John Stoner is a Global Principal Security Strategist at Google Cloud and leverages his experience to improve users’ capabilities in Security Operations, Threat Hunting, Incident Response, Detection Engineering and Threat Intelligence. He blogs on threat hunting and security operations and has built multiple APT threat emulations for blue team capture the flag events. John has presented and led workshops at various industry symposia including FIRST, BSides, SANS Summits, WiCyS, Way West Hacking Fest, AISA, Insomni’hack and DefCon Packet Hacking Village. He also enjoys listening to what his former teammates referred to as “80s sad-timey music.”
X (Twitter): @stonerpsu
Defending Entra ID and Office 365 Using the Prism of GraphRunner (<– add to your schedule)
For organizations using Microsoft Entra ID and O365, it’s important to understand the landscape of the Graph API, how data is accessed and the logs available to gain visibility into probes and attacks that are targeting users and their information stores.
To drive this awareness, I’ve chosen to use a red team toolkit called GraphRunner that empowers offensive cyber practitioners an easy to use method to get started probing Microsoft Entra ID and Office 365 tenants. On the flip side of this, we are going to take a look at the logs generated by GraphRunner in a simulated attack chain to better understand what a blue teamer might see and how they can build detections and hunt, not just for GraphRunner, but for suspicious activities occurring within their Entra ID and Office 365 tenant.