For organizations using Microsoft Entra ID (the artist formerly known as Azure Active Directory) and O365, it’s fairly well understood that a set of default logs are readily available for use, no matter what log management tooling an organization is using. However, this standard logging has its limits.
As a defender, this presents a set of challenges. With attacks like Golden SAML and post-exploitation kits like GraphRunner, access to the Microsoft Graph API, the backbone that services Entra ID, O365 and more, provides an adversary with a treasure trove of information to tap into.
To drive greater awareness, defenders need to take advantage of the visibility that additional data sets provide but that they may not be aware of. These additional data sets can give defenders extra insight, help detect suspicious activity, and serve as a hunting ground when confronted with an adversary attempting to gather information from the Graph API.
The goal of this presentation is to show how these additional Microsoft data sets, in concert with the default logging, can be used effectively by defenders during an attack like Golden SAML or when an adversary uses a tool like GraphRunner.
Attendees will come away from this talk with:
- A greater understanding of the kinds of activities adversaries can perform against Entra ID and O365 using the API surface
- Awareness of the logging available for the Graph API beyond the standard sign-in and audit logging
- Ideas around how to detect and hunt within Entra ID and O365 tenants for these kinds of activities