Conference Talk
Happy Little Clouds: Painting Pictures with Microsoft Cloud and Identity Data
You’re tasked with detecting an Entra ID, Azure or Microsoft 365 attack technique. Where do you start? How do you identify what data sources are available to observe the technique? Of the data sources available, what constitutes quality data with which a coherent story can be told? What are the elements of the story that needs to be told so that a responder can ask the right questions and respond with confidence? How do data sources need to be correlated, and can they even be directly correlated? What the heck is a SessionId versus a UniqueTokenIdentifier, how are they related, and why do they matter?
Anyone who has ever been tasked with developing detection guidance for cloud and identity threats in the Microsoft stack will know well just how fragmented and under-documented its security data sources are. This session will attempt to bring sanity to telling effective stories when investigating and detecting threats, based on a formal methodology for assessing the quality of any given data source. Join Cloudsec Bob Ross as he reveals the art and science behind threat storytelling, and learn to distinguish malicious strokes from happy little accidents.