:39,820
one replayed token, same claims, different device, yeah, they didn't break in, they tried
122
00:09:39,820 --> 00:09:46,180
to log in with a face they stole, kill switches live under glass for a reason, high user risk
123
00:09:46,180 --> 00:09:54,100
block, that's the breaker, no more grace, legacy auth deny, that's the padlock on the old door,
124
00:09:54,100 --> 00:09:59,700
everyone meant to seal, device code flow block, that trick where a screen says type this code over
125
00:09:59,700 --> 00:10:11,380
there, not tonight, I hear the pushback already, contractors, BYOD, real life, so we draw a thin line
126
00:10:11,380 --> 00:10:18,100
and make it steel, browser only for unmanaged, app enforced restrictions in the session, you can view,
127
00:10:18,100 --> 00:10:24,340
you can edit, you can't download, print, or sync, no local copy for a thief to love later,
128
00:10:24,340 --> 00:10:32,980
the hum of the SOC is still low, too low, the analyst on night shift never saw the rule bloom, no one would,
129
00:10:32,980 --> 00:10:39,060
not with alert fatigue humming like white noise, so I keep asking what did the identity know,
130
00:10:39,060 --> 00:10:44,500
when did it know it, Entra answers with another line of truth, attempted login at 02:14,
131
00:10:44,500 --> 00:10:53,860
origin, Moscow, user location, Toronto, risk level, high, MFA challenge, failed, a log line appears,
132
00:10:53,860 --> 00:11:00,180
a timestamp beeps, I don't need graphics, I need that sound, patterns tighten, conditional access
133
00:11:00,180 --> 00:11:08,660
rejects the hop mid air, auth strength shifts from some to phish-resistant, no hardware key, no passage,
134
00:11:09,060 --> 00:11:15,220
legacy protocols knock once and hear nothing back, identity rolls over and points toward the door we
135
00:11:15,220 --> 00:11:23,060
haven't opened yet, the mailbox, the rule, the quiet cut, I catalog the telltales before we move,
136
00:11:23,060 --> 00:11:30,500
sign in risk spikes when geography lies, user risk spikes when secrets leak in places they don't
137
00:11:30,500 --> 00:11:36,980
belong, device posture saves you when a token tries to impersonate a device it's never met,
138
00:11:38,260 --> 00:11:44,980
kill switches stop the harm while you think, discipline isn't a slide, it's a reflex, one more time
139
00:11:44,980 --> 00:11:53,220
stamp, two seventeen, it lingers like a last breath, identity isn't the suspect here, it's the witness,
140
00:11:53,220 --> 00:11:58,580
we lift it carefully we thank it for the story and we follow its finger to the tape,
141
00:11:58,580 --> 00:12:05,620
where the click lives, where the rule blooms, where the token walks out under a borrowed face,
142
00:12:05,620 --> 00:12:16,260
the body's quiet now, the corridor isn't, we move to the reenactment, phish, token theft, impossible
143
00:12:16,260 --> 00:12:23,220
travel, one twelve, subject line urgent verify your account, sender spoofed, domain off by a letter,
144
00:12:23,220 --> 00:12:31,140
link dressed in corporate blue, the click, a page that looks right but breathes wrong, TLS is valid,
145
00:12:31,140 --> 00:12:39,460
the form is neat, credentials typed, MFA completed, session born, no alarms, no glass,
146
00:12:39,460 --> 00:12:47,380
a cookie drops, the token leaves with the referrer like a pickpocket, slipping out the side door,
147
00:12:47,380 --> 00:12:58,900
quiet, clean, a ticking bomb, one thirteen, inbox rules bloom, move messages from CEO
148
00:12:58,900 --> 00:13:06,660
to RSS feeds, a neat hide, forward anything with wire, invoice urgent, the user never sees the bait go
149
00:13:06,660 --> 00:13:16,740
missing, the attacker reads without being seen, was it password spray, no MFA fatigue, not this time,
150
00:13:16,740 --> 00:13:28,420
the password worked once, the token works again and again, one fourteen, a second machine wakes in
151
00:13:28,420 --> 00:13:34,580
another sky, the token gets replayed, same user same claims different device different continent,
152
00:13:34,580 --> 00:13:44,580
I hear the timestamp beep, 02:14, attempted login, origin, Moscow, user location, Toronto,
153
00:13:44,580 --> 00:13:49,220
risk, high MFA challenge, failed,
154
00:13:52,020 --> 00:13:58,740
Entra doesn't like ghosts that travel faster than physics, conditional access raises the bar,
155
00:13:58,740 --> 00:14:06,340
mid air, impossible travel checked, session claims examined, auth strength tightened,
156
00:14:06,340 --> 00:14:15,860
no hardware key, denied, they try again, another IP tries too hard to look boring, autonomous,
157
00:14:15,860 --> 00:14:26,340
scripted, no remorse, Defender sees the mailbox twitch, 08:12, suspicious inbox rule created, 08:14,
158
00:14:26,340 --> 00:14:32,820
token replay identified, 08:15 endpoint isolated by automated response,
159
00:14:32,820 --> 00:14:41,620
08:16 malicious process blocked, I start a countdown in my head, 90 seconds to cut access, 30 to isolate,
160
00:14:42,260 --> 00:14:49,140
10 to revoke, the first cut, revoke sessions, invalidate the token family,
161
00:14:49,140 --> 00:14:55,620
close every borrowed face at once, break the attacker's oxygen line, the second cut,
162
00:14:55,620 --> 00:15:00,980
kill the rule, purge the mailbox filter, restore visibility to the victim's eyes,
163
00:15:00,980 --> 00:15:09,300
the third cut, reset credentials with phish-resistant enrollment, temporary access pass to bridge
164
00:15:09,300 --> 00:15:17,220
the MFA gap, FIDO key to close it, Sentinel stitches the chain, KQL stays off the tape, the story doesn't,
165
00:15:17,220 --> 00:15:25,620
three high risk sign-ins, five failed MFA prompts, token replay across geos, unusual mailbox rule creation,
166
00:15:25,620 --> 00:15:31,540
one incident, too clean to be random, the attacker pivots, SharePoint pings,
167
00:15:31,540 --> 00:15:37,540
download attempts whisper against policy, app enforced restrictions turn looting into viewing,
168
00:15:38,180 --> 00:15:45,140
files open like exhibits not loot, Information Protection wraps the content, labels hold, encryption
169
00:15:45,140 --> 00:15:52,660
stays married to identity, steal the file, enjoy the safe, compliance steps in with the evidence bag,
170
00:15:52,660 --> 00:16:00,340
a folder opens, eDiscovery bags the window, accessed 42 sensitive files between 02:10 and
171
00:16:00,340 --> 00:16:09,380
02:18, then a smudge, a metadata fingerprint, 02:17, a timestamp mismatch on one file,
172
00:16:09,380 --> 00:16:16,660
touched without a matching sign-in, token replay heat, they didn't have the password then,
173
00:16:16,660 --> 00:16:22,740
they had a session, I check the body language of the logs, user risk rises where it shouldn't,
174
00:16:22,740 --> 00:16:30,180
sign-in risk spikes on a route no plane can fly, device posture refuses to lie for a stranger,
175
00:16:31,060 --> 00:16:38,820
we press the emergency glass, high user risk block engages, legacy auth deny keeps the old door welded,
176
00:16:38,820 --> 00:16:44,660
device code flow block shuts the type this code over there, hustle, the room gets louder,
177
00:16:44,660 --> 00:16:52,020
the SOC hum climbs from flatline to a steady rhythm, analysts read the same clock, tick,
178
00:16:52,020 --> 00:17:00,100
Entra, tock, Defender, tick, Sentinel, tock, Compliance, Security Copilot takes the stand,
179
00:17:00,100 --> 00:17:08,420
no magic, just time saved, summary, phishing led to token theft, token replay from foreign IP,
180
00:17:08,420 --> 00:17:15,380
inbox rule created to conceal executive mail, conditional access blocked impossible travel,
181
00:17:15,380 --> 00:17:21,380
sessions revoked, endpoint isolated, no confirmed exfiltration, protected data remained unreadable,
182
00:17:21,380 --> 00:17:29,300
we replay the beats to be sure, the click, the token walks, the foreign hop,
183
00:17:29,300 --> 00:17:38,740
the bouncer slams the door, the rule gets erased, the session family dies, the files stay locked,
184
00:17:38,740 --> 00:17:45,540
the tenant breathes, could they have slipped farther, only if the guardrails were soft, if legacy auth
185
00:17:45,540 --> 00:17:53,860
stayed open, if browser only wasn't enforced, if labels were just stickers, if just this once lived
186
00:17:53,860 --> 00:18:03,060
in policy, the mistake, it wasn't the click, clicks happen, it was the gap where tokens outran
187
00:18:03,060 --> 00:18:09,540
trust, where auth strength couldn't be raised on the fly, where device trust wasn't demanded for
188
00:18:09,540 --> 00:18:16,180
sensitive work, we close that gap with posture, not posters, raise authentication strength by context,
189
00:18:16,180 --> 00:18:24,100
require compliant devices for finance, legal, HR, attach authentication context to what matters,
190
00:18:24,100 --> 00:18:31,700
force the second door every time, the attacker fades when the oxygen fades attempts keep coming from
191
00:18:31,700 --> 00:18:43,780
the cold, denied on sight, no face, no entry, the hum settles, not quiet, alive, we bag the evidence,
192
00:18:43,780 --> 00:18:50,100
we keep the fingerprints, we learn the rhythm, and then I ask the question one more time,
193
00:18:50,100 --> 00:18:57,380
what did the identity know and when did it know it, identity points past the token,
194
00:18:57,380 --> 00:19:05,060
past the rule to a different trick, no broken lock, no replay, a badge waved at the door,
195
00:19:05,060 --> 00:19:12,420
and the door smiling back, we turn to the next case, the consent that felt like convenience,
196
00:19:12,420 --> 00:19:18,260
the forged badge that looked like trust, the kind of break in where no glass breaks,
197
00:19:18,260 --> 00:19:25,620
yeah that one, the twist, OAuth consent grant attack, the attacker didn't break in,
198
00:19:25,620 --> 00:19:32,340
the victim opened the door, a polite email, connect this app to sync your calendar, corporate colors,
199
00:19:32,340 --> 00:19:38,900
a tidy logo, the link lands clean, consent screen, this app would like to, read your mail,
200
00:19:38,900 --> 00:19:44,580
access your files, maintain access, the scopes are greedy, the badge looks official,
201
00:19:44,580 --> 00:19:53,540
the user clicks, accept, no password stolen, no glass, just a broken trust, OAuth hands a token to an app
202
00:19:53,540 --> 00:20:01,460
that tenant never met, legit keys, illegitimate hands, the door smiles back, I hear the soft consent
203
00:20:01,460 --> 00:20:08,020
chime in my head, that's the tell I've learned to hate, the logs don't shout, they nod,
204
00:20:08,020 --> 00:20:15,380
new enterprise app added, publisher unfamiliar, permissions too tall for the job, why does a
205
00:20:15,380 --> 00:20:23,460
calendar tool want Mail.ReadWrite, Files.Read.All, offline_access, the forged badge waves,
206
00:20:23,460 --> 00:20:31,700
security looks from across the lobby too far, too late, this isn't intrusion, it's delegation,
207
00:20:31,700 --> 00:20:38,180
the tenant says, you can act as me, Defender sees authorized access,
208
00:20:38,180 --> 00:20:43,940
Entra signs the pass, Sentinel reads movement, not motive, and the app moves like it belongs,
209
00:20:43,940 --> 00:20:50,580
evidence rolls in quiet waves, throttled Graph calls, mail search patterns that skim,
210
00:20:50,580 --> 00:20:58,020
not dive, list drives, enumerate sites, sample, sample, sample, never enough to trip crude
211
00:20:58,020 --> 00:21:03,380
thresholds, just enough to pocket a few secrets and walk away, we test the hinges.
212
00:21:03,380 --> 00:21:10,580
Admin consent workflow put an approver in the room, no lone clicks with corporate keys,
213
00:21:10,580 --> 00:21:16,980
consent policies, fence the scopes, ban unknown publishers from asking for God's wallet,
214
00:21:16,980 --> 00:21:21,940
and after the signature watch the halls, Defender for Cloud Apps tracks the gate,
215
00:21:21,940 --> 00:21:27,140
new app pulling mail across departments, query rate unusual for stated purpose,
216
00:21:27,140 --> 00:21:33,780
the hallway cams don't sleep, I replay the scene for the tape, the pitch, the click, the badge,
217
00:21:33,780 --> 00:21:40,020
the pass, the quiet harvest, no MFA prompt to fight, no device posture to fail,
218
00:21:40,020 --> 00:21:45,300
because the trust is real, just misplaced. We pull the levers that matter,
219
00:21:45,300 --> 00:21:49,300
revoke the app's grants, disable user consent for risky scopes,
220
00:21:49,300 --> 00:21:56,740
require admin review for anything that touches mail, files, directory, set consent filters,
221
00:21:56,740 --> 00:22:02,820
block multi-tenant unverified publishers, publish an allow list, everyone else waits in the lobby,
222
00:22:02,820 --> 00:22:08,660
I leave one line on the wall, trust the app, lose the tenant, and another for the ones who still want
223
00:22:08,660 --> 00:22:17,380
convenience, convenience is a suspect that smiles, the hum of the SOC deepens, not panic, resolve,
224
00:22:17,380 --> 00:22:24,420
the crew knows the trick now, the next forged badge hits a locked turnstile, we log the case,
225
00:22:24,420 --> 00:22:30,740
then we move to the locker where truth doesn't rust, compliance, the evidence locker,
226
00:22:30,740 --> 00:22:36,740
without compliance telemetry the reenactment is gossip, with it it's testimony, a drawer slides,
227
00:22:38,100 --> 00:22:47,140
a folder opens, quiet, but final, Insider Risk lights a narrow beam first,
228
00:22:47,140 --> 00:22:54,180
unusual access patterns spike in the breach window, a user who reads five files an hour reads
229
00:22:54,180 --> 00:23:02,020
215 in minutes, that's not work, that's a sweep, Information Protection answers with steel, labels aren't
230
00:23:02,020 --> 00:23:09,460
stickers, they're locks married to identity, the stolen files open as blanks outside policy,
231
00:23:09,460 --> 00:23:15,060
the attacker lifts a safe, not the contents, no remorse there but no payoff either,
232
00:23:15,060 --> 00:23:23,700
eDiscovery bags the timeline, who touched what, when, from where, chain of custody stamped, not guessed,
233
00:23:23,700 --> 00:23:30,500
we export the slice 02:10 to 02:18 and the numbers don't lie, 42 sensitive files accessed,
234
00:23:30,500 --> 00:23:36,580
one timestamp out of cadence, 02:17, matching the token replay we already pinned,
235
00:23:36,580 --> 00:23:43,380
the fingerprint in metadata that ties motive to method, Records Management stands behind the glass
236
00:23:43,380 --> 00:23:51,620
with a ledger that doesn't forget, immutable retention audit trails that testify, no we think,
237
00:23:51,620 --> 00:23:58,260
only here it is, a story that holds up under lights, I narrate the case to the room,
238
00:23:58,260 --> 00:24:06,500
low and slow, evidence shows access attempt via token replay, evidence shows mailbox rule creation,
239
00:24:06,500 --> 00:24:14,580
evidence shows post consent app behavior inconsistent with declared purpose, labels blocked exfiltration,
240
00:24:14,580 --> 00:24:21,700
sessions revoked, app grants removed, no data rendered readable outside policy, no drama,
241
00:24:21,700 --> 00:24:28,740
just gravity, this is why we drill before the breach, preserve first, analyze second, narrate last,
242
00:24:28,740 --> 00:24:34,020
because if you mix the order, you smear the prints, the locker closes with a soft click,
243
00:24:34,020 --> 00:24:41,300
the lesson isn't the tools, it's the habit, compliance isn't paperwork, it's the chain that turns
244
00:24:41,300 --> 00:24:48,020
logs into proof and proof into a verdict, the room breathes, we've got a clean timeline,
245
00:24:48,020 --> 00:24:54,900
the next move isn't panic, it's training, the boot camp reveal, training digital detectives,
246
00:24:54,900 --> 00:25:02,660
unprepared defenders lose, trained investigators win, we don't teach tools, we teach process,
247
00:25:02,660 --> 00:25:09,540
zero trust in motion, identity timelines you can read by ear, conditional access baselines that
248
00:25:09,540 --> 00:25:16,340
hold under pressure, Defender and Sentinel as frameworks, not wallpaper, compliance as chain of
249
00:25:16,340 --> 00:25:21,300
custody, not paperwork, you'll work a live breach, you'll follow the footprints, you'll run the
250
00:25:21,300 --> 00:25:28,340
queries, you'll decide where the trail leads, before you hear alerts, after you hear confessions,
251
00:25:28,340 --> 00:25:36,180
day two before lunch, one attendee spots a consent grant with greedy scopes and stops it at the door,
252
00:25:36,180 --> 00:25:43,220
they didn't guess, they followed the doctrine, under the hood, everything we drill lines up with the
253
00:25:43,220 --> 00:25:52,020
SC-900 fundamentals, Microsoft Security, Compliance, and Identity, but we don't teach it like an exam,
254
00:25:52,020 --> 00:25:59,140
we teach it like a case file, you leave with a pack, zero trust IR checklist, hunting starters,
255
00:25:59,140 --> 00:26:07,620
CA policy set, compliance map, the flow you memorize: validate identity, block risk, contain device,
256
00:26:08,180 --> 00:26:14,900
investigate tenant, preserve evidence, you don't need brilliance, you need discipline,
257
00:26:14,900 --> 00:26:22,500
we teach that discipline, attackers aren't brilliant, they're patient, the room won't be silent
258
00:26:22,500 --> 00:26:28,740
anymore if you know what to listen for, the truth lives in the timeline, enrol, become the
259
00:26:28,740 --> 00:26:35,460
analyst who can reconstruct, contain and prevent, don't let your tenant become another case file,
260
00:26:35,460 --> 00:26:37,580
not on your shift.