Happy Little Clouds: Painting Pictures with Microsoft Cloud and Identity Data

Matt Graeber

fwd:cloudsec North America 2025 · Day 1 · Track 2 - Crestone

Matt Graeber, a threat researcher at Red Canary and the person who co-coined the term **"living off the land"** at DerbyCon years ago, delivered a methodical and deeply technical talk on how to assess, correlate, and tell stories with Microsoft cloud and identity log data. Channeling the spirit of Bob Ross, Graeber presented a universal methodology he calls **Minimum Viable Storytelling (MVS)** for evaluating whether any given data source contains sufficient context to observe, detect, and respond to threats. The talk then demonstrated this methodology through two practical case studies -- a suspicious inbox rule creation in Exchange Online and a privileged Azure role assignment -- including the specific correlation paths needed to connect events across Microsoft's notoriously siloed log sources.

AI review

Matt Graeber applies rigorous methodology to a problem every Microsoft shop struggles with: making sense of their cloud log data for detection and response. The Minimum Viable Storytelling framework is genuinely useful, and the detailed correlation paths between UAL events, non-interactive sign-in logs, and interactive sign-in logs are the kind of hard-won knowledge that takes months of painful Microsoft documentation archaeology to acquire on your own.
