
EPISODE · Dec 4, 2025 · 40 MIN

M365 Audit Logs Zero Trust: The Microsoft 365 Audit Logs You’re Ignoring

from M365.FM - Modern work, security, and productivity with Microsoft 365 · host Mirko Peters - Founder of m365.fm, m365.show and m365con.net

CHAPTERS
(00:00:00) Zero Trust and Log Analysis
(00:00:21) The Importance of Continuous Monitoring
(00:00:37) Identity Verification: The First Line of Defense
(00:01:26) Risky Sign-Ins: The Early Warning Sign
(00:02:42) Combining Logs for Comprehensive Visibility
(00:05:44) The Power of Lateral Movement Detection
(00:07:51) Data Staging: The Next Stage of Attack
(00:12:53) The Critical Role of Retention Policies
(00:17:44) Copilot Interactions: A New Frontier in Detection
(00:24:00) Case Study: A Quiet Data Exfiltration

In this episode of M365.fm, Mirko Peters shows why Zero Trust without audit evidence is policy theater, and how to use Microsoft 365 audit logs to catch the quiet exfiltration and lateral movement your dashboards miss.

WHAT YOU WILL LEARN
- Why a 12,000-file SharePoint download in 20 minutes can pass every "green" Zero Trust check
- How to fuse Entra ID sign-in risk, Unified Audit Log events, Purview policy changes, and Copilot interactions into one coherent attack timeline
- The difference between risky sign-ins, risk detections, and workload identity anomalies, and why the retention gap matters
- How to spot the three-stream pattern that precedes most real data staging: risk, privilege change, and data surge
- How to turn audit traces into KQL hunting queries, alerts, dashboards, and automation in Sentinel or Microsoft 365 Defender
- Practical techniques for building per-user baselines so you can see the difference between sync and staging

THE CORE INSIGHT
Zero Trust is not what you configure; it's what actually happens, and you only see that in logs. Conditional Access can "succeed" while an attacker quietly replays tokens, stages data, and widens sharing scopes. The real story starts when movement begins: inbox rules, mailbox forwarding, new sync relationships, sudden file surges, and "anyone" links, all stitched together by audit evidence. This episode argues that if you're not joining Entra risk, Unified Audit Log events, Purview changes, and Copilot logs, you don't have Zero Trust; you have a policy slide deck.

WHY M365 AUDIT LOGS ARE YOUR REAL ZERO TRUST ENGINE
- Entra ID sign-in and risk logs provide the prologue: risky sign-ins, risk detections, and anomalous tokens before any data moves
- The Unified Audit Log traces lateral movement across Exchange, SharePoint, OneDrive, and Teams in one place
- Purview audit and policy logs show when retention, labels, or DLP are quietly weakened before exfiltration
- Copilot interaction logs reveal how attackers or insiders might weaponize AI to discover sensitive documents faster
- Combined, these logs let you reconstruct "who did what, from where, with which privileges, to which data" and build detections from that reality

PRACTICAL DETECTION PATTERNS YOU'LL HEAR
- Repeated medium-risk sign-ins from new ASNs/IPs followed by SharePoint download bursts
- Mailbox rule creation or forwarding changes paired with sudden OneDrive/SharePoint activity
- New sync clients plus hundreds of unique files touched in a short time window
- SharingLinkCreated events widening scope to "Anyone" or "Organization" right before or after file surges

WHO THIS EPISODE IS FOR
This episode is essential for Microsoft 365 security engineers, incident responders, SOC analysts, and cloud architects responsible for Zero Trust and data protection in M365. If your tenant looks healthy in portals but you can't explain how you'd spot a "clean" exfiltration case, this conversation will give you concrete queries, pivots, and patterns to fix that.

ABOUT THE HOST
Mirko Peters is a Microsoft 365 consultant and digital workplace architect focused on building attack-aware, evidence-driven security programs on the Microsoft cloud. Through M365.fm, Mirko shares practical investigations, KQL approaches, and governance patterns that help security teams turn Microsoft 365 audit logs into the backbone of real Zero Trust.

Become a supporter of this podcast: https://www.spreaker.com/podcast/m365-fm-modern-work-security-and-productivity-with-microsoft-365--6704921/support.
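The three-stream pattern the episode describes (risk sign-in, privilege or sharing change, file surge judged against a per-user baseline) as an added worked example; this is not code from the episode or from the host, and it is written in Python rather than the KQL a Sentinel hunt would use so that it runs offline over constructed records. Everything in the sample data is an assumption for illustration: the users, ASNs and timestamps, the sign-in rows, the Unified Audit Log records (which follow the AuditData shape of CreationTime, Operation, UserId, Workload, ObjectId, but the LinkScope field is assumed), the User-Agent substrings used to recognise sync clients, and the per-user history of unique files per hour.

```python
"""Three-stream correlation over Microsoft 365 audit evidence (added example, constructed data).
Joins (1) Entra ID risky sign-ins, (2) privilege/sharing changes and (3) per-user file surges
from Unified Audit Log records into one per-user timeline. LinkScope, the sync User-Agent
markers and the per-user history are assumptions, not documented tenant fields."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

WINDOW = timedelta(hours=24)                 # look-back for the two precursor streams
MIN_SURGE_FILES = 100                        # floor: a quiet user's tiny stdev must not alert on noise
FILE_OPS = {"FileDownloaded", "FileSyncDownloadedFull", "FileAccessed"}
SYNC_AGENT_MARKERS = ("OneDriveSync", "SkyDriveSync")  # assumed sync-client User-Agent substrings
WIDE_SCOPES = {"Anyone", "Organization"}

def ts(s):
    return datetime.fromisoformat(s)

def risky_signins(signins, known_asns):
    """Stream 1: medium/high risk, or a sign-in from an ASN this user has never used."""
    out = []
    for s in signins:
        new_asn = s["asn"] not in known_asns.get(s["user"], set())
        if s["risk"] in ("medium", "high") or new_asn:
            out.append({"t": ts(s["t"]), "user": s["user"],
                        "detail": f"sign-in risk={s['risk']} asn={s['asn']}{' (new)' if new_asn else ''}"})
    return out

def privilege_changes(ual):
    """Stream 2: inbox rules/forwarding, role grants, sharing links widened beyond named users."""
    out = []
    for r in ual:
        op, p, hit = r["Operation"], r.get("Parameters", {}), None
        if op in ("New-InboxRule", "Set-InboxRule") and (p.get("ForwardTo") or p.get("RedirectTo")):
            hit = f"{op} forwards mail to {p.get('ForwardTo') or p.get('RedirectTo')}"
        elif op == "Set-Mailbox" and p.get("ForwardingSmtpAddress"):
            hit = f"mailbox forwarding to {p['ForwardingSmtpAddress']}"
        elif op == "SharingLinkCreated" and r.get("LinkScope") in WIDE_SCOPES:
            hit = f"'{r['LinkScope']}' sharing link on {r.get('ObjectId')}"
        elif op == "Add member to role.":
            hit = f"role grant: {r.get('ObjectId')}"
        if hit:
            out.append({"t": ts(r["CreationTime"]), "user": r["UserId"], "detail": hit})
    return out

def file_surges(ual, history):
    """Stream 3: unique files touched per user-hour, judged against that user's own history."""
    files, agents, first = defaultdict(set), defaultdict(list), {}
    for r in ual:
        if r["Operation"] in FILE_OPS:
            t = ts(r["CreationTime"])
            key = (r["UserId"], t.replace(minute=0, second=0))
            files[key].add(r["ObjectId"])
            agents[key].append(r.get("UserAgent", ""))
            first[key] = min(first.get(key, t), t)
    out = []
    for (user, hour), objs in files.items():
        prior = history.get(user, [])
        threshold = max(MIN_SURGE_FILES, mean(prior) + 3 * pstdev(prior)) if prior else MIN_SURGE_FILES
        if len(objs) > threshold:   # every request came from a sync client -> likely initial sync, not staging
            sync_only = all(any(m in ua for m in SYNC_AGENT_MARKERS) for ua in agents[(user, hour)])
            out.append({"t": first[(user, hour)], "hour": hour, "user": user, "unique_files": len(objs),
                        "threshold": round(threshold), "sync_only": sync_only})
    return out

def correlate(signins, ual, history, known_asns):
    """Join the three streams per user inside WINDOW and classify each surge."""
    risks, privs, alerts = risky_signins(signins, known_asns), privilege_changes(ual), []
    for surge in file_surges(ual, history):
        end = surge["hour"] + timedelta(hours=1)
        def in_window(e):
            return e["user"] == surge["user"] and end - WINDOW <= e["t"] <= end
        r, p = [e for e in risks if in_window(e)], [e for e in privs if in_window(e)]
        verdict = "staging" if (r or p) else ("sync-only surge" if surge["sync_only"] else "surge")
        marker = {"t": surge["t"], "user": surge["user"],
                  "detail": f"{surge['unique_files']} unique files in one hour (threshold {surge['threshold']})"}
        alerts.append({"user": surge["user"], "verdict": verdict, "risk": r, "privilege": p, "surge": surge,
                       "timeline": sorted(r + p + [marker], key=lambda e: e["t"])})
    return alerts

def downloads(user, start, n, agent, op="FileDownloaded"):
    """Constructed helper: n operations on n distinct files, one per second."""
    t0 = ts(start)
    return [{"CreationTime": (t0 + timedelta(seconds=i)).isoformat(timespec="seconds"), "Operation": op,
             "UserId": user, "Workload": "SharePoint", "UserAgent": agent,
             "ObjectId": f"https://contoso.sharepoint.example/sites/fin/doc{i}.docx"} for i in range(n)]

# Constructed sample data: alice shows all three streams, bob is a first-time sync client.
SIGNINS = [
    {"t": "2025-12-01T08:02:00", "user": "alice@contoso.example", "risk": "medium", "asn": 64512},
    {"t": "2025-12-01T08:10:00", "user": "alice@contoso.example", "risk": "medium", "asn": 64512},
    {"t": "2025-12-01T07:55:00", "user": "bob@contoso.example", "risk": "none", "asn": 8075},
]
KNOWN_ASNS = {"alice@contoso.example": {8075}, "bob@contoso.example": {8075}}
HISTORY = {"alice@contoso.example": [12, 9, 15, 11, 14], "bob@contoso.example": [40, 35, 52, 47]}  # unique files/hour
UAL = [
    {"CreationTime": "2025-12-01T08:20:00", "Operation": "New-InboxRule", "UserId": "alice@contoso.example",
     "Workload": "Exchange", "Parameters": {"ForwardTo": "drop@example.net", "DeleteMessage": True}},
    {"CreationTime": "2025-12-01T08:25:00", "Operation": "SharingLinkCreated", "UserId": "alice@contoso.example",
     "Workload": "SharePoint", "LinkScope": "Anyone", "ObjectId": "https://contoso.sharepoint.example/sites/fin"},
    *downloads("alice@contoso.example", "2025-12-01T08:30:00", 400, "Mozilla/5.0 (Windows NT 10.0) Chrome/120"),
    *downloads("bob@contoso.example", "2025-12-01T09:00:00", 350, "Microsoft SkyDriveSync 24.1", "FileSyncDownloadedFull"),
]

if __name__ == "__main__":
    for a in correlate(SIGNINS, UAL, HISTORY, KNOWN_ASNS):
        print(f"{a['user']}: {a['verdict']}")
        for e in a["timeline"]:
            print(f"  {e['t'].isoformat()}  {e['detail']}")
```

Run it and alice is classified as staging with a five-step timeline (two risky sign-ins from an ASN she has never used, an inbox rule that forwards mail, an "Anyone" link on the finance site, then 400 unique files in one hour against a threshold of 100), while bob's 350-file burst is reported as a sync-only surge because every request came from a sync client and no precursor stream fired. The baseline floor and the three-sigma threshold are the knobs a real deployment would tune per tenant; in Sentinel the same join is a KQL query over SigninLogs and OfficeActivity with the history coming from a summary table.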


Frequently Asked Questions

How long is this episode of M365.FM - Modern work, security, and productivity with Microsoft 365?

This episode is 40 minutes long.

When was this M365.FM - Modern work, security, and productivity with Microsoft 365 episode published?

This episode was published on December 4, 2025.

What is this episode about?

Mirko Peters explains why Zero Trust without audit evidence is policy theater, and how to join Entra ID sign-in risk, Unified Audit Log events, Purview policy changes, and Copilot interaction logs into one attack timeline so you can catch the quiet exfiltration and lateral movement that dashboards miss.

Is there a transcript available for this episode?

No transcript is available for this episode yet; one can be requested from the episode page.

Can I download this M365.FM - Modern work, security, and productivity with Microsoft 365 episode?

Yes, you can download this episode by clicking the download button on the episode player, or subscribe to the podcast in your preferred podcast app for automatic downloads.