Talk

Data Sets That Can Make A Difference: Improving Your Hunting and Detection in Entra ID and O365

March 14, 16:00 (CLOUD)

For organizations using Microsoft Entra ID (the artist formerly known as Azure Active Directory) and O365, it’s fairly well understood that a set of default logs are readily available for use, no matter what log management tooling an organization is using. However, this standard logging has its limits.

As a defender, this presents a set of challenges. With attacks like Golden SAML and post-exploitation kits like GraphRunner, an adversary who can reach the Microsoft Graph API, the backbone that services Entra ID, O365 and more, gains access to a treasure trove of information.

To drive greater awareness, defenders need to take advantage of the visibility that additional data sets provide but that they may not be aware of. These additional data sets give defenders more insight, help detect suspicious activity, and serve as a hunting ground when confronted with an adversary attempting to gather information from the Graph API.

The goal of this presentation is to show how these additional Microsoft data sets, in concert with the default logging, can be effectively utilized by defenders against an attack like Golden SAML or when an adversary uses a tool like GraphRunner.

Attendees will come away from this talk with:
- A greater understanding of the kinds of activities adversaries can perform against Entra ID and O365 using the API surface
- Awareness of the logging available for the Graph API beyond the standard sign-in and audit logging
- Ideas around how to detect and hunt within Entra ID and O365 tenants for these kinds of activities

Speaker

John Stoner

John Stoner is a Global Principal Security Strategist at Google Cloud and leverages his experience to improve users' capabilities in Security Operations, Threat Hunting, Incident Response, Detection Engineering and Threat Intelligence. He blogs on threat hunting and security operations and has built multiple APT threat emulations for blue team capture the flag events. John has presented and led workshops at various industry symposia including FIRST, BSides, SANS Summits, WiCyS, Way West Hacking Fest, AISA and DefCon Packet Hacking Village. He also enjoys listening to what his former teammates referred to as "80s sad-timey music."
