Episode Details
M365 Audit Logs Zero Trust: The Microsoft 365 Audit Logs You’re Ignoring
Season 1
Published 4 months, 2 weeks ago
Description
(00:00:00) Zero Trust and Log Analysis
(00:00:21) The Importance of Continuous Monitoring
(00:00:37) Identity Verification: The First Line of Defense
(00:01:26) Risky Sign-Ins: The Early Warning Sign
(00:02:42) Combining Logs for Comprehensive Visibility
(00:05:44) The Power of Lateral Movement Detection
(00:07:51) Data Staging: The Next Stage of Attack
(00:12:53) The Critical Role of Retention Policies
(00:17:44) Copilot Interactions: A New Frontier in Detection
(00:24:00) Case Study: A Quiet Data Exfiltration
In this episode of M365.fm, Mirko Peters shows why Zero Trust without audit evidence is policy theater — and how to use Microsoft 365 audit logs to catch the quiet exfiltration and lateral movement your dashboards miss.
WHAT YOU WILL LEARN
- Why a 12,000‑file SharePoint download in 20 minutes can pass every “green” Zero Trust check
- How to fuse Entra ID sign‑in risk, Unified Audit Log events, Purview policy changes, and Copilot interactions into one coherent attack timeline
- The difference between risky sign‑ins, risk detections, and workload identity anomalies — and why the retention gap matters
- How to spot the three‑stream pattern that precedes most real data staging: risk, privilege change, and data surge
- How to turn audit traces into KQL hunting queries, alerts, dashboards, and automation in Sentinel or Microsoft 365 Defender
- Practical techniques for building per‑user baselines so you can see the difference between sync and staging
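The three-stream join and the per-user baseline from the list above, as an added example that is not the episode's own material or any Microsoft tooling. It takes constructed Entra ID sign-in records and Unified Audit Log style events (simplified field names; the 12,000-file burst, the inbox rule, the forwarding change and the anonymous link are all made up), builds each user's download baseline from their own history in 20-minute bins, and then joins risky sign-ins with privilege changes and download surges inside a two-hour window. The operation names in PRIVILEGE_OPS and DOWNLOAD_OPS, the bin size and the MIN_SURGE floor are assumptions chosen for the illustration.

```python
"""Join Entra risk, UAL privilege changes and a per-user download baseline.

Added example, not code from the episode. Field names follow the shape of
Entra sign-in logs and UAL AuditData loosely; all records are constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

# Assumed sets of operations: ones that widen access or set up persistence,
# and ones that move file content. Extend to taste for a real tenant.
PRIVILEGE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox",
                 "Add-MailboxPermission", "AnonymousLinkCreated", "SharingSet"}
DOWNLOAD_OPS = {"FileDownloaded", "FileSyncDownloadedFull"}
BIN = timedelta(minutes=20)
MIN_SURGE = 20  # assumption: ignore bins below this many files regardless of baseline
UTC = timezone.utc


def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def bin_start(ts):
    # Floor to a fixed 20-minute bin so counts compare across days.
    return ts.replace(minute=(ts.minute // 20) * 20, second=0, microsecond=0)


def download_bins(events):
    """user -> Counter(bin start -> number of download events in that bin)"""
    out = defaultdict(Counter)
    for e in events:
        if e["Operation"] in DOWNLOAD_OPS:
            out[e["UserId"]][bin_start(parse_ts(e["CreationTime"]))] += 1
    return out


def build_baseline(history_events):
    """Per-user surge threshold: mean + 3 sd of that user's own past active bins."""
    base = {}
    for user, bins in download_bins(history_events).items():
        counts = list(bins.values())
        sd = pstdev(counts) if len(counts) > 1 else 0.0
        base[user] = max(MIN_SURGE, mean(counts) + 3 * sd)
    return base


def find_surges(events, baseline):
    """(user, bin start, count) for every bin above that user's threshold."""
    surges = []
    for user, bins in download_bins(events).items():
        threshold = baseline.get(user, MIN_SURGE)
        surges.extend((user, start, n) for start, n in sorted(bins.items()) if n > threshold)
    return surges


def correlate(signins, events, baseline, window=timedelta(hours=2)):
    """Per at-risk sign-in: privilege changes and download surges within `window`."""
    surges = find_surges(events, baseline)
    findings = {}
    for s in signins:
        if s.get("riskState") != "atRisk":
            continue
        user, t0 = s["userPrincipalName"], parse_ts(s["createdDateTime"])
        t1 = t0 + window
        priv = sorted((parse_ts(e["CreationTime"]), e["Operation"]) for e in events
                      if e["UserId"] == user and e["Operation"] in PRIVILEGE_OPS
                      and t0 <= parse_ts(e["CreationTime"]) <= t1)
        surge = [(b, n) for u, b, n in surges if u == user and t0 <= b <= t1]
        findings[user] = {"risk_at": t0, "privilege": priv, "surge": surge,
                          "streams": 1 + bool(priv) + bool(surge)}
    return findings


# ---- constructed sample data (illustrative, not real tenant records) ----
def mk(user, op, ts, workload="SharePointOnline", **extra):
    return {"CreationTime": ts.isoformat(), "UserId": user, "Operation": op,
            "Workload": workload, **extra}


def burst(user, op, start, n, step=timedelta(seconds=1)):
    return [mk(user, op, start + i * step) for i in range(n)]


def at(day, hh, mm):
    return datetime(2024, 5, day, hh, mm, tzinfo=UTC)


ALICE, BOB = "alice@contoso.example", "bob@contoso.example"
# Alice downloads a handful of files a day; Bob's sync client pulls ~400 per run.
HISTORY = (burst(ALICE, "FileDownloaded", at(1, 9, 5), 3)
           + burst(ALICE, "FileDownloaded", at(2, 14, 30), 2)
           + burst(ALICE, "FileDownloaded", at(3, 10, 15), 4)
           + burst(BOB, "FileSyncDownloadedFull", at(1, 7, 0), 400)
           + burst(BOB, "FileSyncDownloadedFull", at(2, 7, 0), 420)
           + burst(BOB, "FileSyncDownloadedFull", at(3, 7, 0), 380))
TODAY = ([mk(ALICE, "New-InboxRule", at(6, 8, 10), "Exchange",
             Parameters=[{"Name": "DeleteMessage", "Value": "True"}]),
          mk(ALICE, "Set-Mailbox", at(6, 8, 12), "Exchange",
             Parameters=[{"Name": "ForwardingSmtpAddress", "Value": "smtp:drop@attacker.example"}]),
          mk(ALICE, "AnonymousLinkCreated", at(6, 8, 15),
             ObjectId="https://contoso.example/sites/finance/Q2")]
         + burst(ALICE, "FileDownloaded", at(6, 8, 20), 12000, timedelta(milliseconds=100))
         + burst(BOB, "FileSyncDownloadedFull", at(6, 7, 0), 430))
SIGNINS = [{"userPrincipalName": ALICE, "createdDateTime": "2024-05-06T08:02:00Z",
            "riskLevelDuringSignIn": "medium", "riskState": "atRisk"},
           {"userPrincipalName": BOB, "createdDateTime": "2024-05-06T06:55:00Z",
            "riskLevelDuringSignIn": "low", "riskState": "atRisk"}]

BASELINE = build_baseline(HISTORY)
FINDINGS = correlate(SIGNINS, TODAY, BASELINE)

if __name__ == "__main__":
    for user, f in FINDINGS.items():
        print(f"{user}: {f['streams']}/3 streams, risky sign-in at {f['risk_at']:%H:%M}")
        for ts, op in f["privilege"]:
            print(f"  {ts:%H:%M} {op}")
        for start, n in f["surge"]:
            print(f"  {start:%H:%M} {n} downloads in 20 min (threshold {BASELINE[user]:.0f})")
```

Both users had an at-risk sign-in, so a dashboard keyed on Entra risk alone treats them alike. The join separates them: Alice's sign-in is followed by an inbox rule, external forwarding, an anonymous link and a 12,000-file bin against a baseline of a few files, so all three streams fire; Bob's 430-file sync run sits inside his own mean-plus-3-sd threshold of about 449 and produces only the risk stream. In production the same logic maps onto a KQL join of SigninLogs, OfficeActivity and a per-user baseline table, with the window and thresholds tuned per tenant.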
Zero Trust is not what you configure; it’s what actually happens — and you only see that in logs. Conditional Access can “succeed” while an attacker quietly replays tokens, stages data, and widens sharing scopes.
The real story starts when movement begins: inbox rules, mailbox forwarding, new sync relationships, sudden file surges, and “anyone” links — all stitched together by audit evidence.
This episode argues that if you’re not joining Entra risk, Unified Audit Log events, Purview changes, and Copilot logs, you don’t have Zero Trust — you have a policy slide deck.
WHY M365 AUDIT LOGS ARE YOUR REAL ZERO TRUST ENGINE
- Entra ID sign‑in & risk provide the prologue: risky sign‑ins, risk detections, and anomalous tokens before any data moves
- The Unified Audit Log traces lateral movement across Exchange, SharePoint, OneDrive, and Teams in one place